Auditing Scenarios for Web Application Hosted in IIS - Part 2 - Permissions changed on Folder
Published Feb 08 2023 11:04 AM 4,303 Views
Microsoft

I have come across a few instances Root Cause Analysis (RCA) was requested for issues related to a web application that were caused by factors such as:

  • Changes in permission of the Application Root folder.
  • Web site being deleted.
  • SSL certificate binding modified.

 

Furthermore, there were times when using Process Monitor - Sysinternals | Microsoft Learn was not possible because the problem was intermittent, such as when files were being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys at irregular intervals.

 

The steps below assisted me in enabling auditing to log the necessary events in each scenario.  Please feel free to check other parts of this blog:

 

 

Scenario 2: Permissions changed on Application Root Folder:

 

  1. Apply a basic audit policy on a file or folder (Windows 10) - Windows security | Microsoft Learn
    • manojdixit_0-1675860655118.png

       

       manojdixit_1-1675860655618.png

       

       

  2. Enable File System Auditing:
  • Open Local Security Policy Editor (run >> secpol.msc)
  • Advanced Audit Policy Configuration >> Audit File System >> configure for success and failure.

manojdixit_2-1675860656496.png

 

 

 

Happy Troubleshooting!

Co-Authors
Version history
Last update:
‎Apr 07 2023 03:41 PM
Updated by: