I have come across a few instances where Root Cause Analysis (RCA) was requested for issues in a web application that were caused by factors such as:
- Changes in permission of the Application Root folder.
- Web site being deleted.
- SSL certificate binding modified.
Furthermore, there were times when using Process Monitor (Process Monitor - Sysinternals | Microsoft Learn) was not possible because the problem was intermittent, for example when files were being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys at irregular intervals.
The steps below helped me enable auditing so that the necessary events are logged in each scenario. Please feel free to check the other parts of this blog:
Scenario 2: Permissions changed on Application Root Folder:
Enable File System Auditing:
- Apply a basic audit policy on a file or folder (Windows 10) - Windows security | Microsoft Learn
- Open Local Security Policy Editor (run >> secpol.msc)
- Advanced Audit Policy Configuration >> Audit File System >> configure for success and failure.
- A sample 4670(S): Permissions on an object were changed event, as written to the Security event log:
- The principal whose access was modified is recorded in SID string format. You can resolve the SID to an account name with the tool PsGetSid - Windows Sysinternals | Microsoft Learn.
- Ex - .\PsGetsid.exe S-X-X-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- Please note this command should be run on a machine where the principal is present/accessible.
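As an added example (not part of the original post), the PowerShell below pulls 4670 events for an application root folder from the Security log and resolves the actor SID on the box itself, without needing PsGetSid; the folder path in $AppRoot is an assumed placeholder.

```powershell
# Added example: list 4670 (permissions changed) events for a folder and resolve the actor SID.
# Run from an elevated session; Security log reads require administrator rights.
$AppRoot = 'C:\inetpub\wwwroot\MyApp'   # assumed placeholder, replace with the real application root

# Equivalent of the secpol.msc step above, for scripted setups:
# auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Pull every 4670 event currently in the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # EventData values are easiest to read from the event XML, keyed by each <Data Name="...">.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only events for the application root and anything beneath it.
    if ($data['ObjectName'] -notlike "$AppRoot*") { continue }

    # Resolve the SID to DOMAIN\user; fall back to the raw SID if this machine cannot translate it
    # (same constraint as PsGetSid: the principal must be resolvable from here).
    $sid = $data['SubjectUserSid']
    try   { $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = $sid }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Actor   = $account
        Process = $data['ProcessName']   # process that changed the ACL (e.g. explorer.exe, icacls.exe)
        Object  = $data['ObjectName']
        OldSd   = $data['OldSd']         # security descriptor (SDDL) before the change
        NewSd   = $data['NewSd']         # security descriptor (SDDL) after the change
    }
}
```

Comparing OldSd and NewSd shows exactly which ACE was added or removed, which is usually the detail the RCA needs.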