Step 10. Auditing and Logging

Log All Failed Logon Attempts

You must log failed logon attempts to be able to detect and trace suspicious behavior.

 Task   To audit failed logon attempts

1. Start the Local Security Policy tool from the Administrative Tools program group .

2. Expand Local Policies and then select Audit Policy

3. Double-click Audit account logon events .

4. Click Failure and then OK .

Logon failures are recorded as events in the Windows security event log. The following event IDs are suspicious:

• 531 . This means an attempt was made to log on using a disabled account.

• 529 . This means an attempt was made to log on using an unknown user account or using a valid user account but with an invalid password. An unexpected increase in the number of these audit events might indicate an attempt to guess passwords.

Log All Failed Actions Across the File System

Use NTFS auditing on the file system to detect potentially malicious attempts. This is a two-step process.

 Task   To enable logging

1. Start the Local Security Policy tool from the Administrative Tools program group.

2. Expand Local Policies and then select Audit Policy

3. Double-click Audit object access .

4. Click Failure and then click OK .

 Task   To audit failed actions across the file system

1. Start Windows Explorer and navigate to the root of the file system.

2. Right-click and then click Properties .

3. Click the Security tab.

4. Click Advanced and then click the Auditing tab.

5. Click Add and then enter Everyone in the Name field.

6. Click OK and then select all of the Failed check boxes to audit all failed events.

   By default, this applies to the current folder and all subfolders and files.

7. Click OK three times to close all open dialog boxes.

   Failed audit events are logged to the Windows security event log.

Relocate and Secure the IIS Log Files

By moving and renaming the IIS log files, you make it much more difficult for an attacker to cover his tracks. The attacker must locate the log files before he or she can alter them. To make an attacker's task more difficult still, use NTFS permissions to secure the log files.

Move and rename the IIS log file directory to a different volume than your Web site. Do not use the system volume. Then, apply the following NTFS permissions to the log files folder and subfolders.

• Administrators: Full Control

• System: Full Control

• Backup Operators: Read

Archive Log Files for Offline Analysis

To facilitate the offline analysis of IIS log files, you can use a script to automate secure removal of log files from an IIS server. Log files should be removed at least every 24 hours. An automated script can use FTP, SMTP, HTTP, or SMB to transfer log files from a server computer. However, if you enable one of these protocols, do so securely so that you do not open any additional attack opportunities. Use an IPSec policy to secure ports and channels.

Audit Access to the Metabase.bin File

Audit all failures by the Everyone group to the IIS metabase.bin file located in \WINNT\System32\inetsrv\. Do the same for the \Metabase backup folder for the backup copies of the metabase.

Additional Considerations

Additionally, you can configure IIS W3C Extended Log File Format Auditing. Select W3C Extended Log File Format on the Web Site tab of the Web site's properties dialog box. You can then choose Extended Properties such as URI Stem and URI Query.