Now that you have mastered the process of auditing events and how to navigate the Event Viewer to check these events for analysis, let's look at some other systems you will be responsible for knowing about, not only on the exam but also as a Microsoft Certified Professional dealing with daily security issues on your systems. For the exam, you need to know how to audit Internet Information Services (IIS). IIS is Microsoft's Web services product. IIS 5.0 comes with Windows 2000 Server.
IIS creates log files that track connection attempts to Web (HTTP), FTP, NNTP, and SMTP services. If used, each of these services (which can run using IIS) maintains its own log files. In other words, if you don't use the SMTP service, a log file is not generated. In Exercise 10.02, we look at how to set up and view an IIS-based log for the Web service.
Exercise 10.02: Configuring and Viewing the IIS Log Files
When you set up IIS logging, you need to make sure that you have IIS installed and running. This is easy to do. Go to your Internet Services Manager (ISM) console, located within the Administrative Tools folder. Open the ISM and make sure your default Web site (or a configured one, if you have it) is running and not stopped. You will see that it is stopped or running, as shown in Figure 10.21.
Figure 10.21: Viewing the IIS Internet Services Manager
Go to the default Web site and right-click it. Go to Properties. Choose the Web Site properties, and you will by default be on the tab you need (the Web Site tab). On the bottom of the screen you will be able to enable logging, as shown in Figure 10.22. Logging is enabled by default.
Figure 10.22: Default Web Site Settings
You can change the Active Log format (you can configure IIS to store the logs into an ODBC-compliant database, such as Microsoft SQL Server), but for purposes of this exercise, we want to log to a World Wide Web Consortium (W3C) Extended log file format.
Click the Properties button and you will be presented with the Extended Logging Properties dialog box shown in Figure 10.23. Here, on the bottom of the dialog box, you can see where the log files will be stored. By default, they will be stored in the %WinDir%\System32\Logfiles folder.
Figure 10.23: Viewing the W3C Extended Logging Properties
Make absolutely sure that you pay attention to the log filename format at the bottom of the dialog box, because you need to know that W3SVC1 is the folder you need to open to see the log files you want to audit. In addition, notice the exyymmdd.log format. This format would resemble ex021024.log if it were created on October 24, 2002.
Now you can go to Windows Explorer and browse to the directory where the log files are stored. Follow the path to the %WinDir%\System32\Logfiles folder. Open the W3SVC1 folder, and open the newest log available. You should see something similar to the following:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-10-24 15:11:51
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-10-24 19:46:40 127.0.0.1 - 127.0.0.1 80 GET /index.htm - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3526)
If you have no entries, you can open a Web browser and go to http://localhost (the loopback for the local system at 127.0.0.1). This pulls up the Web site you have configured. If you do not have one, you can make a blank index.htm or default.asp page to put in your Inetpub\wwwroot directory.
Refresh the page and audit your log. You should see entries similar to the ones shown in the log that appears in Step 6.
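To show what the W3C Extended format gives you once you start auditing it, here is an added example (not part of the book or of IIS) that reads the #Fields directive to parse entries, works out the exyymmdd.log name for a given day, and pulls out the status counts and the non-loopback client addresses. The log text is a constructed sample in the layout shown above; the two 192.0.2.10 entries are made up for illustration.

```python
"""Added example: parse an IIS 5.0 W3C Extended log (exyymmdd.log) by its #Fields line."""

# Constructed sample in the layout of the book's log; the 192.0.2.10 lines are invented.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-10-24 15:11:51
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-10-24 19:46:40 127.0.0.1 - 127.0.0.1 80 GET /index.htm - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3526)
2002-10-24 19:47:02 192.0.2.10 - 127.0.0.1 80 GET /default.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2002-10-24 19:47:15 192.0.2.10 - 127.0.0.1 80 GET /scripts/missing.exe - 404 Mozilla/4.0+(compatible;+MSIE+6.0)
"""


def parse_w3c_log(text):
    """Return one dict per request, keyed by the names in the #Fields directive.
    The directive is re-read every time it appears, because IIS writes a new one
    when the selected fields change, so column meanings can shift mid-file."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Version, #Date) and blank lines
        elif fields:
            values = line.split()  # IIS replaces spaces inside a value with '+'
            if len(values) == len(fields):  # skip truncated or partially written lines
                entries.append(dict(zip(fields, values)))
    return entries


def log_filename_for(year, month, day):
    """Daily file name in the exyymmdd.log form, e.g. 2002-10-24 -> ex021024.log."""
    return "ex%02d%02d%02d.log" % (year % 100, month, day)


def status_counts(entries):
    """Count requests by HTTP status (sc-status); spikes in 404s are worth a look."""
    counts = {}
    for e in entries:
        counts[e["sc-status"]] = counts.get(e["sc-status"], 0) + 1
    return counts


def remote_clients(entries):
    """Distinct client addresses (c-ip) other than the loopback used in the exercise."""
    return sorted({e["c-ip"] for e in entries if e["c-ip"] != "127.0.0.1"})


if __name__ == "__main__":
    parsed = parse_w3c_log(SAMPLE_LOG)
    print(log_filename_for(2002, 10, 24), status_counts(parsed), remote_clients(parsed))
```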
Note: You should always make certain that your systems have synchronized clocks, especially systems that create log files. For a file to hold up in a court of law, you must know the time that events happened. Domain synchronization via login script is probably the best way to make sure that all hosts have the correct time. You can use the Net Time batch command to perform this operation. Another, more expensive way is to have a device on location that performs time syncing through the NTP protocol. You could also set your systems to synchronize with an atomic clock on the Internet, but then you will have to let port 123 through your firewall. Whatever you choose, it's important to do something to keep accurate time. You can see an atomic clock and get the exact time at a site provided by the U.S. government: www.time.gov.