Exam 70-214: Objective 6.1: Auditing Internet Information Services

Now that you have mastered auditing events and navigating the Event Viewer to analyze them, let's look at another system you need to know about, not only for the exam but also as a Microsoft Certified Professional dealing with daily security issues on your systems. For the exam, you need to know how to audit Internet Information Services (IIS), Microsoft's Web server product. IIS 5.0 ships with Windows 2000 Server.

Internet Information Services

IIS writes log files that record requests to the Web (HTTP), FTP, NNTP, and SMTP services. Each service that is installed and running under IIS keeps its own set of log files; a service you do not run generates no log (if you don't use the SMTP service, for example, no SMTP log is created). In Exercise 10.02, we look at how to set up and view the IIS log for the Web service.

Exercise 10.02: Configuring and Viewing the IIS Log Files

  1. When you set up IIS logging, you need to make sure that you have IIS installed and running. This is easy to do. Go to your Internet Services Manager (ISM) console, located within the Administrative Tools folder. Open the ISM and make sure your default Web site (or a configured one, if you have it) is running and not stopped. You will see that it is stopped or running, as shown in Figure 10.21.

    Figure 10.21: Viewing the IIS Internet Services Manager

  2. Go to the default Web site and right-click it. Go to Properties. Choose the Web Site properties, and you will by default be on the tab you need (the Web Site tab). On the bottom of the screen you will be able to enable logging, as shown in Figure 10.22. Logging is enabled by default.

    Figure 10.22: Default Web Site Settings

  3. You can change the Active Log format (you can configure IIS to store the logs into an ODBC-compliant database, such as Microsoft SQL Server), but for purposes of this exercise, we want to log to a World Wide Web Consortium (W3C) Extended log file format.

  4. Click the Properties button and you will be presented with the Extended Logging Properties dialog box shown in Figure 10.23. Here, on the bottom of the dialog box, you can see where the log files will be stored. By default, they will be stored in the %WinDir%\System32\Logfiles folder.

    Figure 10.23: Viewing the W3C Extended Logging Properties

  5. Pay close attention to the log filename format at the bottom of the dialog box. W3SVC1 is the folder you need to open to see the log files for this site: the number is the site's instance ID, so the Default Web Site (instance 1) logs under W3SVC1 and each additional Web site logs under its own W3SVCn folder. Notice also the exyymmdd.log naming pattern for a daily log: a file created on October 24, 2002 would be named ex021024.log. Keep in mind that W3C Extended format records its timestamps in UTC (GMT), not the server's local time, so an entry's time will not match the local clock unless the server happens to run in the GMT zone.

  6. Now you can go to Windows Explorer and browse to the directory where the log files are stored. Follow the path to the %WinDir%\System32\Logfiles folder. Open the W3SVC1 folder, and open the newest log available. You should see something similar to the following:

    #Software: Microsoft Internet Information Services 5.0
    #Version: 1.0
    #Date: 2002-10-24 15:11:51
    #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
    2002-10-24 19:46:40 127.0.0.1 - 127.0.0.1 80 GET /index.htm - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3526)

  7. If you have no entries, you can open a Web browser and go to http://localhost (the loopback for the local system at 127.0.0.1). This pulls up the Web site you have configured. If you do not have one, you can make a blank index.htm or default.asp page to put in your Inetpub\wwwroot directory.

  8. Refresh the page and audit your log. You should see entries similar to the ones shown in the log that appears in Step 6.

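The exercise above shows how to find a W3C Extended log and read it by eye. The script below, which is an added example and not part of the study guide, performs the same audit programmatically: it reads the #Fields directive to learn the column order (the order is whatever was ticked in the Extended Logging Properties dialog, so positions must never be assumed), converts the UTC timestamps, tallies status codes, and flags the two things a reviewer looks for first: traversal or command probes in the URI, and clients that rack up repeated error responses. The sample log text, the IP addresses and the probe request lines are constructed for this example, and the PROBE_MARKERS list is an illustrative heuristic rather than a real signature set.

```python
"""Audit an IIS 5.0 W3C Extended log (added example, not from the study guide).

The parser reads the #Fields directive instead of assuming column positions,
because the selected fields (and so the column order) are whatever was ticked
in the Extended Logging Properties dialog.
"""
import sys
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log in the layout IIS 5.0 writes. The IP addresses,
# URIs and timings are made up for this example; the two probe lines
# imitate the kind of traversal request an audit is meant to surface.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-10-24 15:11:51
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-10-24 19:46:40 127.0.0.1 - 127.0.0.1 80 GET /index.htm - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2002-10-24 19:47:02 10.0.0.5 - 127.0.0.1 80 GET /default.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2002-10-24 19:47:10 10.0.0.5 - 127.0.0.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-10-24 19:47:11 10.0.0.5 - 127.0.0.1 80 GET /_vti_bin/..%255c../winnt/system32/cmd.exe /c+dir 404 -
2002-10-24 19:47:30 10.0.0.5 - 127.0.0.1 80 POST /login.asp - 500 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in #Fields.

    Raises ValueError for a data line that appears before any #Fields
    directive or whose column count does not match it.
    """
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # #Fields can appear more than once (IIS writes a new one when the
            # selected fields change), so keep the most recent one.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version and #Date are only metadata
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line}")
        entry = dict(zip(fields, values))
        # W3C Extended timestamps are written in UTC, not the server's local time.
        entry["timestamp"] = datetime.strptime(
            f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        entries.append(entry)
    return entries


def status_summary(entries):
    """Count responses per HTTP status code."""
    return Counter(e["sc-status"] for e in entries)


# Illustrative heuristic only (an assumption of this example); a real audit
# would use a maintained signature set.
PROBE_MARKERS = ("..", "cmd.exe")


def flag_suspicious(entries, min_errors=2):
    """Return (probe_entries, noisy_clients).

    probe_entries: requests whose URI stem contains a traversal or command marker.
    noisy_clients: client IPs with at least min_errors 4xx/5xx responses, which
    is how a scanner looks in a log even when every one of its probes fails.
    """
    probes = [e for e in entries
              if any(m in e["cs-uri-stem"].lower() for m in PROBE_MARKERS)]
    errors = Counter(e["c-ip"] for e in entries if e["sc-status"][0] in "45")
    noisy = {ip for ip, n in errors.items() if n >= min_errors}
    return probes, noisy


def audit(text):
    """Produce a short report from the raw log text."""
    entries = parse_w3c(text)
    probes, noisy = flag_suspicious(entries)
    lines = [f"{len(entries)} requests, status counts: {dict(status_summary(entries))}"]
    for e in probes:
        lines.append(f"PROBE {e['timestamp'].isoformat()} {e['c-ip']} "
                     f"{e['cs-method']} {e['cs-uri-stem']} {e['cs-uri-query']} -> {e['sc-status']}")
    for ip in sorted(noisy):
        lines.append(f"NOISY client {ip}: repeated error responses")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_iis_log.py C:\WINNT\System32\LogFiles\W3SVC1\ex021024.log
    # With no argument the constructed sample log is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            print(audit(fh.read()))
    else:
        print(audit(SAMPLE_LOG))
```

Point the script at the newest file under the W3SVC1 folder from Step 6 to audit a real log. Because the parser keys every entry by the names in #Fields, it keeps working when someone later ticks extra fields (such as cs-bytes or time-taken) in the Extended Logging Properties dialog, whereas a parser that hard-codes column numbers silently misreads every line after that change.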

Note 

You should always make certain that your systems have synchronized clocks, especially systems that create log files. For a log to stand up as evidence, or even to correlate events across several hosts, you must know exactly when each event happened. In a Windows 2000 domain, the Windows Time service (W32Time) synchronizes each member's clock with a domain controller automatically; the older approach of running the Net Time command from a login script also works. Another, more expensive way is to keep a dedicated time appliance on site that serves the NTP protocol. You could also set your systems to synchronize with a public time server on the Internet, but then you have to allow NTP (UDP port 123) out through your firewall. Whatever you choose, it's important to do something to keep accurate time. You can see an atomic clock and get the exact time at a site provided by the U.S. government: www.time.gov.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
