IIS Logging of access failure

Thread: IIS Logging of access failure

  1. #1
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356

    Question IIS Logging of access failure

    I was trying to troubleshoot a problem today with a client that was using FrontPage extensions to post web page updates to their IIS 4.0 server. To make a long story short, if I do a sniff of traffic on the network passing to the IIS server, I clearly see the server issuing an HTTP 403 Access Denied error. My knowledge of IIS is somewhat limited, but I know in Apache that if the server issues something like this, it is not only logged but the reason why it was denied is shown (for example file permissions). I started having him go through the event logs and through the individual logs for IIS and it at least appears to me ATM that IIS only logs the HTTP GET/POST/OPTIONS requests and does not appear to log errors such as file not found, file permissions, access denied, etc. I can see in the log where he issued the HTTP requests to the server, but I can't see the status of them.

    The question: 1) Does IIS or NT have a log somewhere for things like this? 2) If so, is it not on by default? If not, how do you turn it on and where will the logs be placed?

    Any help would be appreciated...

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Several things.

    You can view the normal HTTP access log, it will log the HTTP status code (401, 403 etc). A lot of hits on "authentication required" (401 I think) will indicate someone being repeatedly unsuccessful at logging in.

    Additionally, if you have a domain controller, you can turn on auditing of failed logins, and AFAIK (not 100% but fairly sure) it will audit failed logins by web users as well as normal NT users.

    It will of course only log failed login attempts by domain accounts (and non-existent domain accounts).

    Users who attempt to log in using local accounts won't get caught by this method. Also, this method will not log their IP address (although you could attempt to correlate the IP addresses in the web access log).

    HTTP is a strange protocol with authentication, because clients will always attempt to connect with no authentication, and if refused will then retry (possibly having prompted the user). So don't be surprised if even users who always remember their password show up as auth required requests.

    Unfortunately, IIS doesn't seem to have a log which explicitly logs errors, like Apache's error_log (I often wish it did) - also many errors don't make it to the NT event log.

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    "You can view the normal HTTP access log, it will log the HTTP status code (401, 403 etc). A lot of hits on "authentication required" (401 I think) will indicate someone being repeatedly unsuccessful at logging in."

    Do you know where this log is? I haven't been able to find it...


    neb

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    112
    IIS has the ability to log to file if you configure it to do so. Logging is enabled by default but it is at minimum limits. From the properties of the website you are administering you get the ability to enable logging for the site.


    Bottom section should show logging is enabled in W3C Extended Log File Format. Choosing properties gives you the location of the log files. Choosing extended properties tab gives you the ability to extend the logging feature.

    Hope this helps
    My other Computer is a 4000 node Beowulf Cluster
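
Added example, not part of any poster's reply: a small parser for the W3C Extended Log File Format mentioned above that reads the `#Fields:` directive and reports 401/403 responses per client IP, discarding the 401 challenge that is followed by a successful retry of the same URL. The log lines are constructed, and the example assumes the client IP, URI stem, HTTP status and Win32 status fields have been selected under the log's extended properties.

```python
from collections import defaultdict

# Constructed sample (not from the thread) in W3C Extended Log File Format.
# Assumes these fields were ticked under the log's extended properties.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-win32-status
2003-06-10 14:00:05 192.0.2.10 GET /docs/index.htm 401 5
2003-06-10 14:00:06 192.0.2.10 GET /docs/index.htm 200 0
2003-06-10 14:00:09 192.0.2.10 POST /docs/upload.htm 401 5
2003-06-10 14:00:10 192.0.2.10 POST /docs/upload.htm 403 5
2003-06-10 14:01:10 192.0.2.77 GET /admin/ 401 5
2003-06-10 14:01:11 192.0.2.77 GET /admin/ 401 1326
2003-06-10 14:01:12 192.0.2.77 GET /admin/ 401 1326
"""

WIN32 = {"5": "access denied", "1326": "logon failure"}  # Win32 error codes

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip truncated or foreign lines
                yield dict(zip(fields, values))

def unresolved_denials(text):
    """Per client IP, list 401/403 entries not followed by a success for that URI."""
    pending = defaultdict(list)              # (ip, uri) -> denied entries so far
    for e in parse_w3c(text):
        key = (e["c-ip"], e["cs-uri-stem"])
        if e["sc-status"] in ("401", "403"):
            pending[key].append(e)
        elif e["sc-status"][0] in "23":
            pending.pop(key, None)           # normal challenge, then authenticated retry
    report = defaultdict(list)
    for (ip, uri), entries in pending.items():
        for e in entries:
            reason = WIN32.get(e.get("sc-win32-status"), "unknown")
            report[ip].append((uri, e["sc-status"], reason))
    return dict(report)
```

The per-IP result can then be lined up by timestamp against failed-logon audit events, which do not carry the client address.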

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I did see that and that pretty much just adds a few fields to existing logs. I think I have it figured out, after a long conversation with my customer and him absolutely insisting that auditing was turned on, I had him load up the user manager and check policies->audit policy...and guess what....grrr

  6. #6
    Senior Member
    Join Date
    Jul 2002
    Posts
    112
    Amazing isn't it... It doesn't take much to check to make sure things are the way they are supposed to be. But I guess we all do it from time to time, know for a fact something is one way only to find out it isn't... Enjoy!
