Posted February 8, 2023

I have come across a few instances where a Root Cause Analysis (RCA) was requested for issues related to a web application that were caused by factors such as:

- Changes in permissions of the application root folder.
- Web site being deleted.
- SSL certificate binding modified.

Furthermore, there were times when using Process Monitor - Sysinternals | Microsoft Learn was not possible because the problem was intermittent, such as when files were being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys at irregular intervals. The steps below assisted me in enabling auditing to log the necessary events in each scenario.

Please feel free to check the other parts of this blog:

- Part 1 - Auditing Scenarios for Web Application Hosted in IIS - Part 1 - SSL Binding Modified
- Part 3 - Auditing Scenarios for Web Application Hosted in IIS - Part 3 - Website deleted
- Part 4 - Auditing Scenarios for Web Application Hosted in IIS - Part 4 - Files being written to folder

Scenario 2: Permissions changed on Application Root Folder

Event 4670(S): Permissions on an object were changed. (Windows 10) - Windows security | Microsoft Learn can be used to review changes made to the permissions of the folder. It is written to the Security event log when an audit entry is configured on the folder and file system auditing is then enabled. The steps for both are below.

1. Apply a basic audit policy on the folder: Apply a basic audit policy on a file or folder (Windows 10) - Windows security | Microsoft Learn. To create an auditing entry for all users and only for permission-change events: folder to be audited >> Properties >> Security >> Advanced >> Auditing >> Add >> Show advanced permissions, and select only the permission-change right. Auditing all permissions would result in a lot of events; also see the 'More considerations' section of Apply a basic audit policy on a file or folder (Windows 10) - Windows security | Microsoft Learn.

2. Enable File System Auditing: open the Local Security Policy editor (Run >> secpol.msc), then Advanced Audit Policy Configuration >> Audit File System >> configure for Success and Failure. Reference: Advanced security audit policy settings (Windows 10) - Windows security | Microsoft Learn and Audit File System (Windows 10) - Windows security | Microsoft Learn.

A sample 4670(S): Permissions on an object were changed event, as written to the Security event log, is shown in the original post. More details on the event: 4670(S) Permissions on an object were changed. (Windows 10) - Windows security | Microsoft Learn.

Reading the Security Descriptor (the event carries both the old and the changed permissions in this form):

- 4670(S) Permissions on an object were changed. (Windows 10) - Windows security | Microsoft Learn
- The Security Descriptor Definition Language of Love (Part 1) - Microsoft Community Hub
- The Security Descriptor Definition Language of Love (Part 2) - Microsoft Community Hub

The principal whose access was modified is written in SID string format. You can resolve the SID to an account name using PsGetSid - Windows Sysinternals | Microsoft Learn. Example: .\PsGetsid.exe S-X-X-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. Please note this command should be run on a machine where the principal is present/accessible.

Happy Troubleshooting!
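As an added example (not code from the original post), the following PowerShell performs the two steps above from the command line and then reads back the resulting 4670 events, resolving the subject SID through .NET instead of PsGetSid; the folder path is a placeholder and the script must run elevated.

```powershell
# Added example, not from the original post. Enables the "Audit File System"
# subcategory, puts a SACL entry on the application root that audits only
# permission changes, then reads the resulting 4670 events. Run elevated.
$Folder = 'C:\inetpub\wwwroot\MyApp'   # placeholder: your application root

# Step 2 of the post: Audit File System for Success and Failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 1 of the post: audit entry for Everyone, ChangePermissions only,
# inherited by subfolders and files, so reads/writes do not flood the log.
$acl  = Get-Acl -Path $Folder -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# SID -> account name, falling back to the raw SID when it cannot be resolved
# (for example a principal from a domain this machine cannot reach).
function Resolve-Sid([string]$Sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Pull 4670 events for this folder. OldSd/NewSd hold the SDDL before and
# after the change; SubjectUserSid identifies who changed it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Object  = $data['ObjectName']
            By      = Resolve-Sid $data['SubjectUserSid']
            Process = $data['ProcessName']
            OldSd   = $data['OldSd']
            NewSd   = $data['NewSd']
        }
    } |
    Where-Object { $_.Object -like "$Folder*" } |
    Format-List
```

Comparing the OldSd and NewSd strings with the SDDL references above shows exactly which ACE was added, removed or altered.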