Microsoft KB Archive/185874

From BetaArchive Wiki

Article ID: 185874

Article Last Modified on 1/12/2007



APPLIES TO

  • Microsoft Internet Information Server 4.0



This article was previously published under Q185874

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SUMMARY

This step-by-step article discusses some of the best practices for troubleshooting access to resources, a task that can become complex when you secure Web servers.

Site administrators frequently work blind when they try to troubleshoot access problems. Monitoring how the server is being used is a good place to start.

Monitor server use

To monitor server use, an administrator can set up auditing and logging:

Audit user logons

  1. Click Start, point to Programs, and then click Administrative Tools (Common) to open User Manager for Domains.
  2. Select the appropriate domain for the IIS server. To do this, click Select Domain on the User menu.
  3. On the Policies menu, click Audit.
  4. Click to select Audit These Events.
  5. For both Logon and Logoff, click to select both the Success and the Failure check boxes.
  6. Click OK.

Enable auditing on objects

  1. Click Start, point to Programs, and then click Administrative Tools (Common) to open User Manager for Domains.
  2. On the Policies menu, select Audit.
  3. Click to select Audit These Events.
  4. For both File and Object Access, click to select both the Success and the Failure check boxes.
  5. Click OK.

Select objects to audit

  1. Click Start, point to Programs, and then click Windows NT Explorer to start Windows NT Explorer.
  2. Select the file or folder that you want to audit.
  3. Right-click the file or folder, and then click Properties.
  4. Click the Security tab.
  5. Click Auditing.
  6. Click Add.
  7. Select the appropriate domain for the IIS server from the drop-down menu.
  8. Select Everyone, click Add, and then click OK.
  9. Click to select the Success and the Failure check boxes for all of the following:
    • Read
    • Write
    • Execute
  10. Click OK.

Enable W3C extended logging

  1. Start the Internet Service Manager (ISM). To do this, click Start, point to Programs, click Windows NT 4.0 Option Pack, click Microsoft Internet Information Server, and then click Internet Service Manager.
  2. Under Internet Information Server, select the IIS server.
  3. Right-click the Web site, and then click Properties.
  4. On the Web Site tab, click to select the Enable Logging check box. By default, Enable Logging is selected.
  5. Click Properties.
  6. Click the Extended Properties tab.
  7. Click to select at least the following check boxes:
    • Date
    • Time
    • Client IP Address
    • User Name
    • Method
    • HTTP Status
    • Win32 Status
  8. Click OK to exit the logging properties.
  9. Click OK to exit the Web site properties.

Basic auditing and logging is now in place.

Stop and restart the Web service

After you enable basic auditing and logging, you must stop and then restart the Web service to clear any cached logon information. To do this, do one of the following:

  • Stop and restart the Web service from a command prompt:
    1. At a Cmd.exe prompt, type the following:

      NET STOP IISADMIN /Y

      NOTE: When you use /Y, all of the other dependent services are stopped, and you are not prompted for each service. If you want to be prompted to stop each dependent service, do not use the /Y option.

    2. Restart each dependent service that you stopped in the previous step by typing:

      NET START W3SVC (to start the World Wide Web Publishing Service).
      NET START MSFTPSVC (to start the FTP Publishing Service).
      NET START SMTPSVC (to start the Microsoft SMTP Service).
      NET START NNTPSVC (to start the Microsoft NNTP Service).

    -or-

  • Stop and restart the Web service from Control Panel:
    1. Click Start, point to Programs, click Control Panel, and then double-click Services.
    2. Select IIS Admin Service, and then click Stop.
    3. Click OK to shut down all dependent services.
    4. Manually start each dependent service that you just stopped.

Clear the security log

  1. Open the Event Viewer. To do this, click Start, point to Programs, click Administrative Tools (Common), and then click Event Viewer.
  2. On the Log menu, click Security to select the security log.
  3. On the Log menu, click Clear All Events.

     NOTE: Microsoft recommends that you save the existing security log. To do this, click Yes, and then specify a folder or file to save to.

  4. Click Yes to clear the security log.

Troubleshoot the Web server

After you have examined the server, try to access the resource from a browser. If you refresh the security log in the event viewer, a series of audited events is listed. Examine the security log entries and ask these questions:

  1. Are any access-denied errors present in the audit log? (You may see some error messages that are related to object access and protected storage; you can safely ignore these messages.)
  2. What account is being logged on? Is it what you expected?
  3. Does this account have access to the file in question? You can check this by looking at the file access entries in the audit log.
  4. What about the W3C log? Are there any HTTP-401 or HTTP-403 errors? Why are they there?
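As an added example (not part of the original article), the following Python script reads a W3C extended log written with the fields enabled in the "Enable W3C extended logging" section and pulls out the HTTP 401 and 403 entries together with their Win32 status, which is the data needed to answer question 4. The log lines are constructed; the field names (c-ip, cs-username, sc-status, sc-win32-status) are the ones IIS writes for the selected columns, and the Win32 code meanings are standard Windows error codes.

```python
from collections import Counter

# Constructed sample log. The '#Fields:' names are the ones IIS writes for
# Date, Time, Client IP Address, User Name, Method, HTTP Status, Win32 Status.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
1998-06-01 08:00:01 192.0.2.10 - GET /default.asp 200 0
1998-06-01 08:00:02 192.0.2.10 - GET /reports/q1.asp 401 5
1998-06-01 08:00:03 192.0.2.10 EXAMPLE\\webuser GET /reports/q1.asp 403 5
1998-06-01 08:00:04 192.0.2.11 - GET /private/tools.asp 401 1326
1998-06-01 08:00:05 192.0.2.12 EXAMPLE\\webuser GET /default.asp 200 0
"""

# Standard Win32 error codes that most often accompany 401/403 in these logs.
WIN32_HINTS = {
    0: "success",
    2: "file not found",
    5: "access denied: compare with the NTFS audit entries in the security log",
    1326: "logon failure: bad user name or password",
}

def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                        # other directives and blank lines
        elif fields is None:
            raise ValueError("request line appears before a #Fields directive")
        else:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines rather than mis-map
                yield dict(zip(fields, values))

def find_access_failures(text):
    """Return the 401/403 entries, each annotated with a Win32 status hint."""
    failures = []
    for rec in parse_w3c_log(text):
        if rec["sc-status"] in ("401", "403"):
            code = int(rec["sc-win32-status"])
            rec["hint"] = WIN32_HINTS.get(code, "win32 error %d" % code)
            failures.append(rec)
    return failures

def summarize(text):
    """Count failures per (HTTP status, logged-on user, Win32 hint) for triage."""
    return Counter((f["sc-status"], f["cs-username"], f["hint"]) for f in find_access_failures(text))
```

A user name of "-" with Win32 status 1326 points at the anonymous or supplied credentials failing to log on, whereas a named user with status 5 points at the NTFS ACL on the requested file, which is where the audited file access entries should be checked next.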

Use the File Monitor (Filemon.exe) tool and the Registry Monitor (Regmon.exe) tool to view real-time system activity. File Monitor enables you to view and to capture real-time file system activity. Registry Monitor enables you to view and to capture real-time system registry activity.

For more information about how to use File Monitor, visit the following Web site:

For more information about how to use Registry Monitor, visit the following Web site:

Tips

The following are some rules and tips about permissions and IIS 4.0:

  • If Anonymous authentication is turned on, it is always used instead of Basic or Windows NT Challenge/Response authentication.
  • Accessing data in an ASP file requires the account that is logging on to have access to the ADO and ODBC directories.
  • If you are using a page count component, the account that is logging on must have write and possibly delete access to the file or registry entry that it uses to persist its count.
  • Any account that is used for Anonymous or Basic authentication must have the Logon Locally right. To configure this, open User Manager for Domains, and then click User Rights on the Policies menu.
  • You can change the rights type to Batch or Network. For more information about how to do this, see the "LogonMethod" topic in the IIS documentation.
  • You may not be able to access a remote computer from an IIS computer. This occurs when Windows NT cannot pass the user security information to the other computer. To verify this, perform the auditing steps listed in this article on both the remote computer and on the IIS computer.
  • You can configure Internet Explorer 4.0 and later to only support certain authentication protocols. To set these protocols:
    1. In Control Panel, click Internet Options.
    2. Click Security, click either Custom or Custom Level, click Settings, and then either click Authentication or scroll to User Authentication.
    3. Select the authentication that you want, and then click OK.

       NOTE: If you select Anonymous Logon, the browser will not support any authentication schemes other than Anonymous.

  • Check the IP and domain restrictions for the Web site:
    1. In the Internet Services Manager, right-click the Web site, and then click Properties.
    2. On the Directory Security tab, locate the IP Address and Domain Name Restrictions section, and then click Edit.
    3. Review, add, or change any restriction settings as needed.
  • If you are using Anonymous authentication, verify that the anonymous account is valid (that is, verify the password and logon times), and then verify that the anonymous account is enabled. If you are not sure which anonymous account is used for the Web Site, follow these steps:
    1. In the Internet Services Manager, right-click the Web site, and then click Properties.
    2. On the Directory Security tab, locate the Anonymous Access and Authentication Control section, and then click Edit.
    3. In the Authentication Methods dialog box that appears, locate the Anonymous Access section, and then click Edit to see the Windows NT account that is used for Anonymous authentication.
    4. In User Manager for Domains, make sure that the account is enabled, that it has the correct logon rights, and that it has the correct hours.
  • If you are using #include statements, errors may result because access is denied on the included file, not the main file. For example, if Default.asp has an #include statement for Tools.asp, but the file Tools.asp has a restrictive access control list (ACL), an error may be reported on Default.asp, although the logged on account has access to the Default.asp file. To verify this, you can temporarily comment out #include statements until you have successfully resolved the situation.

Troubleshooting resources

To troubleshoot complex issues, you can use the following resources:

Tools to use

The site http://www.microsoft.com/technet/sysinternals/default.mspx has many utilities that are helpful when you troubleshoot Windows NT issues, in addition to the File Monitor and Registry Monitor tools that are discussed in the "Troubleshoot the Web server" section.

REFERENCES

For more information about security, visit the following Microsoft Web site:

For more information about permissions for IIS 4.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:

187506 Required NTFS permissions and user rights for IIS 4.0
280383 IIS security recommendations when you use a UNC share and username and password credentials
240735 How to reset multiple virtual server permissions in FrontPage 2000

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

271071 How to set required NTFS permissions and user rights for an IIS 5.0 Web server
321892 Default settings in DCOMCNFG for IIS 5.0
321893 Default settings in DCOMCNFG for IIS 4.0
812614 Default permissions and user rights for IIS 6.0

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Keywords: kbhowtomaster KB185874