Description:
When attempting to determine whether there exists a user file or service permission problem running the Web Agent ISAPI filter/extension within IIS 6.0, by default Windows 2003 is not configured with adequate audit failure logging. Examples of such problems are inadequate user permissions on a Web Agent log directory or within IIS itself (process-level user permissions within an application pool).
Solution:
To increase security audit logging, do the following:
Under 'Start'->'Settings'->'Control Panel'->'Administrative Tools', select 'Local Security Settings'.
Within the configuration window (left pane), navigate to 'Security Settings' -> 'Local Policies' -> 'Audit Policy'. In the right pane, you will find the following audit log defaults:
Windows 2003 System Defaults ---------------------------- Audit account logon events [Success] Audit account management [No auditing] Audit logon events [Success] Audit object access [No auditing] Audit policy change [No auditing] Audit privilege use [No auditing] Audit process tracking [No auditing] Audit system events [No auditing]
For full logging, change these to:
Audit account logon events [Failure] Audit account management [Failure] Audit logon events [Failure] Audit object access [Failure] Audit policy change [Failure] Audit privilege use [Failure] Audit process tracking [Failure] Audit system events [Failure]
After changing these settings, do the following to completely restart IIS and the Web Agent:
Please see the following screenshot for the exact location to change these Windows permission settings:
<Please see attached file for image>