Is this normal behavior or an attack?

on 21.05.2007 19:53:01 by JNeilWix

Please see the Security Log event below. It appears that I get a similar
entry in the Security log periodically. This example involves
C:\WINDOWS\system32\drivers\etc\protocol. Sometimes it involves other files as
well, namely c:\windows\system32\msdart.dll,
C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or
C:\WINDOWS\system32\mswstr10.dll.
It appears that w3wp.exe is attempting to access these files and is being
denied access. Is there ever a legitimate reason for w3wp.exe to access any
of these files as the Internet Guest user, or are these likely indicative of
some sort of attempt to circumvent security?

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 5/20/2007
Time: 9:28:35 PM
User: XXXXX-EXCH\IUSR_XXXXX-DC
Computer: XXXXX-EXCH
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\drivers\etc\protocol
Handle ID: -
Operation ID: {0,391908395}
Process ID: 5540
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: IUSR_XXXXX-DC
Client Domain: XXXXX-EXCH
Client Logon ID: (0x0,0x175BE8B8)
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120189


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Re: Is this normal behavior or an attack?

on 22.05.2007 04:12:54 by David Wang

It depends.

w3wp.exe itself does not require those resources, but you may be
running code inside of w3wp.exe that requires those resources.

However, if you don't expect such access, then you can view such log
entries as security breach denied.

If you want to get rid of these event log entries, then you will have
to figure out what code running on IIS6 is causing it and stop it. IIS
really doesn't have anything to do with it other than restraining the
process identity and denying the security breach.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On May 21, 10:53 am, JNeilWix
wrote:
> Please see the Security Log event below. It appears that I get a similar
> entry in the Security log periodically. This example involves
> C:\WINDOWS\system32\drivers\etc\protocol. Sometimes it involves other files as
> well, namely c:\windows\system32\msdart.dll,
> C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or
> C:\WINDOWS\system32\mswstr10.dll.
> It appears that w3wp.exe is attempting to access these files and is being
> denied access. Is there ever a legitimate reason for w3wp.exe to access any
> of these files as the Internet Guest user, or are these likely indicative of
> some sort of attempt to circumvent security?
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 5/20/2007
> Time: 9:28:35 PM
> User: XXXXX-EXCH\IUSR_XXXXX-DC
> Computer: XXXXX-EXCH
> Description:
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: C:\WINDOWS\system32\drivers\etc\protocol
> Handle ID: -
> Operation ID: {0,391908395}
> Process ID: 5540
> Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
> Primary User Name: NETWORK SERVICE
> Primary Domain: NT AUTHORITY
> Primary Logon ID: (0x0,0x3E4)
> Client User Name: IUSR_XXXXX-DC
> Client Domain: XXXXX-EXCH
> Client Logon ID: (0x0,0x175BE8B8)
> Accesses: READ_CONTROL
> SYNCHRONIZE
> ReadData (or ListDirectory)
> ReadEA
> ReadAttributes
> WriteAttributes
>
> Privileges: -
> Restricted Sid Count: 0
> Access Mask: 0x120189
>
> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Re: Is this normal behavior or an attack?

on 22.05.2007 14:52:00 by JNeilWix

Thank you for the response. I had more or less assumed most of what you
pointed out. There are three key sites on IIS. 1) OWA/OMA; 2) Citrix Remote
access; 3) A website for public use (also has some function restricted to
employee access.) I'll be getting with the web developer about #3,
specifically. I was hoping someone here could comment on the functions of
the listed DLLs and the protocol file. Is access to any of these required by
OWA/OMA for instance? Is there anything in the information from the event
log that would, if properly decoded, help me identify which site/app was
causing the access?

"David Wang" wrote:

> It depends.
>
> w3wp.exe itself does not require those resources, but you may be
> running code inside of w3wp.exe that requires those resources.
>
> However, if you don't expect such access, then you can view such log
> entries as security breach denied.
>
> If you want to get rid of these event log entries, then you will have
> to figure out what code running on IIS6 is causing it and stop it. IIS
> really doesn't have anything to do with it other than restraining the
> process identity and denying the security breach.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
> On May 21, 10:53 am, JNeilWix
> wrote:
> > Please see the Security Log event below. It appears that I get a similar
> > entry in the Security log periodically. This example involves
> > C:\WINDOWS\system32\drivers\etc\protocol. Sometimes it involves other files as
> > well, namely c:\windows\system32\msdart.dll,
> > C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or
> > C:\WINDOWS\system32\mswstr10.dll.
> > It appears that w3wp.exe is attempting to access these files and is being
> > denied access. Is there ever a legitimate reason for w3wp.exe to access any
> > of these files as the Internet Guest user, or are these likely indicative of
> > some sort of attempt to circumvent security?
> >
> > Event Type: Failure Audit
> > Event Source: Security
> > Event Category: Object Access
> > Event ID: 560
> > Date: 5/20/2007
> > Time: 9:28:35 PM
> > User: XXXXX-EXCH\IUSR_XXXXX-DC
> > Computer: XXXXX-EXCH
> > Description:
> > Object Open:
> > Object Server: Security
> > Object Type: File
> > Object Name: C:\WINDOWS\system32\drivers\etc\protocol
> > Handle ID: -
> > Operation ID: {0,391908395}
> > Process ID: 5540
> > Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
> > Primary User Name: NETWORK SERVICE
> > Primary Domain: NT AUTHORITY
> > Primary Logon ID: (0x0,0x3E4)
> > Client User Name: IUSR_XXXXX-DC
> > Client Domain: XXXXX-EXCH
> > Client Logon ID: (0x0,0x175BE8B8)
> > Accesses: READ_CONTROL
> > SYNCHRONIZE
> > ReadData (or ListDirectory)
> > ReadEA
> > ReadAttributes
> > WriteAttributes
> >
> > Privileges: -
> > Restricted Sid Count: 0
> > Access Mask: 0x120189
> >
> > For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>

Re: Is this normal behavior or an attack?

on 23.05.2007 01:59:05 by David Wang

> Is there anything in the information from the event log that
> would, if properly decoded, help me identify which site/app
> was causing the access?

Unless the event log entry is written by IIS, you really cannot
identify actions by site/app. This is because IIS runs site/app code
on a thread inside the process, and non-IIS related monitoring only
sees the thread/process doing something but has no idea what site/app
is running on that thread. Only IIS has this information -- so unless
IIS is logging that event log entry, you have no generic way to
correlate site/app code, unless you isolate one site/app per process
or app pool identity.

I assume you are running Exchange 2003/2007 on this machine, in which
case OWA/OMA runs as LocalSystem process account and is therefore
unlikely to be the cause of those event log entries. You will be
looking for code running in AppPools configured to run as Network
Service.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On May 22, 5:52 am, JNeilWix
wrote:
> Thank you for the response. I had more or less assumed most of what you
> pointed out. There are three key sites on IIS. 1) OWA/OMA; 2) Citrix Remote
> access; 3) A website for public use (also has some function restricted to
> employee access.) I'll be getting with the web developer about #3,
> specifically. I was hoping someone here could comment on the functions of
> the listed DLLs and the protocol file. Is access to any of these required by
> OWA/OMA for instance? Is there anything in the information from the event
> log that would, if properly decoded, help me identify which site/app was
> causing the access?
>
>
>
> "David Wang" wrote:
> > It depends.
>
> > w3wp.exe itself does not require those resources, but you may be
> > running code inside of w3wp.exe that requires those resources.
>
> > However, if you don't expect such access, then you can view such log
> > entries as security breach denied.
>
> > If you want to get rid of these event log entries, then you will have
> > to figure out what code running on IIS6 is causing it and stop it. IIS
> > really doesn't have anything to do with it other than restraining the
> > process identity and denying the security breach.
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
>
> > On May 21, 10:53 am, JNeilWix
> > wrote:
> > > Please see the Security Log event below. It appears that I get a similar
> > > entry in the Security log periodically. This example involves
> > > C:\WINDOWS\system32\drivers\etc\protocol. Sometimes it involves other files as
> > > well, namely c:\windows\system32\msdart.dll,
> > > C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or
> > > C:\WINDOWS\system32\mswstr10.dll.
> > > It appears that w3wp.exe is attempting to access these files and is being
> > > denied access. Is there ever a legitimate reason for w3wp.exe to access any
> > > of these files as the Internet Guest user, or are these likely indicative of
> > > some sort of attempt to circumvent security?
>
> > > Event Type: Failure Audit
> > > Event Source: Security
> > > Event Category: Object Access
> > > Event ID: 560
> > > Date: 5/20/2007
> > > Time: 9:28:35 PM
> > > User: XXXXX-EXCH\IUSR_XXXXX-DC
> > > Computer: XXXXX-EXCH
> > > Description:
> > > Object Open:
> > > Object Server: Security
> > > Object Type: File
> > > Object Name: C:\WINDOWS\system32\drivers\etc\protocol
> > > Handle ID: -
> > > Operation ID: {0,391908395}
> > > Process ID: 5540
> > > Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
> > > Primary User Name: NETWORK SERVICE
> > > Primary Domain: NT AUTHORITY
> > > Primary Logon ID: (0x0,0x3E4)
> > > Client User Name: IUSR_XXXXX-DC
> > > Client Domain: XXXXX-EXCH
> > > Client Logon ID: (0x0,0x175BE8B8)
> > > Accesses: READ_CONTROL
> > > SYNCHRONIZE
> > > ReadData (or ListDirectory)
> > > ReadEA
> > > ReadAttributes
> > > WriteAttributes
>
> > > Privileges: -
> > > Restricted Sid Count: 0
> > > Access Mask: 0x120189
>
> > > For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
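An added worked example, not code posted by anyone in this thread: a small Python script that takes the Description body of the 560 failure audit quoted above, decodes the Access Mask into the individual rights (and checks them against the "Accesses:" list), flags any write-class rights, and maps the worker Process ID to its application pool from a process listing. It covers the triage question in David's first reply (is this access expected for the code in that worker?) and the correlation point in his second reply: IIS 6 starts each worker as `w3wp.exe ... -ap "<pool name>"`, so a process listing captured while that PID is alive ties the event to one app pool, which is the same mapping iisapp.vbs prints on the server. The event text is the one from the thread; the process listing, its pipe name and the pool names are constructed samples, and its (pid, command line) shape is an assumption modelled on `wmic process get ProcessId,CommandLine` output.

```python
import re

# Bit values of the file access rights (winnt.h), labelled with the wording
# Windows uses in the "Accesses:" block of an Event ID 560 record.
FILE_ACCESS_BITS = {
    0x000001: "ReadData (or ListDirectory)",
    0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x000008: "ReadEA",
    0x000010: "WriteEA",
    0x000020: "Execute/Traverse",
    0x000040: "DeleteChild",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
KNOWN_BITS = 0
for _bit in FILE_ACCESS_BITS:
    KNOWN_BITS |= _bit

# Rights that let the caller modify the file: its data, metadata or security descriptor.
WRITE_CLASS_BITS = (0x000002 | 0x000004 | 0x000010 | 0x000040 | 0x000100
                    | 0x010000 | 0x040000 | 0x080000)

# READ_CONTROL | SYNCHRONIZE | ReadData | ReadEA | ReadAttributes:
# what a plain GENERIC_READ open of a file asks for.
FILE_GENERIC_READ = 0x120089

# Sample input: the Description body of the 560 event quoted in the thread.
SAMPLE_EVENT = r"""Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\drivers\etc\protocol
Handle ID: -
Operation ID: {0,391908395}
Process ID: 5540
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: IUSR_XXXXX-DC
Client Domain: XXXXX-EXCH
Client Logon ID: (0x0,0x175BE8B8)
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120189
"""

# Constructed sample process listing, assumed to look like
# "wmic process where name='w3wp.exe' get ProcessId,CommandLine" output.
# Pool names and the IPM pipe name are invented.
SAMPLE_PROCESSES = [
    (1234, r'c:\windows\system32\inetsrv\w3wp.exe -a \\.\pipe\iisipmSAMPLE1 -ap "ExchangeApplicationPool"'),
    (5540, r'c:\windows\system32\inetsrv\w3wp.exe -a \\.\pipe\iisipmSAMPLE2 -ap "PublicSitePool"'),
]


def parse_560(text):
    """Turn the Description body of a 560 record into a dict of fields.
    'Accesses' becomes a list, because the rights continue on following lines."""
    fields, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([^:]+):\s*(.*)$", line)   # first colon splits key and value
        if m:
            last_key, value = m.group(1).strip(), m.group(2).strip()
            fields[last_key] = [value] if last_key == "Accesses" else value
        elif last_key == "Accesses":
            fields["Accesses"].append(line)          # continuation line of the rights list
    return fields


def decode_access_mask(mask):
    """Expand an access mask into the named rights it requests, lowest bit first."""
    names = [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:
        names.append("unknown bits 0x%X" % unknown)
    return names


def triage(event_text):
    """Summarise who asked for what on which object, with the mask decoded."""
    f = parse_560(event_text)
    mask = int(f["Access Mask"], 16)
    decoded = decode_access_mask(mask)
    return {
        "object": f["Object Name"],
        "image": f["Image File Name"],
        "pid": int(f["Process ID"]),
        "process_identity": f["Primary Domain"] + "\\" + f["Primary User Name"],
        "client_user": f["Client Domain"] + "\\" + f["Client User Name"],
        "rights": decoded,
        "write_rights": [n for b, n in sorted(FILE_ACCESS_BITS.items()) if mask & b & WRITE_CLASS_BITS],
        "is_read_plus_write_attributes": mask == (FILE_GENERIC_READ | 0x100),
        "mask_matches_listed": set(decoded) == set(f["Accesses"]),
    }


W3WP_AP_RE = re.compile(r'-ap\s+"([^"]+)"')


def app_pool_for_pid(pid, process_table):
    """Map a w3wp.exe PID from the event to its application pool using the
    -ap "<pool>" argument IIS 6 puts on each worker's command line."""
    for table_pid, cmdline in process_table:
        if table_pid == pid:
            m = W3WP_AP_RE.search(cmdline)
            return m.group(1) if m else None
    return None   # PID not in the snapshot: worker recycled before the listing was taken


if __name__ == "__main__":
    result = triage(SAMPLE_EVENT)
    for key, value in result.items():
        print("%-30s %s" % (key, value))
    print("%-30s %s" % ("app_pool", app_pool_for_pid(result["pid"], SAMPLE_PROCESSES)))
```

For the event in the thread the mask 0x120189 decodes to FILE_GENERIC_READ plus WriteAttributes, so the only write-class right requested is WriteAttributes; that is the detail worth raising with the developer of the app in the pool the PID maps to. The PID is only meaningful while that worker is alive (app pool recycling reuses PIDs), so the process listing has to be captured close to the event time.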