
We host a customer site (the hardware is at a third-party data center, but we administer the software). On several different occasions, the customer has reported a problem with the site, and when I log in to the machine I find that the IIS configuration has changed - the authentication method has changed (should be basic but it has switched to forms), the default document is enabled (should be disabled), and directory browsing is disabled (should be enabled). The configuration changes are the same each time.

So far I've tried...

  • IIS auditing. The only changes that have been logged are the ones I made every time I've fixed the IIS configuration.
  • Configuration change history. I reviewed the c:\inetpub\history and according to the snapshots nothing has changed. In other words, the snapshots only have the correct settings; they never show that there were incorrect settings.
  • Task Scheduler. I've reviewed every single task (including Windows tasks) and don't see anything that would be changing the IIS configuration. Also, while this event has occurred monthly since the site went live, it is not happening on a consistent day of the week (first Monday, 15th of the month, etc.), so it doesn't seem to have a date trigger.

What could possibly be changing my site's IIS settings every month? How can I track down the culprit?

Specs:

  • Windows Server 2008 R2
  • IIS 7.5
  • McAfee Virus Scanner (checked logs, didn't see any smoking gun)

Update: To answer some of the questions in the comments: we are not using Exchange or Sharepoint. I have checked the local web.config file and it does not contain the authentication, default doc, or directory browsing settings. These are all being stored in the applicationHost.config.

pandoh
  • Are you using any other product on top of IIS? Exchange and SharePoint, for example, are well known for adjusting it (even after you change it) to suit their own needs; there are probably many more which do so. – Massimo Sep 23 '16 at 19:03
  • Could it be that these settings are in a local web.config file and someone is uploading this file every so often? I think replacing the whole web.config file is not picked up as a change in IIS auditing. Check whether the changed settings are in site's web.config file and when that file was modified, find out who logged on to the server around the same time. – Peter Hahndorf Sep 23 '16 at 19:35
  • I've updated the original post to respond to your comments. Any other ideas? – pandoh Sep 23 '16 at 20:32
  • Very weird that the changes are not showing up in IIS Auditing Event log or the change history. I would enable Windows file auditing on applicationHost.config – Peter Hahndorf Sep 23 '16 at 21:05
  • The only way I can think of this happening is that someone restores an older copy of ApplicationHost.config. Changes through the API should show up in the event log and changes to the file itself should at least show up in the `inetpub\history`, but replacing the whole file or even restoring an image of `C:\` does not add an entry to the event log or the history folder. So again Windows file auditing should help. – Peter Hahndorf Sep 24 '16 at 08:42
  • Process Monitor can help; you have to ensure that when running Process Monitor, the Filter -> Drop Filtered Events is highlighted to reduce the memory impact of leaving it running. There will still be a performance impact though. – milope Sep 25 '16 at 13:27

0 Answers
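One way to set up the Windows file auditing suggested in the comments, as an added example that is not part of the original thread. It assumes the default IIS 7.5 config location under `%windir%\System32\inetsrv\config` and an elevated session; the rule is placed on the directory with inheritance (a choice made here) so that a replaced or restored `applicationHost.config` is still covered.

```powershell
# Added example: audit writes to applicationHost.config and report who made them.
# Assumes the default IIS config directory; run from an elevated PowerShell session.
$configDir = Join-Path $env:windir 'System32\inetsrv\config'

# 1. Enable the "File System" audit subcategory so SACL matches reach the Security log.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit rule for Everyone on the directory, inherited by the files in it.
#    Auditing the directory (not just the file) means a file that is deleted and
#    recreated, or restored from a backup copy, is still audited.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $configDir -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $configDir -AclObject $acl

# 3. After the settings change again, list the object-access events (ID 4663)
#    whose object name is applicationHost.config, with the account and process.
#    Property indexes follow the 4663 event layout:
#    1 = SubjectUserName, 2 = SubjectDomainName, 6 = ObjectName, 11 = ProcessName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -like '*\applicationHost.config' } |
    Select-Object TimeCreated,
        @{ Name = 'Account'; Expression = { '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value } },
        @{ Name = 'Process'; Expression = { $_.Properties[11].Value } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

If no 4663 events appear around the time the settings revert, that points toward a change made outside the running OS, such as the `C:\` image restore mentioned in the comments. Size the Security log so a month of events is retained.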