Detecting Unauthorized Access

You can review IIS logs and Windows security logs to monitor security events over extended periods of time. Use the Microsoft Management Console to view the Windows Security Log; the IIS logs can be viewed with any text editor or word processor. For more information about viewing IIS logs, see Logging Site Activity.

In the Windows Security Log, you can detect unauthorized access attempts, which can appear as warning or error log entries. You can also archive these logs for later use. For more information about auditing, consult the Windows documentation.

To detect possible security problems by reviewing the Windows Security Log
  1. Click Start, point to Settings, click Control Panel, double-click Administrative Tools, then double-click Computer Management.
  2. Expand System Tools.
  3. Expand Event Viewer.
  4. Select Security Log.
     Note   If you are not able to view the security log, then the user account you are using does not have privileges to do so. This happens because the domain-level security policies override the local computer-level security policies, which means that you can be logged on as the Administrator of your local computer, but not have access to its security log. To get these permissions, see your network administrator. For more information about security policies, see the Windows documentation.

  5. Inspect the logs for suspicious security events, including the following:

To archive a Windows Security Log
  1. Click Start, point to Settings, click Control Panel, double-click Administrative Tools, then double-click Computer Management.
  2. Expand System Tools.
  3. Expand Event Viewer.
  4. Select Security.
  5. On the Action menu, click Save Log File As.
  6. In the Save As dialog box, select the directory you want to save the file to, and type in a name for the file.
     Note   The security log can be saved as an event (.evt) file, a text (.txt) file, or a comma-delimited (.csv) file.

To open an archived Windows Security Log
  1. Click Start, point to Settings, click Control Panel, double-click Administrative Tools, then double-click Computer Management.
  2. Expand System Tools.
  3. Expand Event Viewer.
  4. On the Log menu, select Security.
  5. On the Action menu, point to New and click Log View.
  6. In the Add Another Log View dialog box, select Saved (opens a previously saved log) and browse to the file.
  7. In the Log type drop-down list, select Security.
  8. Click OK to open the file in the viewer.

To detect possible security problems by reviewing IIS log files
  1. In a text editor, such as Notepad, open the log file. For more information about log files, see Logging Site Activity.
  2. Inspect the logs for suspicious security events, including the following:
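
The IIS log review in the procedure above can also be scripted. The following is an added example, not part of the original documentation: it assumes logs in W3C Extended format with the c-ip, cs-uri-stem and sc-status fields enabled, treats HTTP 401 and 403 responses as denied requests, and uses a constructed sample log and an arbitrary threshold of three.

```python
from collections import defaultdict

# Constructed sample (not from a real server). The second #Fields directive
# models a restart after the set of logged fields was changed.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
1999-11-02 09:14:03 192.0.2.10 - GET /default.asp 200
1999-11-02 09:14:07 192.0.2.44 - GET /admin/default.asp 401
1999-11-02 09:14:08 192.0.2.44 - GET /admin/default.asp 401
1999-11-02 09:14:09 192.0.2.10 - GET /private/report.doc 403
#Version: 1.0
#Fields: time c-ip cs-uri-stem sc-status
10:00:01 192.0.2.44 /admin/users.asp 401
10:00:02 192.0.2.44 /admin/users.asp 200
10:00:05 192.0.2.10 /default.asp
"""

DENIED = {"401", "403"}  # HTTP Unauthorized and Forbidden


def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows below
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or garbled rows
                yield dict(zip(fields, values))


def denied_by_client(lines, threshold=3):
    """Map each client IP with >= threshold denied requests to the URIs it hit."""
    hits = defaultdict(list)
    for row in parse_w3c(lines):
        if row.get("sc-status") in DENIED and "c-ip" in row:
            hits[row["c-ip"]].append(row.get("cs-uri-stem", "-"))
    return {ip: uris for ip, uris in hits.items() if len(uris) >= threshold}


if __name__ == "__main__":
    for ip, uris in sorted(denied_by_client(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {len(uris)} denied requests -> {sorted(set(uris))}")
```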

© 1997-1999 Microsoft Corporation. All rights reserved.