Troubleshooting Web Agent / IIS 6.0 User Permission Issues - Windows 2003 Logging Configuration.

Document ID : KB000053551
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

When attempting to determine whether there exists a user file or service permission problem running the Web Agent ISAPI filter/extension within IIS 6.0, by default Windows 2003 is not configured with adequate audit failure logging. Examples of such problems are inadequate user permissions on a Web Agent log directory or within IIS itself (process-level user permissions within an application pool).

Solution:

To increase security audit logging, do the following:

Under 'Start'->'Settings'->'Control Panel'->'Administrative Tools', select 'Local Security Settings'.
Within the configuration window (left pane), navigate to 'Security Settings' -> 'Local Policies' -> 'Audit Policy'. In the right pane, you will find the following audit log defaults:

Windows 2003 System Defaults
----------------------------
Audit account logon events  [Success]
Audit account management  [No auditing]
Audit logon events   [Success]
Audit object access   [No auditing]
Audit policy change   [No auditing]
Audit privilege use   [No auditing]
Audit process tracking   [No auditing]
Audit system events   [No auditing]

For full logging, change these to:

Audit account logon events  [Failure]
Audit account management  [Failure]
Audit logon events   [Failure]
Audit object access   [Failure]
Audit policy change   [Failure]
Audit privilege use   [Failure]
Audit process tracking   [Failure]
Audit system events   [Failure]

After changing these settings, do the following to completely restart IIS and the Web Agent:

  • Shutdown IIS with the commandline option "iisreset /stop".

  • Wait for LLAWP.exe to terminate (ensure it does not appear in Task Manager).

  • Start IIS with the commandline option "iisreset /start".

  • Request a protected (non-functional) resource to test and log the failure.

  • Review the Windows 'Security', 'Application', and 'System' event logs for all failures from the timestamps of IIS startup and the test request.

Please see the following screenshot for the exact location to change these Windows permission settings:

Figure 1