IIS web server

IIS server monitoring and security: EventLog Analyzer's use cases

Microsoft's Internet Information Server (IIS) is a web server for Windows operating systems that delivers web content to users who request it through a web browser.

EventLog Analyzer, ManageEngine's comprehensive log management solution, monitors both IIS web and FTP servers' activities and secures them from threats.

This tutorial elaborates on the different IIS server monitoring and security use cases covered by ManageEngine EventLog Analyzer, a comprehensive log management platform. Before delving into the use cases, enable logging and configure your IIS web server to send logs to the EventLog Analyzer console.

IIS server performance and health auditing using EventLog Analyzer: Use cases

EventLog Analyzer addresses various IIS web server auditing scenarios through its security auditing reports. These reports come predefined and can be scheduled for generation at specific times, with distribution via email.

Use case | Description | Why implement? | Available reports

Web server health analysis
  Description: Analyze and audit a high-level overview of server events, including successful requests, errors, and security events.
  Why implement: Gain quick insights into server environments and instantly identify potential issues.
  Available reports:
  • Status Code Summary
  • Client Errors
  • Server Errors
  • Information Reports
  • Success Reports

Client-side error analysis
  Description: Analyze the frequency and types of client-side errors to identify potential application bugs and user errors.
  Why implement: Improve the user experience and application functionality.
  Available reports:
  • HTTP Bad Request
  • HTTP URI Too Large
  • HTTP Request Entity Too Large
  • Client Error Reports
  Adjust the time period and view trend reports for an effective analysis of the frequency of events. Additionally, use filters to view specific events for analysis.

Server-side error analysis
  Description: Analyze the frequency and type of server-side errors to identify server resource issues or application problems.
  Why implement: Improve server stability and application performance.
  Available reports:
  • HTTP Gateway Timeout
  • Service Unavailable
  • Server Error

Server performance monitoring
  Description: Analyze reports on server restarts, busy states, and I/O operation aborts to identify potential performance bottlenecks.
  Why implement: Improve server stability and responsiveness.
  Available reports:
  • Web Server Restart Reports
  • Web Server Busy Reports
  • IO Operation Aborted Reports

Redirection analysis
  Description: Analyze redirection reports to identify any unexpected redirects or redirect loops impacting the user experience.
  Why implement: Optimize website navigation and prevent redirect issues.
  Available reports:
  • Redirection Reports

IIS web server log auditing using EventLog Analyzer: Use cases

Use case | Description | Why implement? | Available reports

Web server audit log analysis
  Description: Analyze all detailed events captured in the log files for forensic purposes and to troubleshoot complex issues.
  Why implement: Investigate security incidents, diagnose application errors, and understand user behavior.
  Available reports: Status Code Summary Report (detailed). All other reports, and searching web server logs using the Search console, can be used for further drill-down analysis.

User authentication monitoring
  Description: Track successful and failed user login attempts to identify potential security breaches or user access issues.
  Why implement: Improve security posture and troubleshoot login issues.
  Available reports:
  • Failed User Authentication
  • Authentication Changes
  • Logging Changes

Security monitoring
  Description: Analyze security-related events, like unauthorized access attempts (401 errors), IP address rejections, and access denied reports.
  Why implement: Enhance security posture, comply with regulations, and respond quickly to potential threats.
  Available reports:
  • Failed User Authentication
  • IP Address Rejected
  • Site Access Denied Reports
  • Security Event Reports

IIS configuration change monitoring
  Description: Track and analyze all configuration changes made to IIS, including authentication, error pages, logging, modules, request filtering, and SSL settings.
  Why implement: Improve security posture, ensure configuration compliance, and troubleshoot configuration-related issues.
  Available reports: Reports under the IIS Admin Configuration section provide insights into changes happening to:
  • Authentication
  • Default documents
  • Error pages
  • Logging
  • Modules
  • Request filtering
  • SSL settings
  Use filters to view changes by specific users, location, and more for effective analysis.

Detecting average response time
  Description: Analyze the average time the server takes to respond to a request, to identify slow queries or performance issues.
  Why implement: Improve the performance of web servers.
  Available reports:
  • Average Response Time

Securing IIS web servers using EventLog Analyzer: Use cases

Use case | Description | Relevant MITRE ATT&CK techniques | Relevant rules and capabilities

SQL injection detection
  Description: Detect SQL injection attacks and repeated SQL injection attempts.
  MITRE ATT&CK: T1190 Exploit Public-Facing Applications
  Rules and capabilities: Correlation rule:
  • Repeated SQL injection attempts
  Get alerted on SQL injection attacks using the predefined alert profile.

Cross-site scripting attack detection
  Description: Detect and block attempts to inject malicious scripts into webpages that can be executed by users' browsers, leading to theft of sensitive data or session hijacking.
  MITRE ATT&CK: T1189 Drive-by Compromise; T1190 Exploit Public-Facing Applications
  Rules and capabilities:
  • Cross-site scripting

Malicious URL request detection
  Description: Detect URL requests from or to malicious sources that could be used to distribute malware, steal data, or redirect users to phishing sites, by correlating network information with dynamic, real-time threat feeds.
  MITRE ATT&CK: T1190 Exploit Public-Facing Applications
  Rules and capabilities:
  • There is an automatically configured rule that blocks any inbound or outbound traffic to malicious sources.
  • Get insights into malicious requests through the Possible malicious URL requests report.

Malicious file execution detection
  Description: Identify and block attempts to upload or execute malicious files on the web server.
  MITRE ATT&CK: T1105 Ingestion of Resource; T1106 Resource Hijacking
  Rules and capabilities: Enable and customize the Malicious file execution alert profile to detect commonly used malware file executions and file executions from unauthorized locations.

Restricted file execution detection
  Description: Specifically detect and block attempts to execute privileged system files, like cmd.exe, root.exe, or commands associated with xp_cmdshell.
  MITRE ATT&CK: T1059 Command and Scripting Interpreter; T1059.003 Windows Command Shell
  Rules and capabilities: Get alerted, with predefined alert profiles, on:
  • cmd.exe and root.exe file executions
  • XP commandshell executions

Admin resource access monitoring
  Description: Monitor attempts to access administrative resources or directories on the web server.
  MITRE ATT&CK: T1069 Lateral Movement
  Rules and capabilities: Get alerted on specific admin resource access with the following predefined alert profile:
  • Admin resource access

Directory traversal detection
  Description: Identify and block attempts to access files or directories outside the intended web root using path manipulation techniques.
  MITRE ATT&CK: T1069 Lateral Movement
  Rules and capabilities: Modify the existing alert profile for directory traversal detection to include the use of ".." or other path manipulation techniques within URLs.

Spam mail header detection
  Description: Identify and block requests containing specific headers commonly associated with spam emails.
  MITRE ATT&CK: -
  Rules and capabilities: Use the predefined Spam mail header detection alert profile to identify spam emails using headers.

Traffic monitoring from unauthorized locations
  Description: Detect website traffic from unauthorized or unusual locations.
  MITRE ATT&CK: -
  Rules and capabilities: Analyze traffic trends by viewing:
  • Top Countries
  • Top Users analytical dashboard filtered based on location
  Tweak the alert profile to get notified when there's a request from an unauthorized location.
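The tables above name the criteria behind the reports and alert profiles (status-code classes, failed logins, ".." path manipulation, cmd.exe/root.exe/xp_cmdshell requests, access to admin directories) without showing how they apply to IIS log lines. The following is an added example, not ManageEngine's or EventLog Analyzer's code: it parses a constructed IIS W3C extended log excerpt and applies those checks; the field layout, rule names and sample requests are assumptions chosen for illustration.

```python
# Added example: run the page's IIS use cases (status summary, failed logins, traversal,
# restricted executables, admin access) over a constructed W3C log excerpt (made-up data).
import re
from collections import Counter
from urllib.parse import unquote

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-substatus time-taken
2024-05-01 08:00:01 GET /index.html - 203.0.113.9 200 0 15
2024-05-01 08:00:02 GET /images/logo.png - 203.0.113.9 200 0 4
2024-05-01 08:00:05 POST /login - 198.51.100.7 401 2 30
2024-05-01 08:00:06 POST /login - 198.51.100.7 401 2 28
2024-05-01 08:00:09 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+dir 198.51.100.7 404 0 2
2024-05-01 08:00:12 GET /admin/config.aspx - 198.51.100.7 403 0 3
2024-05-01 08:00:20 GET /api/report id=1 203.0.113.9 500 0 2100
"""

def parse_w3c(text):
    """Return one dict per request line, keyed by the #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]    # the directive may change mid-file
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def status_summary(rows):
    """Requests per status class (the Status Code Summary use case)."""
    names = {2: "success", 3: "redirect", 4: "client_error", 5: "server_error"}
    return dict(Counter(names.get(int(r["sc-status"]) // 100, "other") for r in rows))

# Patterns matching what the page's alert profiles describe (hypothetical rule names).
RULES = [
    ("directory_traversal", re.compile(r"\.\.[/\\]")),
    ("restricted_file_execution", re.compile(r"cmd\.exe|root\.exe|xp_cmdshell", re.I)),
    ("admin_resource_access", re.compile(r"^/admin(?:/|$)", re.I)),
]

def security_findings(rows):
    """(rule, client_ip, decoded_uri) per request that is a 401 or matches a rule."""
    found = []
    for r in rows:
        query = "" if r["cs-uri-query"] == "-" else "?" + r["cs-uri-query"]
        uri = unquote(r["cs-uri-stem"] + query)   # decode so ..%2f is not missed
        if r["sc-status"] == "401":
            found.append(("failed_authentication", r["c-ip"], uri))
        for name, pattern in RULES:
            if pattern.search(uri):
                found.append((name, r["c-ip"], uri))
    return found
```

Grouping the findings by c-ip is what turns the two 401 rows into the "repeated" signal the correlation rules above key on.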

Compliance use case

Most regulatory mandates require organizations to deploy web server monitoring solutions to track access and modifications, and to ensure data security and integrity. The table below illustrates how EventLog Analyzer can help you meet compliance use cases for IIS web servers. For detailed solution mapping, check out this space.

Compliance requirements: Solution mapping for file server platforms

EventLog Analyzer reports and alerts | Detection rules | Regulatory mandates | Requirements

IIS Web Server Error Reports
  Reports and alerts:
  • IIS Client Errors
  • IIS Server Errors
  • IIS Password Change
  • IIS Failed User Authentication
  • IIS HTTP Bad Request
  • IIS Site Access Denied
  • IIS IP Address Rejected
  • IIS Read Access Forbidden
  • IIS Write Access Forbidden
  • IIS UNC Authorization Failed
  • IIS Denied direct request to Global
  • IIS I/O Operation Aborted
  • IIS Webserver Restart
  Detection rules:
  • Malicious URL requests
  • Repeated SQL injection attempts
  Regulatory mandates and requirements:
  • GPG: Business Traffic Crossing a Boundary (PMC Rule 2)
  • COCO: 2. Authentication and Access Control
  • CCPA and CPRA: Section 1798.150.(a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • QCF: 6.8.1 Data in motion; 7.2 Change and Patch Management Service
  • TISAX: 4.2.1
  • SAMA: 3.3.7 Change Management
  • UAE-NESA: T3.2.3
  • LGPD: Art 14

IIS Web Server Attack Reports
  Reports and alerts:
  • IIS Admin Resource Access
  • IIS SQL Injection
  • IIS Cross Site Scripting
  • IIS Possible Malicious URL Request
  • IIS Possible Malicious File Execution
  • IIS cmd.exe and root.exe Execution
  • IIS xp_command_shell Command Execution
  • IIS Denied Directory Listing
  • IIS Directory Traversal
  • IIS Spam Mail Header
  • IIS Dos Attacks
  Detection rules: -
  Regulatory mandates and requirements:
  • CCPA and CPRA: Section 1798.150.(a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • QCF: 4.2 Application Security Service; 4.6.2 Threat Modelling; 6.8.1 Data in motion; 7.2 Change and Patch Management Service; 8.2.2 Vulnerability Management and Penetration Testing
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.1.2 Cyber Security Risk Analysis; 3.2.1.3 Cyber Security Risk Response; 3.3.6 Application Security; 3.3.7 Change Management
  • CJDN: Application Development
  • UAE-NESA: T3.2.3
  • LGPD: Art 14

IIS Admin Configuration Reports
  Reports and alerts:
  • IIS Authentication Changes
  • IIS DefaultDocument Changes
  • IIS ErrorPage Changes
  • IIS Logging Changes
  • IIS Modules Changes
  • IIS RequestFiltering Changes
  • IIS SSL Changes
  • IIS AllConfiguration Changes
  Detection rules: -
  Regulatory mandates and requirements:
  • CMMC: C013 - CM.2.061
  • TISAX: 5.2.4
  • CJDN: Application Development