Event ID 560 - IUSR Attempting to run MSPaint.exe

  • Thread starter Thread starter Tienna Kim
  • Start date Start date
T

Tienna Kim

Hello,

We recently noticed several failure audits on our web server where the IUSR
is attempting to run applications on the server such as MS Paint and
Shell32.dll.

The IIS logs don't have any entries around the times the failure audits are
being logged. Could the server be under attack? If so, how are they
getting access if it's not being logged in the IIS logs? The server is
pretty well patched up and behind a firewall. Any help would be
appreciated. Thanks.

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/27/2004
Time: 1:28:19 PM
User: DEP02\IUSR_DEP02
Computer: DEP02
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\WINNT\system32\MSPA
INT.EXE
New Handle ID: -
Operation ID: {0,173034924}
Process ID: 1440
Primary User Name: DEP02$
Primary Domain: COSVCS
Primary Logon ID: (0x0,0x3E7)
Client User Name: IUSR_DEP02
Client Domain: DEP02
Client Logon ID: (0x0,0x31622)
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Privileges -
 
I am not an IIS guru and there is a IIS security newsgroup with people a lot more
knowledgeable than me about that but I would suggest that you run the IIS Lockdown
tool on your IIS server if you have not done so, but ONLY after backing it up
including the System State and using IIS Management Console to back up your
configuration in case you lock down a little too hard. One of the things IIS Lockdown
tool does is to refuse the IUSR_machinename account access to places it should not
have within the operating system by giving it explicit deny permissions. See the link
below for more details. Good luck. --- Steve

http://www.microsoft.com/downloads/...C0-BB30-47EB-9A61-FD755D23CDEC&displaylang=en
http://www.microsoft.com/technet/security/prodtech/iis/default.mspx -- TechNet IIS
security center.
 
Thanks Steve.

We already ran the IIS lockdown tool last fall - so I guess it's working
after all. I was hoping to find some info about where the hole is that
allowed the attacker to even get this far. That might be asking for too
much though. I suppose we just always need to be on top of the security
patches and virus definitions and hope for the best. Thanks again.
 
OK. Like I said you might want to post in the
Microsoft.public.inetserver.iis.security newsgroup also. Bunch of helpful experts
over there that might have a better idea of what is going on or what to check. Good
luck. --- Steve
 
Back
Top