1. Enable Web Site Logging

Internet Information Services (IIS) logging provides more detailed information than the event logging or performance monitoring features of Windows Server 2003. The IIS logs record which users visited the site, what they viewed, and when they last viewed the information. You can monitor attempts by others to access your websites, virtual folders, or files, whether or not the attempt succeeded. This includes events such as reading and writing files. Events for any site, virtual folder, or file can be logged separately. By periodically reviewing these log files, you can detect which aspects of your server or site are vulnerable or carry other security risks.

To enable Web site logging, follow these steps:

- Start Internet Information Services Manager. To do so, click “Start”, point to “Administrative Tools”, and then click “Internet Information Services”.
- Double-click “server_name”, where server_name is the name of the server.
- Expand the “website” folder.
- Right-click the site for which you want to enable logging and click “Properties”.
- On the “Sites” tab, select “Enable Logging”.
  Note: For requests to be logged, logging must be enabled on the “Website” tab and “record access” must be enabled on the “Home Directory” tab at the same time.
- Select a format in the “activity log format” list.
- Click “Properties”, click the “Advanced” tab, and select the items you want to monitor in the log.
  Note: If you selected “ODBC Logging”, click “Properties” and provide the ODBC Data Source Name (DSN), table, username, and password, then click “OK”.
- On the ” tab, choose how you want to schedule logging or change the “log files” folder. For more information, see the “Save Configuration Options for IIS Log Files” section of this article.
- Click “OK”.

To enable or disable logging for a specific folder, follow these steps:

- Start Internet Information Services Manager.
To do so, click “Start”, point to “Administrative Tools”, and then click “Internet Information Services”.
- Double-click “server_name”, where server_name is the name of the server.
- Expand the “website” folder.
- Right-click the site or the folder you want to configure, and then click “Properties”.
- On the “Directory” tab, click “Record Access”.
  Note: To disable logging, click “Record Access”.
- Click “OK”.

2. Save configuration options for IIS log files

To set options for saving log files, follow these steps:

- Open Internet Information Services Manager. To do so, click “Start”, point to “Administrative Tools”, and then click “Internet Information Services”.
- Expand your server node.
- Expand the “website” folder.
- Right-click the site and click “Properties”.
- On the “Website” tab, click “Properties”.
- On the “General Properties” tab, select the option to use when starting a new log file. The options are as follows:
  - “Hourly”: Create a log file every hour, starting with the first item that occurs in each hour. This option is typically used for high-volume websites.
  - “Daily”: Create a log file every day, starting with the first item that occurs after midnight.
  - “Weekly”: Create a log file once a week, starting with the first item that occurs after midnight on Saturday.
  - “Monthly”: Create a log file once a month, starting with the first item that occurs after midnight on the last day of the month.
    Note: For all log file formats except the “World Wide Web Consortium (W3C) Extended Log File Format”, “Midnight” refers to midnight local time. For the W3C format, “Midnight” defaults to midnight Greenwich Mean Time (GMT), but you can change it to midnight local time. To open a new log using the W3C Extended Log File Format and use local time, select “File Naming and Create Use Local Time”. The new log then starts at midnight local time, but the times recorded in the log file are still in GMT.
  - “Do not limit file size”: Data is always appended to the same log file.
You can access this log file only after you stop the site.
  - “When the file size reaches”: When the current log file reaches a certain size, create a new log file. You must specify the size you want.
- Under “Log File Directory”, type the destination folder where you want to save the log file.
  Note: Local folders must be listed using the full path. When you specify a folder for log files, you cannot use mapped drives or UNC paths (such as \\server1\share1\), nor can you use periods or backslash characters.
- Click “Apply”, then click “OK”.

3. Use Notepad to review IIS logging

- To open Notepad, click “Start”, point to “All Programs”, click “Accessories”, and then click “Notepad”.
- On the “File” menu, click “Open” and type the location where the log files are saved.
- Check the logs for suspicious security events, including:
  - Multiple failed commands attempting to run an executable or script. (In this case, closely monitor the “scripts” folder.)
  - Too many failed login attempts from one IP address, which may be an attempt to increase network traffic or deny access to other users.
  - A failed attempt to access and modify a .bat or .cmd file.
  - An unauthorized attempt to upload a file to a folder containing executable files.

Properly securing a web server reduces or blocks a variety of malicious and unexpected security threats. On production servers, remove the Active Server Pages (ASP) registration pages that allow users to browse files containing information about how to create a certificate. If you do not want to delete an ASP page, you can restrict the viewing permissions of the file. These pages are usually located in the root of the website.
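
The four checks listed in section 3 can be scripted rather than read by eye in Notepad. The following is an added example, not part of the original article: it parses a W3C Extended format log using its `#Fields` header and flags each event type. The sample log is constructed, and the `/scripts/` folder list and the threshold of 3 are assumptions.

```python
from collections import Counter

# Constructed sample log (W3C Extended format; times are GMT). Not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-01 10:00:01 192.0.2.10 GET /default.htm 200
2004-03-01 10:00:05 198.51.100.7 GET /scripts/run.exe 404
2004-03-01 10:00:06 198.51.100.7 GET /scripts/test.pl 403
2004-03-01 10:00:07 198.51.100.7 POST /scripts/setup.cmd 404
2004-03-01 10:01:00 203.0.113.5 GET /members/ 401
2004-03-01 10:01:01 203.0.113.5 GET /members/ 401
2004-03-01 10:01:02 203.0.113.5 GET /members/ 401
2004-03-01 10:02:00 203.0.113.9 PUT /scripts/up.exe 403
"""

EXEC_DIRS = ("/scripts/",)   # assumption: folders that hold executables
THRESHOLD = 3                # assumption: per-IP failure count worth reviewing

def parse_w3c(text):
    """Yield one dict per request, using the column order from #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def review(records):
    """Return findings for the four event types listed in section 3."""
    exec_fail, login_fail, batch, uploads = Counter(), Counter(), [], []
    for r in records:
        ip, uri = r["c-ip"], r["cs-uri-stem"].lower()
        status, in_exec = int(r["sc-status"]), uri.startswith(EXEC_DIRS)
        if r["cs-method"] == "PUT" and in_exec:
            uploads.append((ip, uri))     # upload attempt, whatever the status
        if status < 400:
            continue                      # remaining checks cover failures only
        if status == 401:
            login_fail[ip] += 1           # failed authentication
        if in_exec and r["cs-method"] != "PUT":
            exec_fail[ip] += 1            # failed run of an executable or script
        if uri.endswith((".bat", ".cmd")):
            batch.append((ip, uri))       # failed access to a .bat or .cmd file
    over = lambda c: sorted(ip for ip, n in c.items() if n >= THRESHOLD)
    return {"failed_exec": over(exec_fail), "failed_logins": over(login_fail),
            "bat_cmd": batch, "uploads": uploads}

FINDINGS = review(parse_w3c(SAMPLE_LOG))
```

With integrated Windows authentication, a single 401 normally precedes a successful request, so the per-IP threshold should sit well above one before a source is treated as suspicious.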