Identifying Web Site Logons in the Security Log

I run a Windows Server 2003 Web site that requires basic authentication over Secure Sockets Layer (SSL) for logon. In the Security log, can I distinguish logons to the Web site from other logons such as console logons or logons from the trusted internal network (e.g., Terminal Services logons, network connection logons)?

Enable the Audit logon events policy on your Web server, then look for occurrences of event ID 540 (Successful Network Logon) in which the logon process is Advapi and the logon type is 8. Figure 1 shows an example of such an event. Event ID 540 indicates that a client has connected to the computer from over the network to, for example, access a shared folder or log on to the server via Microsoft IIS. Advapi is the logon process IIS uses for handling Web logons. Logon type 8 indicates a network logon that uses a clear-text password, which is the case when someone uses basic authentication to log on to IIS. Of course, because the browser and server have already established an SSL session, the clear-text password isn't visible to eavesdroppers.

Because some other types of connections can generate an event ID 540 with logon type 8, you should ensure that IIS generated the event by checking the Caller Process ID field. This field's value will match the process identifier (PID) of the W3wp process—IIS's core process. You can find W3wp's PID by looking in Windows Task Manager on the Processes tab. You might need to use View, Select Columns to add the PID column to Task Manager. Event ID 540 also provides the IP address of the Web client in the Source Network Address field.

Note that it's normal for an event ID 576 (Special privileges assigned to new logon) to follow an event ID 540 and an event ID 552 (Logon attempt using explicit credentials) to precede it. If your server has good Windows default security settings, users who log on will quite likely have the SeChangeNotifyPrivilege (aka Bypass traverse checking) privilege, which isn't a security problem. And Windows logs event ID 552 whenever a process impersonates another account, such as IIS impersonating the Web user.