Protect IIS log files by moving them to a secure location
Takeaway: Internet Information Services (IIS) continues to be a favorite target for hackers. Make their job harder by moving IIS' log files to a secure remote location. Mike Mullins tells you how in this edition of Security Solutions.
Microsoft's Internet Information Services (IIS) remains one of the most compelling targets for hackers and script kiddies. By default, these Web servers must allow public access to their resources. If I had to guess, I'd say these servers spend more of their time fending off attacks than actually serving up Web pages.
Unless your organization's Web site has been the victim of defacement or injection of some hostile code, a hacker's attempt to break into your Web server can often go unnoticed, thanks to the sheer volume of traffic that the server's likely to receive. But you can make things a little more difficult for hackers to hide their mischief—and easier for yourself to uncover their deeds. All it takes is adding a little security to your Web server's log files.
If a hacker attacks your Web server—or even if you just want to check its security status—Web logs are the first place you should go for information. By default, you can find these logs in %SYSTEMROOT%\System32\LogFiles.
However, this is a well-known location, so you should move the log files to a non-system drive that doesn't house your Web site. To change the location of your log files, log on to the Web server with an account that has administrative rights.
Follow these steps:
- Go to Start, right-click My Computer, and select Explore.
- Navigate to the drive and folder location where you want to relocate the IIS log files.
- Right-click inside the right-hand window pane, and select New | Folder.
- Enter a name for the folder (e.g., MyIISLogs), and press [Enter].
- Go to Start | Control Panel, double-click the Administrative Tools applet, and double-click Internet Information Services (IIS) Manager.
- Right-click the Web site, and select Properties.
- On the Web Site tab, select Properties in the Enable Logging frame.
- On the General Properties tab, click Browse, and then navigate to the folder you just created to store the IIS log files.
- Click OK three times.
Repeat these steps for each Web site. Don't forget that you'll need to manually move any previous files from the old log directory to the new one.
Now that your log files have a new home, you need to assign the directory the proper permissions. Follow these steps:
- Right-click the folder you just created, and select Properties.
- On the Security tab, deselect the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
- A warning box will appear that says you're preventing inheritable permissions from propagating; select Remove, and select Add.
- Add the System and Local Administrator accounts, and select OK.
- Click Administrators, and set to Full Control.
- Click System, set to Full Control, and click OK.
You've now tucked away your Web logs in a secure remote location.
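The two procedures above can also be scripted. The following is an added example, not part of the original column: it assumes IIS 7 or later with the WebAdministration PowerShell module, an elevated session, and a hypothetical target folder D:\MyIISLogs. It ends by checking that only Administrators and SYSTEM hold permissions on the folder.

```powershell
# Added example (not from the original column). Run in an elevated PowerShell session.
Import-Module WebAdministration

$LogRoot = 'D:\MyIISLogs'   # hypothetical folder on a non-system, non-content drive

# Create the new log folder.
New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null

# Remove inherited permissions, then grant Full Control to the built-in
# Administrators group (S-1-5-32-544) and SYSTEM (S-1-5-18) only.
icacls $LogRoot /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null

# Repoint every Web site at the new folder and move its previous log files.
foreach ($site in Get-Website) {
    $oldDir = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
    if ($oldDir -eq $LogRoot) { continue }   # already relocated

    Set-ItemProperty "IIS:\Sites\$($site.Name)" -Name logFile.directory -Value $LogRoot

    # IIS keeps each site's logs in a W3SVC<id> subfolder of the log directory.
    $oldSiteDir = Join-Path $oldDir  "W3SVC$($site.id)"
    $newSiteDir = Join-Path $LogRoot "W3SVC$($site.id)"
    if (Test-Path $oldSiteDir) {
        New-Item -ItemType Directory -Path $newSiteDir -Force | Out-Null
        # A log file that is still open cannot be moved; the error is reported
        # and the remaining files are still processed.
        Move-Item -Path (Join-Path $oldSiteDir '*.log') -Destination $newSiteDir -ErrorAction Continue
    }
}

# Verify the result: inheritance must be off and no other principal may hold an entry.
$allowedSids = 'S-1-5-32-544', 'S-1-5-18'
$acl = Get-Acl $LogRoot
$unexpected = $acl.Access | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sid -notin $allowedSids
}
if (-not $acl.AreAccessRulesProtected -or $unexpected) {
    Write-Warning "Permissions on $LogRoot are wider than Administrators and SYSTEM:"
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    Write-Output "$LogRoot is restricted to Administrators and SYSTEM."
}
```

If the folder already existed with explicit entries for other accounts, the icacls call leaves them in place and the final check reports them for manual removal.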
Final thoughts
Log files are the only way you'll ever reconstruct events that aspire to bring down your Web server. Move them, monitor them, and consider transferring them daily (or backing them up) to an off-Web location.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
