inetpub\wwwroot deleted somehow. OWA, ECP tanked.

Obsolesce

@DustinB3403 said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

@G-I-Jones File auditing would at least give you some insight as to what/who might have removed this directory, as for if this was malicious it seems like a small thing to attack if it was so easily recovered.

File auditing would give exact details of who did what and when. I've used this a lot for investigations on Windows servers.

G I Jones

@DustinB3403 @Obsolesce I have no experience with that. Is there a built-in feature or would you recommend a 3rd party?

Obsolesce

@G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

@DustinB3403 @Obsolesce I have no experience with that. Is there a built-in feature or would you recommend a 3rd party?

This is built in. It involves two basic steps:

1. Enable the File System auditing in the System Audit Policies in the Local Security Policy.
2. For the Folders you want to audit, enable auditing in the Advanced Security Settings window Auditing tab.

The auditing results are found in your security event log.

G I Jones

@Obsolesce Appreciated.

Obsolesce

Screenshots, quick example of where to go (not necessarily the settings, that will depend):

Obsolesce

@G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

@Obsolesce Appreciated.

One thing to note, if nothing else, is that enabling this has the potential to really grow your security event log. Make sure to configure that then as well to be handled appropriately, such as archiving, forwarding, etc.

G I Jones

@Obsolesce @Obsolesce Thanks, figured it out. Can't seem to see anything from before today though and this happened yesterday. This is probably because when I initially set up the Exchange Server, I mistakenly put the database on the C drive (65GB) and then had to move it to the E Drive (6TB), but still had the transport logs, and IIS stuff saving to C which must've maxed out recently. Fixed all that this morning but it looks like everything was overwritten already. Thanks for the help anyway.

DustinB3403

@G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

see anything from before today though

That's expected, the logs were never created (and thus don't exist).

G I Jones

@DustinB3403 Ah, you know that crossed my mind. Makes sense.

G I Jones

@DustinB3403 So since this appears to be in preparation for future issues, is the common practice to just audit every drive?

DustinB3403

@G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

@DustinB3403 So since this appears to be in preparation for future issues, is the common practice to just audit every drive?

Most people would send the logs to an aggregate and use that, rather than individual servers. But yes.

Obsolesce

@G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

@DustinB3403 So since this appears to be in preparation for future issues, is the common practice to just audit every drive?

It depends on what you want to audit, and how much you want in your logs.