This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.
I have come across a few instances where a Root Cause Analysis (RCA) was requested for issues with a web application that were caused by factors such as:
- Changes to the permissions of the application root folder.
- The web site being deleted.
- The SSL certificate binding being modified.
Furthermore, there were times when using Process Monitor (Sysinternals | Microsoft Learn) was not possible because the problem was intermittent, such as when files were being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys at irregular intervals.
The steps below assisted me in enabling auditing to log the necessary events in each scenario. Please feel free to check the other parts of this series:
- Part 2 -
- Part 3 -
- Part 4 -
Scenario 1: SSL binding modified
To capture SSL certificate binding changes, we found three types of auditing help:
- Registry Auditing – if the changes are made directly at the registry level
- Process Auditing (enabled by default) – if the changes are made using netsh
- IIS Configuration Auditing – if the changes are made using IIS Manager
1. Registry Auditing
- Open regedit and navigate to the registry key HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters (the SSL bindings HTTP.sys uses live under this key, so auditing it with inheritance to subkeys covers binding changes).
- Right-click the key and select Permissions.
- Click Advanced.
- Go to the Auditing tab.
- Click Add.
- Click Select a principal, add Everyone, then click Show advanced permissions and select the permissions shown in the image below.
- Open the Local Security Policy editor (Run >> secpol.msc).
- Go to Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry and configure it for Success and Failure.
- Once a change is made to the audited registry key, an event like the one below appears in the Security event log. Note that the event reports the key as \REGISTRY\MACHINE\SYSTEM\ControlSet00x\... rather than CurrentControlSet, so filter on the HTTP\Parameters part of the path:
- Reference - 4657(S) A registry value was modified. (Windows 10) | Microsoft Learn
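The registry-auditing steps above, scripted in PowerShell as an added example (this is not code from the original post). It adds the audit entry (SACL) to the HTTP.sys Parameters key, enables the Object Access > Registry subcategory, and then reads back the resulting 4657 events for that key. The audited rights (Set Value, Create Subkey, Delete) are an assumption here, because the screenshot from the post is not reproduced; run it from an elevated prompt, since changing a SACL needs the Manage auditing and security log privilege.

```powershell
# Added example, not from the original post. Run elevated.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Audit rule: Everyone, write-type operations, success and failure, inherited by subkeys
# (SslBindingInfo and friends). The chosen rights are an assumption (see lead-in).
$rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
                   -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

# -Audit is required so Get-Acl returns the SACL and Set-Acl writes it back.
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Same effect as the secpol.msc step: Object Access > Audit Registry, success and failure.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Read the 4657 events for this key. Field names follow the 4657 event schema; ObjectName
# contains ControlSet00x rather than CurrentControlSet, so match on the tail of the path.
function Get-HttpParametersRegistryChanges {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like '*\Services\HTTP\Parameters*') {
          [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process   = $d.ProcessName
            Key       = $d.ObjectName
            ValueName = $d.ObjectValueName
            Operation = $d.OperationType
            OldValue  = $d.OldValue
            NewValue  = $d.NewValue
          }
        }
      }
}

Get-HttpParametersRegistryChanges | Format-Table -AutoSize
```

The ProcessName field is what ties a registry-level binding change back to the tool that made it (regedit.exe, netsh.exe, a PowerShell host, or something unexpected), which is usually the answer the RCA is after.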
2. Process Auditing
- If the SSL certificate binding is modified with a netsh command, we can review the process creation events (event ID 4688, enabled by default; confirm with auditpol /get /subcategory:"Process Creation"). Note that 4688 only records the command line (and therefore the sslcert arguments) when the "Include command line in process creation events" policy is enabled; otherwise it shows that netsh.exe ran, but not what it did:
3. IIS Configuration Auditing
- If the changes are made from IIS Manager, we can refer to IIS Configuration Auditing:
- To enable IIS configuration logging, please refer to IIS 7.5 – How to enable IIS Configuration Auditing? - Microsoft Community Hub.
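The process-auditing and IIS-configuration-auditing steps above, as an added PowerShell example (not code from the original post). It enables Process Creation auditing together with command-line logging, defines a function that filters 4688 events for netsh invocations touching sslcert, and enables the IIS configuration log. The log name Microsoft-IIS-Configuration/Operational is the name under which the IIS Configuration Auditing log appears in Event Viewer (Applications and Services Logs > Microsoft > Windows > IIS-Configuration); the regular expression used to spot sslcert commands is my own. Run elevated.

```powershell
# Added example, not from the original post. Run elevated.

# 1. Process Creation auditing, with the command line included in 4688. Without the
#    ProcessCreationIncludeCmdLine_Enabled policy the event has no CommandLine field.
auditpol /set /subcategory:"Process Creation" /success:enable
$auditPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditPolicyKey -Force | Out-Null
Set-ItemProperty -Path $auditPolicyKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. Find netsh runs that added, updated or deleted an SSL binding
#    (e.g. "netsh http add sslcert ipport=0.0.0.0:443 certhash=... appid={...}").
function Get-NetshSslCertEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Pattern is an assumption: any "netsh http <verb> sslcert ..." command line.
        if ($d.NewProcessName -like '*\netsh.exe' -and
            $d.CommandLine -match '(?i)\bhttp\b.*\bsslcert\b') {
          [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Parent      = $d.ParentProcessName   # empty on older OS versions that lack the field
            CommandLine = $d.CommandLine
          }
        }
      }
}

Get-NetshSslCertEvents | Format-Table -AutoSize -Wrap

# 3. IIS Configuration Auditing: the log is disabled out of the box; enabling it records
#    applicationHost.config changes made through IIS Manager, appcmd or the configuration API,
#    including the account that made them.
wevtutil sl Microsoft-IIS-Configuration/Operational /e:true
Get-WinEvent -LogName 'Microsoft-IIS-Configuration/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
  Format-List TimeCreated, Id, Message
```

An empty CommandLine column on every 4688 event is the usual sign that the command-line policy was not in effect when the change happened; the ParentProcessName and SubjectUserName fields still narrow down who launched netsh and from where.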
Happy Troubleshooting!
