We have a Windows Server 2008 R2 Service Pack 1. We use Active Directory for authentication/authorization.
IIS is being used on this server to serve some internal apps (that are virtual applications under a root website). These apps require Windows Authentication. Authorization to these apps is set to specific AD security groups.
Recently we have noticed the authorization gets changed to "All Users" in addition to the specific security groups. This is obviously a security lapse.
To capture who might be doing this and when, we turned on the Microsoft-Windows-IIS-Configuration/Operational log using Event Viewer. To test this we made some changes to one of the IIS apps and about 16 events got logged in the event log.
We removed "All Users" from authorization, and waited to see if it changes. Sure enough few days later "All Users" have been added back to few (not all) apps. But unfortunately nothing got logged in that log.
Is there another way to capture these changes?