service got disabled

[imported_JFG]

IIS was disabled on my exchange server. I'm 99.9% it's not virus related. We run a cluster, so I didn't notice for a week or so becuase the quorum remained on the same node while all the exchange services flopped over to the 2nd node. Basically I'm just wondering what circumstances would cause a service to become disabled??

 

[spyordie007]

The IISAdmin service was disabled? Obviously not a good thing on an Exchange server...

In answer to your question. There are a lot of ways the service could get changed. The APIs are exposed and service state can be altered by anyone with privilages over that machine from either remotly or locally.

Just to venture a guess I would say that someone with admin privilages ran an installer or application of some sort that disabled the service. Due to the server's role I'd say you're probably right that it wouldnt have been a virus or malware.

If you are running auditing on those services you should be able to review the event log to find out who's account made the change (but that's a big if).

Good Luck

 

[stash]

Somebody messing with group policy?

 

[imported_JFG]

Only 3 of us have access & they've assured me that thed didn't "purposly" do anything. I know our security guy ran MSBA scan a week o so. I wonder if this could be the culprit?

 

[Smilin]

Originally posted by: JFG
Only 3 of us have access & they've assured me that thed didn't "purposly" do anything. I know our security guy ran MSBA scan a week o so. I wonder if this could be the culprit?

MBSA would have advised to disable that service if it was not being used, but it would not have done it itself.