service got disabled

imported_JFG

Senior member
Feb 16, 2005
207
0
0
IIS was disabled on my exchange server. I'm 99.9% it's not virus related. We run a cluster, so I didn't notice for a week or so becuase the quorum remained on the same node while all the exchange services flopped over to the 2nd node. Basically I'm just wondering what circumstances would cause a service to become disabled??
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
The IISAdmin service was disabled? Obviously not a good thing on an Exchange server...

In answer to your question. There are a lot of ways the service could get changed. The APIs are exposed and service state can be altered by anyone with privilages over that machine from either remotly or locally.

Just to venture a guess I would say that someone with admin privilages ran an installer or application of some sort that disabled the service. Due to the server's role I'd say you're probably right that it wouldnt have been a virus or malware.

If you are running auditing on those services you should be able to review the event log to find out who's account made the change (but that's a big if).

Good Luck
 

imported_JFG

Senior member
Feb 16, 2005
207
0
0
Only 3 of us have access & they've assured me that thed didn't "purposly" do anything. I know our security guy ran MSBA scan a week o so. I wonder if this could be the culprit?
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
Originally posted by: JFG
Only 3 of us have access & they've assured me that thed didn't "purposly" do anything. I know our security guy ran MSBA scan a week o so. I wonder if this could be the culprit?

MBSA would have advised to disable that service if it was not being used, but it would not have done it itself.