In the IIS logs, our client has found a bunch of 403.7 64 's being
logged. Most of them are to /VirtualDirectoryName, for example:
2008-10-30
06:41:00 W3SVC3 xxx.xxx.xxx.xxx GET /VirtualDirectoryName - 443 -
xxx.xxx.xxx.xxx
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506
.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 403 7 64
These happen quite often, sometimes 4 or so requests in a row.
Directory
browsing is disabled on the sites, and the default page is set to
default.htm which exists, so theoretically, there should be no requests
for the path.
I have enabled schannel logging, but couldnt find one
matching the timestamp in IIS. For example, in IIS we have one for
2008-10-30 11:49:50, and in event viewer we have one for 11:49:52 and
one for 11:49:45. I also couldnt find a patter that makes it look like
the one is trailing the other by a couple of seconds.
All the IIS requests are on port 443, none are on 80.
Schannel logs information events, but no warnings.
The client confirmed that the system logs and IIS logs were from the same server.
They run Windows 2003 x64 R2 on a NLB cluster. The machines in the testing environment is a single machine only.
I
am able to intermittently reproduce it on my own environment (XP 64).
One out of 20 times doing the exact same actions will give me the error
in the logs. The error does not affect the user at all.
Testers
currently test on Windows XP 32, with IE6, IE7 and Firefox, using
software certs, or in some cases USB tokens. I replicated using a
software cert.
Now this does not sound like something I should
be spending my time on, but the client is being audited, and this has
been raised as a concern by the auditing company.