Enabling Metabase Auditing in IIS 6.0 (Windows 2003 with Service Pack 1)
Windows 2003 Server with Service Pack One (SP1) includes a new feature called
"Metabase Auditing". This feature, when enabled, allows server administrators
to log changes to the IIS metabase. Information logged includes the date and time of the
change, which user account made the change, and the old and new values of the metabase
key in question.
When researching this topic for the Windows 2003 SP1 talk I had to deliver at the
Microsoft Australia 2005 Security Summit Roadshow,
I found very little documentation on this feature. So I've decided to write a small FAQ addressing
how to enable Metabase Auditing on your server.
Enabling Metabase Auditing requires two separate steps. First, Object Access Auditing needs to
be enabled in the local security policy. This can be achieved either via a Domain Group Policy, or by
editing the local security policy directly.
To edit the local security policy, click the Start button, choose Run and enter "secpol.msc".
This should bring up the Local Security Policy editor. Expand the "Local Policies" node and
select "Audit Policy" (see diagram).
Double-click on "Audit Object Access" and select whether you wish to audit successes, failures
or both (if you want to see what changes were actually made, you will need to audit successes). See diagram.
Close the Local Security Policy editor. Refresh the local policy by clicking the Start button, choosing Run
and entering "gpupdate".
Now we need to select which sections of the metabase we wish to audit. Open a command window (Start ->
Run -> Cmd), and navigate to %systemroot%\system32 (by default c:\windows\system32). We are going to use
the iiscnfg.vbs script with its enableAudit flag to enable auditing.
The basic syntax to enable auditing is: iiscnfg.vbs /enableAudit <metabase path> [/r]. To
enable auditing on the entire metabase we would use the command:
cscript.exe iiscnfg.vbs /enableAudit / /r
where / represents the root of the metabase, and /r enables auditing recursively on all
nodes and keys underneath the root. For a full list of options supported use:
iiscnfg.vbs /enableAudit /?
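The two steps above can also be scripted, which helps when several servers need the same setting. The batch file below is an added example, not part of the original FAQ: it assumes an administrator command prompt, uses secedit with a constructed security template in place of the secpol.msc clicks, and the file names it creates in the TEMP directory are arbitrary.

```batch
@echo off
rem Added example: scripts both steps of this FAQ for one server.
rem Assumes an administrator command prompt. File names are arbitrary.
setlocal
set "TEMPLATE=%TEMP%\metabase-audit.inf"
set "SECDB=%TEMP%\metabase-audit.sdb"
set "EFFECTIVE=%TEMP%\effective-policy.inf"
rem Metabase path to audit; / is the root, as in the FAQ.
set "MBPATH=/"

rem Step 1: build a security template that sets "Audit object access".
rem AuditObjectAccess: 1 = success, 2 = failure, 3 = both.
rem Success auditing is needed to see the changes that were actually made.
> "%TEMPLATE%" echo [Unicode]
>> "%TEMPLATE%" echo Unicode=yes
>> "%TEMPLATE%" echo [Version]
>> "%TEMPLATE%" echo signature="$CHICAGO$"
>> "%TEMPLATE%" echo Revision=1
>> "%TEMPLATE%" echo [Event Audit]
>> "%TEMPLATE%" echo AuditObjectAccess = 3

secedit /configure /db "%SECDB%" /cfg "%TEMPLATE%" /areas SECURITYPOLICY /quiet
if errorlevel 1 (
    echo secedit failed, audit policy was not changed.
    exit /b 1
)

rem Refresh policy. A domain Group Policy that defines this setting
rem overrides the local value, so print what is in effect afterwards.
gpupdate
secedit /export /cfg "%EFFECTIVE%" /areas SECURITYPOLICY /quiet
type "%EFFECTIVE%" | find "AuditObjectAccess"

rem Step 2: enable auditing on the metabase path and everything below it.
cscript.exe //nologo "%SystemRoot%\system32\iiscnfg.vbs" /enableAudit %MBPATH% /r

echo Done. Check the iiscnfg.vbs output above for errors.
endlocal
```

If the exported value is not the one written to the template, a domain policy is setting Audit Object Access and the change has to be made there instead.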
Now that we have enabled auditing, we can make a change to our IIS configuration, and view the
resulting audit log. Open IIS Manager, and change a property for your webserver. For this FAQ I
changed the Home Directory setting of the Default Web Site from c:\inetpub\wwwroot to c:\.
The event was logged (see diagram).
And that's all there is to enabling IIS 6.0 Metabase Auditing!
Comments on this FAQ are welcome.
PS: for a full list of Metabase auditing events, see this
topic on the Microsoft TechNet website.
PPS: If you'd like to capture these events using MOM 2005, please see my FAQ on monitoring metabase changes with MOM 2005.