Auditing the Metabase

Applies To: Windows Server 2003 R2, Windows Server 2003 with SP1

Beginning with SP1, IIS 6.0 includes metabase auditing, which tracks every change made to the metabase. Each change is recorded in the Security event log under the IIS-metabase event source, with the following information:

  • What was changed (metabase node, property, and old and new values).

  • When the change was made (date and time).

  • Who made the change (domain and user name).

  • Success or failure of the change attempt (HRESULT).

Metabase auditing is disabled by default. Enabling metabase auditing requires these tasks:

  • Globally enable object auditing in Windows Server 2003.

  • Enable metabase auditing for IIS 6.0 SP1.

Procedures

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

To globally enable object auditing in Windows Server 2003

  1. From the Start menu, click Run.

  2. In the Open box, type gpedit.msc, and then click OK.

  3. In the Group Policy Editor, expand Local Computer Policy, and then click Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy.

  4. Double-click Audit object access.

  5. Select both the Success and Failure check boxes.

  6. Click OK.

To globally disable object auditing, repeat steps 1 through 4, and then clear the Success and Failure check boxes.

To enable or disable metabase auditing

  1. From the Start menu, open the command-line window.

  2. Run the iiscnfg.vbs script with one of the following commands, replacing path with the metabase path to audit:

    iiscnfg /enableAudit path

    iiscnfg /disableAudit path

    For example, to enable metabase auditing on the Web virtual directory “MyVdir”, type:

    %systemroot%\system32\iiscnfg.vbs /enableAudit W3SVC/1/ROOT/MyVdir

    To enable metabase auditing on the entire metabase (the /r switch applies the setting recursively), type:

    %systemroot%\system32\iiscnfg.vbs /enableAudit / /r

  3. Press Enter.
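The two enabling tasks above can be scripted so that the setting is applied the same way on every server. The batch file below is an added example, not part of the original documentation: it applies the Audit object access policy (Success and Failure) through a security template with secedit instead of gpedit.msc, and then runs iiscnfg.vbs against the metabase path in AUDIT_PATH. The temporary file names and the AUDIT_PATH value are constructed; the script assumes Windows Server 2003 SP1 with IIS 6.0 installed and an administrator command prompt.

```batch
@echo off
rem Added example (not from the original page): scripts both enabling tasks.
rem Assumes Windows Server 2003 SP1 with IIS 6.0; the INF/SDB file names
rem under %TEMP% and the AUDIT_PATH value are constructed for this example.
setlocal

rem --- Task 1: globally enable object-access auditing ---
rem Same effect as Audit Policy > Audit object access in gpedit.msc.
rem In a security template, AuditObjectAccess = 3 means Success and Failure
rem (1 = Success only, 2 = Failure only, 0 = no auditing).
set INF=%TEMP%\objaudit.inf
>  "%INF%" echo [Version]
>> "%INF%" echo signature="$CHICAGO$"
>> "%INF%" echo Revision=1
>> "%INF%" echo [Event Audit]
>> "%INF%" echo AuditObjectAccess = 3
secedit /configure /db "%TEMP%\objaudit.sdb" /cfg "%INF%" /areas SECURITYPOLICY /quiet
if errorlevel 1 (
    echo Failed to apply the audit policy; see %windir%\security\logs\scesrv.log
    exit /b 1
)

rem --- Task 2: enable metabase auditing on the chosen metabase path ---
rem "/" with /r covers the entire metabase; a narrower path such as
rem W3SVC/1/ROOT/MyVdir limits auditing to one virtual directory.
set AUDIT_PATH=/
cscript //nologo %windir%\system32\iiscnfg.vbs /enableAudit %AUDIT_PATH% /r
if errorlevel 1 (
    echo iiscnfg.vbs could not enable auditing on %AUDIT_PATH%
    exit /b 1
)

echo Metabase auditing enabled on %AUDIT_PATH%. Changes now appear in the
echo Security log under the IIS-metabase event source.
endlocal
```

Replacing `/enableAudit` with `/disableAudit` in the iiscnfg line turns auditing off again for the same path; the object-access policy set by the first task is left in place, because other auditing on the server (files, registry keys) depends on it too.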

To verify that metabase auditing is working

  1. Change a metabase setting.

  2. In the NT Security event log, verify that the change to the metabase is recorded under the event-source name “IIS-metabase.”
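The verification procedure above, as an added example that is not part of the original documentation. The batch file makes one harmless metabase change with adsutil.vbs (it overwrites the site description of Web site 1, so the value “Audit test” is constructed and can be changed back afterwards) and then queries the Security log through WMI for every entry written by the IIS-metabase source. It assumes metabase auditing is already enabled on W3SVC/1 or above, and that adsutil.vbs sits in its default Inetpub\AdminScripts location.

```batch
@echo off
rem Added example (not from the original page): scripts the verification steps.
rem Assumes Windows Server 2003 SP1, IIS 6.0, metabase auditing already enabled
rem on W3SVC/1 (or a parent node), and adsutil.vbs in its default location.
rem The ServerComment value written below is constructed for this example.
setlocal

rem 1. Change a metabase setting. ServerComment is the site's display name,
rem    so this is visible in IIS Manager but does not affect request handling.
cscript //nologo "%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs" set W3SVC/1/ServerComment "Audit test"
if errorlevel 1 (
    echo The metabase change failed, so there is nothing to verify.
    exit /b 1
)

rem 2. List Security-log entries from the IIS-metabase source.
rem    Win32_NTLogEvent (wmic alias: ntevent) exposes the log name, source,
rem    time, event id, audit type (Audit Success / Audit Failure), user, and
rem    the message text that carries the node, property, and old/new values.
wmic ntevent where "LogFile='Security' and SourceName='IIS-metabase'" get TimeGenerated,EventCode,Type,User,Message /format:list

endlocal
```

If the query returns no rows, check the two prerequisites in order: the Audit object access policy must be enabled for Success and Failure (otherwise no object-access events are written at all), and the metabase path that was changed must lie at or below the path passed to iiscnfg /enableAudit.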

For more information about metabase auditing, see Metabase Auditing.

For more information about event messages produced by metabase auditing, see Metabase Auditing Event Messages.