Metabase Auditing

Applies To: Windows Server 2003 with SP1

Beginning with the Windows Server 2003 Service Pack 1 (SP1) release, IIS 6.0 includes a metabase auditing feature that tracks each change made to the metabase. Metabase auditing is enabled by setting an audit access control entry (ACE) on a node in the metabase. After the ACE is enabled, whenever a metabase change takes place on that node, an audit event is written to the NT Security event log.

The following information is recorded in the NT Security event log:

  • What was changed (metabase node, property, and old and new values).

  • When the change was made (date and time).

  • Who made the change (domain and user name).

  • Success or failure of the change attempt (HRESULT).

  • Where a remote change came from (client IP address), when the change was made remotely.

Without metabase auditing, you cannot determine who made changes to the metabase or when those changes were made. IIS 6.0 does provide a metabase history, with up to 10 (configurable) Metabase.xml files stored in the Inetsrv\History folder. However, history files do not reveal what changed, who made the change, or when the change was made.

The auditing requirements for changes to metabase properties differ from those for changes to metabase keys. For a change to a key, it is necessary to log only the key data, because changes to a key affect everything beneath it (child operations are not audited separately). Changing a property requires more information, including both the key and the property name.

The following list specifies the audit event content for operations on both metabase keys and metabase properties:

  • Delete key: name of node being deleted

  • Delete property: name of key and name of property being deleted

  • Move key: old node location and new node location

  • Copy key: source node location and new node location

  • Add key: name of node being added

  • Add property: name of key, name of property, and value of property

  • Rename key: names of old node and new node

  • Change property: name of key, name of property, old and new values of property

Note

To avoid disclosing sensitive information, such as passwords, values of secure properties will not appear in audit event log entries.
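The audit content listed above is only useful if someone reviews it. The following is an added example, not code from this page or from IIS: it parses a handful of constructed audit records whose fields mirror the list above (date and time, operation, node, property, old and new values, domain\user, HRESULT, and client IP for remote changes) and pulls out the records a defender would look at first: failed attempts, remote changes, key operations that take child nodes with them, and changes to credential or ACL properties. The one-line record format, the sample values and the SENSITIVE_PROPERTIES watchlist are assumptions made for this example; real Security event log entries are structured differently, so the regular expression would need to be adapted to the actual event text.

```python
"""Added example (not Microsoft's or IIS's own code): triage constructed
metabase audit records.  The record layout, sample values and the
SENSITIVE_PROPERTIES watchlist are assumptions for this example; the real
NT Security event log entries have a different format."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Watchlist of property names whose changes deserve review (assumed for this
# example).  Per the page, values of secure properties never appear in the
# audit entry, so these records carry the property name but no old/new value.
SENSITIVE_PROPERTIES = {"AnonymousUserPass", "WAMUserPass", "AdminACL"}

HRESULT_OK = 0

# Constructed sample records in the assumed one-line format.
SAMPLE_RECORDS = """\
2005-04-12 09:14:03 ChangeProperty node=/LM/W3SVC/1 prop=ServerComment old=Default new=Finance user=CORP\\alice hr=0x00000000
2005-04-12 09:15:10 AddKey node=/LM/W3SVC/1/ROOT/cgi-bin user=CORP\\bob hr=0x00000000 client=10.0.0.7
2005-04-12 09:16:22 DeleteKey node=/LM/W3SVC/2 user=CORP\\mallory hr=0x80070005 client=192.0.2.44
2005-04-12 09:17:45 ChangeProperty node=/LM/W3SVC/1 prop=AnonymousUserPass user=CORP\\alice hr=0x00000000
"""

RECORD_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<op>\w+) node=(?P<node>\S+)"
    r"(?: prop=(?P<prop>\S+))?(?: old=(?P<old>\S+))?(?: new=(?P<new>\S+))?"
    r" user=(?P<user>\S+) hr=(?P<hr>0x[0-9A-Fa-f]{8})(?: client=(?P<client>\S+))?$"
)


@dataclass
class AuditRecord:
    when: str
    operation: str
    node: str
    user: str          # domain\user that made the change
    hresult: int       # success or failure of the attempt
    prop: Optional[str] = None
    old_value: Optional[str] = None
    new_value: Optional[str] = None
    client_ip: Optional[str] = None   # present only for remote changes

    @property
    def succeeded(self) -> bool:
        return self.hresult == HRESULT_OK

    @property
    def remote(self) -> bool:
        return self.client_ip is not None


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one record line; return None for lines that do not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return AuditRecord(
        when=m["when"], operation=m["op"], node=m["node"], user=m["user"],
        hresult=int(m["hr"], 16), prop=m["prop"], old_value=m["old"],
        new_value=m["new"], client_ip=m["client"],
    )


def review_flags(rec: AuditRecord) -> List[str]:
    """Reasons a reviewer would pull this record out of the stream."""
    flags: List[str] = []
    if not rec.succeeded:
        flags.append("failed")            # e.g. access denied on a delete
    if rec.remote:
        flags.append("remote")
    if rec.operation in ("DeleteKey", "MoveKey", "RenameKey"):
        flags.append("destructive")       # child nodes go with the key
    if rec.prop in SENSITIVE_PROPERTIES:
        flags.append("sensitive-property")
    return flags


def triage(text: str) -> Dict[str, object]:
    """Parse all records and summarise what needs a human look."""
    records = [r for r in (parse_record(l) for l in text.splitlines()) if r]
    flagged = []
    failed_by_user: Dict[str, int] = {}
    for rec in records:
        flags = review_flags(rec)
        if flags:
            flagged.append((rec.when, rec.operation, rec.node, rec.user, flags))
        if not rec.succeeded:
            failed_by_user[rec.user] = failed_by_user.get(rec.user, 0) + 1
    return {"parsed": len(records), "flagged": flagged,
            "failed_by_user": failed_by_user}


if __name__ == "__main__":
    for item in triage(SAMPLE_RECORDS)["flagged"]:
        print(item)
```

The routine ChangeProperty on ServerComment by a local user is parsed but not flagged; the remote failed DeleteKey is flagged three times over and also shows up in the per-user failure count, which is the kind of signal worth alerting on when several failures accumulate for one account.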

Enabling and Disabling Metabase Auditing

Metabase auditing is enabled when the following conditions are met:

  • In the Windows Group Policy Editor (gpedit.msc), the Audit object access policy is enabled and auditing is turned on for both successes and failures.

  • ACEs are enabled on the metabase nodes that you want to audit.

  • The command script iiscnfg.vbs was used to enable auditing.

Metabase auditing is disabled when the following conditions are met:

  • In the Windows Group Policy Editor (gpedit.msc), the Audit object access policy is disabled.

  • ACEs are disabled on the metabase nodes that you no longer want to audit.

  • The command script iiscnfg.vbs was used to disable auditing.

For information about metabase audit event log messages, see Metabase Auditing Event Messages.