
Enabling Metabase Auditing in IIS 6.0 (Windows 2003 with Service Pack 1)
Windows 2003 Server with Service Pack One (SP1) includes a new feature called "Metabase Auditing". This feature, when enabled, allows server administrators to log changes to the IIS metabase. Information logged includes the date and time of the change, which user account made the change, and the old and new values of the metabase key in question.

When researching this topic for the Windows 2003 SP1 talk I had to deliver at the Microsoft Australia 2005 Security Summit Roadshow, I found very little documentation on this feature. So I've decided to write a small FAQ addressing how to enable Metabase Auditing on your server.

Enabling Metabase Auditing requires two separate steps. First, Object Access Auditing needs to be enabled in the local security policy. This can be achieved either via a Domain Group Policy, or by editing the local security policy directly.

To edit the local security policy, click the Start button, choose Run and enter "secpol.msc". This should bring up the Local Security Policy editor. Expand the "Local Policies" node and select "Audit Policy" (see diagram).

[Diagram: Selecting Audit Policy]

Double-click on "Audit Object Access" and select whether you wish to audit successes, failures or both (if you want to see what changes were actually made, you will need to audit successes). See diagram.

[Diagram: Enabling Object Access Auditing]

Close the Local Security Policy editor. Refresh the local policy by clicking the Start button, choosing Run and entering "gpupdate".

Now we need to select which sections of the metabase we wish to audit. Open a command window (Start -> Run -> Cmd), and navigate to %systemroot%\system32 (by default c:\windows\system32). We are going to use the iiscnfg.vbs script with its enableAudit flag to enable auditing.

The basic syntax to enable auditing is: iiscnfg.vbs /enableAudit <metabase path> [/r]. To enable auditing on the entire metabase we would use the command:

   cscript.exe iiscnfg.vbs  /enableAudit  /  /r

where / represents the root of the metabase, and /r enables auditing recursively on all nodes and keys underneath the root. For a full list of options supported use: iiscnfg.vbs /enableAudit /?

Now that we have enabled auditing, we can make a change to our IIS configuration, and view the resulting audit log. Open IIS Manager, and change a property for your web server. For this FAQ I changed the Home Directory setting of the Default Web Site from c:\inetpub\wwwroot to c:\. The event was logged (see diagram).

[Diagram: View Event]
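
The following added example, which is not part of the original FAQ, triages audited changes such as the Home Directory change above: it flags a Path change whose new value is a drive root or a parent of the old directory. The CSV column layout and the sample rows are constructed for illustration and are not the actual Security log event format.

```python
import csv
import io
import ntpath  # Windows path rules, usable on any OS

# Constructed sample export. Column names are an assumption of this example.
SAMPLE_EXPORT = r"""time,user,key,property,old_value,new_value
2005-06-01 10:15:02,EXAMPLE\alice,/LM/W3SVC/1/ROOT,Path,c:\inetpub\wwwroot,c:\
2005-06-01 10:20:41,EXAMPLE\bob,/LM/W3SVC/1/ROOT,Path,c:\inetpub\wwwroot,d:\sites\intranet
2005-06-01 10:31:09,EXAMPLE\alice,/LM/W3SVC/1,ServerComment,Default Web Site,Intranet
"""

def norm(path):
    """Normalise case, slashes and trailing separators for comparison."""
    return ntpath.normcase(ntpath.normpath(path.strip()))

def is_drive_root(path):
    """True for values such as c:\\ or D:/ that expose a whole volume."""
    drive, tail = ntpath.splitdrive(norm(path))
    return bool(drive) and tail in ("\\", "")

def widens(old, new):
    """True if the new directory is an ancestor of the old one."""
    old_n, new_n = norm(old), norm(new)
    if old_n == new_n:
        return False
    try:
        return ntpath.commonpath([old_n, new_n]) == new_n
    except ValueError:  # different drives, or relative vs absolute
        return False

def triage(export_text):
    """Return (time, user, key, reasons) for each risky Path change."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["property"].lower() != "path":
            continue  # only home directory changes are checked here
        reasons = []
        if is_drive_root(row["new_value"]):
            reasons.append("new home directory is a drive root")
        if widens(row["old_value"], row["new_value"]):
            reasons.append("new home directory is a parent of the old one")
        if reasons:
            findings.append((row["time"], row["user"], row["key"], reasons))
    return findings

if __name__ == "__main__":
    for time, user, key, reasons in triage(SAMPLE_EXPORT):
        print(f"{time} {user} {key}: {'; '.join(reasons)}")
```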

And that's all there is to enabling IIS 6.0 Metabase Auditing! Comments on this FAQ are welcome.

PS: for a full list of Metabase auditing events, see this topic on the Microsoft TechNet website.

PPS: If you'd like to capture these events using MOM 2005, please see my FAQ on monitoring metabase changes with MOM 2005.
