Metabase Auditing (IIS 6.0)

Beginning with the Windows Server 2003 Service Pack 1 (SP1) release, IIS 6.0 includes a metabase auditing feature that allows tracking of each change that is made to the metabase. Metabase auditing is enabled by enabling an audit access control entry (ACE) on a node in the metabase. After ACE is enabled, whenever a metabase change takes place on that node, an audit event is published in the NT Security event log.

The following information is recorded in the NT Security event log:

What was changed (metabase node, property, and old and new values).

When the change was made (date and time).

Who made the change (domain and user name).

Success or failure of the change attempt (HRESULT).

When a change is made remotely (client IP number).

Without metabase auditing, you cannot determine who made changes to the metabase and when those changes were made. IIS 6.0 does feature a metabase history, with up to 10 (configurable) Metabase.xml files stored in the Inetsrv\History folder. However, history files do not reveal what changed, who made the change, and when the change was made.

The auditing requirements for changes to metabase properties differ from changes to metabase keys. For a change to a key, it is necessary to log only the key data, because changes to a key affect everything beneath it (child operations are not audited). Changing a property requires more information, including both the key and the property name.

The following list specifies the audit event content for operations on both metabase keys and metabase properties:

Delete key: name of node being deleted

Delete property: name of key and name of property being deleted

Move key: old node location and new node location

Copy key: source node location and new node location

Add key: name of node being added

Add property: name of key, name of property, and value of property

Rename key: names of old node and new node

Change property: name of key, name of property, old and new values of property

  Note

To avoid disclosing sensitive information, such as passwords, values of secure properties will not appear in audit event log entries.

Enabling and Disabling Metabase Auditing

Metabase auditing is enabled when the following conditions are met:

In the Windows Group Policy Editor (gpedit.msc), audit-object access is enabled and auditing is turned on for both successes and failures.

ACEs are enabled on the metabase nodes that you want to audit.

Metabase auditing is disabled when the following conditions are met:

In the Windows Group Policy Editor (gpedit.msc), audit-object access is disabled.

ACEs are disabled on the metabase nodes that you no longer want to audit.



© 2014 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy & Cookies
Microsoft