Metabase Auditing (IIS 6.0)
Beginning with the Windows Server 2003 Service Pack 1 (SP1) release, IIS 6.0 includes a metabase auditing feature that allows tracking of each change that is made to the metabase. Metabase auditing is enabled by enabling an audit access control entry (ACE) on a node in the metabase. After ACE is enabled, whenever a metabase change takes place on that node, an audit event is published in the NT Security event log.
The following information is recorded in the NT Security event log:
Without metabase auditing, you cannot determine who made changes to the metabase and when those changes were made. IIS 6.0 does feature a metabase history, with up to 10 (configurable) Metabase.xml files stored in the Inetsrv\History folder. However, history files do not reveal what changed, who made the change, and when the change was made.
The auditing requirements for changes to metabase properties differ from changes to metabase keys. For a change to a key, it is necessary to log only the key data, because changes to a key affect everything beneath it (child operations are not audited). Changing a property requires more information, including both the key and the property name.
The following list specifies the audit event content for operations on both metabase keys and metabase properties:
To avoid disclosing sensitive information, such as passwords, values of secure properties will not appear in audit event log entries.
Enabling and Disabling Metabase Auditing
Metabase auditing is enabled when the following conditions are met:
Metabase auditing is disabled when the following conditions are met: