Vous êtes sur la page 1sur 1

Quick Reference Guide

IIS Configuration Auditing Guide
How to audit configuration changes on IIS version 7.5 and above

What is IIS Configuration Auditing What Information is
 IIS configuration auditing is a feature that would allow you to track
changes made to IIS configuration store ( ApplicationHost.config ). It Available through
generates event messages in Operational event logs. Auditing Logs:
Enable IIS Configuration Auditing  Process ID (PID)

 Open Event Viewer eventvwr.msc > Expand Application and Service  Security ID of Account (SID)
Log > Microsoft > Windows > IIS-Configuration > Right click  Path to configuration
Operational > Choose Properties > Click Enable logging > Set
 Old value
Maximum log size to 299968KB > Select Overwrite events as needed >
OK  New value
 Repeat same steps for Application and Service Log > Microsoft >
Windows > IIS-Configuration > Administrative log Will it Affect Server’s
Review Configuration History Settings
No. IIS configuration auditing uses
 On IIS server run in command shell with administrative privileges: native Windows subsystem which is
 cd %windir%\system32\inetsrv capable of handling thousands of
 Appcmd list config /section:configHistory /config:* events per second without any
noticeable CPU overhead
 By default 10 configuration backups are kept. You can modify
 Appcmd set config /section:configHistory -maxHistories:15 Restore Configuration
from Backup
Review Auditing Events Commands:
 Check Operational and Administrative event logs through Event  Appcmd list backups
Viewer. Note: manual changes to the configuration store are not
audited. For example if someone modifies ApplicationHost.config shows list of stored backups
with Notepad it won’t be recorded to audit logs. Also if someone uses  Appcmd restore backup
Appcmd to modify IIS configuration you will see auditing entry, but restores configuration
PID won’t be a valid one.

For Detailed IIS and Windows Server Auditing
Try Netwrix Auditor - netwrix.com/go/trial-ws
 Change auditing: detection, reporting and alerting on all
configuration changes across your entire IT infrastructure with Who,
What, When, Where details and Before/After values.
 Predefined reports and dashboards with filtering, grouping,
sorting, export (PDF, XLS etc.), email subscriptions, drill-down, access
via web, granular permissions and ability to create custom reports.
 AuditArchive™: scalable two-tiered storage (file-based + SQL
database) holding consolidated audit data for 10 years or more. Try Windows Server
 Unified platform to audit the entire IT infrastructure, unlik e
other vendors with a set of hard-to-integrate standalone tools. Auditing For Free:

HQ: 8001 Irvine Center Drive, Phone: 1-949-407-5125 Int'l: 1-949-407-5125
Suite 820, Irvine, CA 92618 Toll-free: 888-638-9749 EMEA: 44 (0) 203-318-0261 netwrix.com/social