Quick Reference Guide

IIS Configuration Auditing Guide


How to audit configuration changes on IIS version 7.5 and above

What is IIS Configuration Auditing

IIS configuration auditing is a feature that lets you track changes made to the IIS configuration store (ApplicationHost.config). It generates event messages in Operational event logs.

What Information is Available through Auditing Logs:

Process ID (PID)
Security ID of Account (SID)
Path to configuration
Old value
New value

Will it Affect Server Performance?

No. IIS configuration auditing uses the native Windows subsystem, which is capable of handling thousands of events per second without any noticeable CPU overhead.

Enable IIS Configuration Auditing

Open Event Viewer (eventvwr.msc) > Expand Applications and Services Logs > Microsoft > Windows > IIS-Configuration > Right-click Operational > Choose Properties > Click Enable logging > Set Maximum log size to 299968KB > Select Overwrite events as needed > OK

Repeat the same steps for Applications and Services Logs > Microsoft > Windows > IIS-Configuration > Administrative log.

Review Configuration History Settings

On the IIS server, run in a command shell with administrative privileges:

    cd %windir%\system32\inetsrv
    Appcmd list config /section:configHistory /config:*

By default, 10 configuration backups are kept. You can modify the setting:

    Appcmd set config /section:configHistory -maxHistories:15

Restore Configuration from Backup

Commands:

    Appcmd list backups
        shows list of stored backups
    Appcmd restore backup
        restores configuration

Review Auditing Events

Check the Operational and Administrative event logs through Event Viewer. Note: manual changes to the configuration store are not audited. For example, if someone modifies ApplicationHost.config with Notepad, it won't be recorded in the audit logs. Also, if someone uses Appcmd to modify the IIS configuration, you will see an auditing entry, but the PID won't be a valid one.
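
The Event Viewer steps under "Enable IIS Configuration Auditing" and the review step, scripted for servers where clicking through the GUI is impractical. This is an added example, not part of the original guide; the two channel names are an assumption derived from the Event Viewer path the guide gives.

```powershell
# Added example: scripted form of the guide's Event Viewer steps. Run elevated.
# Assumption: these channel names correspond to the Event Viewer path
# Microsoft > Windows > IIS-Configuration > Operational / Administrative.
$channels = @(
    'Microsoft-IIS-Configuration/Operational',
    'Microsoft-IIS-Configuration/Administrative'
)
$maxBytes = 299968KB   # the guide's maximum log size, expressed in bytes

foreach ($name in $channels) {
    $cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration($name)
    try {
        $cfg.MaximumSizeInBytes = $maxBytes
        # Circular mode is the "Overwrite events as needed" option.
        $cfg.LogMode   = [System.Diagnostics.Eventing.Reader.EventLogMode]::Circular
        $cfg.IsEnabled = $true
        $cfg.SaveChanges()
        '{0}: enabled={1}, max={2} KB' -f $cfg.LogName, $cfg.IsEnabled,
            ($cfg.MaximumSizeInBytes / 1KB)
    }
    finally {
        $cfg.Dispose()
    }
}

# Review the most recent audit events from both logs. The XML view prints every
# data field the event carries, so no field names are assumed here.
Get-WinEvent -LogName $channels -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Log         = $_.LogName
            EventId     = $_.Id
            HeaderPid   = $_.ProcessId   # PID from the event header
            UserSid     = $_.UserId      # SID from the event header
            Xml         = $_.ToXml()
        }
    } | Format-List
```

Because direct edits to ApplicationHost.config produce no events in these logs, an empty result here does not prove the file is unchanged.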

For Detailed IIS and Windows Server Auditing

Try Netwrix Auditor - netwrix.com/go/trial-ws

Change auditing: detection, reporting and alerting on all configuration changes across your entire IT infrastructure with Who, What, When, Where details and Before/After values.

Predefined reports and dashboards with filtering, grouping, sorting, export (PDF, XLS etc.), email subscriptions, drill-down, access via web, granular permissions and ability to create custom reports.

AuditArchive: scalable two-tiered storage (file-based + SQL database) holding consolidated audit data for 10 years or more.

Unified platform to audit the entire IT infrastructure, unlike other vendors with a set of hard-to-integrate standalone tools.

Try Windows Server Auditing For Free: netwrix.com/go/trial-ws

HQ: 8001 Irvine Center Drive, Suite 820, Irvine, CA 92618
Phone: 1-949-407-5125
Toll-free: 888-638-9749
Int'l: 1-949-407-5125
EMEA: 44 (0) 203-318-0261
netwrix.com/social