
Not Answered Thread: How do I configure IIS 5.1 to generate security events on configuration change

Last post 10-19-2009 8:16 PM by mimatas. 4 replies.


  • 10-19-2009, 6:29 PM

    • mimatas
    • Not Ranked
    • Joined on 10-19-2009, 6:15 PM
    • Posts 3

    How do I configure IIS 5.1 to generate security events on configuration change

    Hello, 

    This may be a really stupid / simple question, but I've spent hours scouring google and bing to no avail.

    I'm deploying a system in a multi-user environment with somewhat restrictive security requirements.  As part of this deployment, I will be restricting access to the IIS Manager application (iis.msc) to only an administrators group (using windows file permissions, as that's currently the only way I know how).  However, in addition to that, I would like to have a security event logged to the security event viewer whenever an administrator makes changes to the IIS configuration.  In an ideal world, I'd like the event to be as specific as possible with respect to the settings modified... however, I'm willing to settle for just a record of the user that made the change.

    I know I can audit read access to iis.msc using the generic windows file auditing, which will tell me whenever an admin tries to run iis.msc, but doesn't tell me whether or not something was changed.  Is there a way to audit changes to IIS configurations (specifically, to directory security settings)?

    If it helps, I'm using IIS 5.1 on XP, though this will likely be deployed on a 2003 machine, as well as possible deployments using IIS 6 or 7 (still TBD) on server 2008.

    Thanks in advance for the help,

    Mim

  • 10-19-2009, 6:58 PM In reply to

    Re: How do I configure IIS 5.1 to generate security events on configuration change

    You need to be a member of the local admin group to change the IIS settings, so I do not see the need for restricting the msc.

    As for a log, well, the changes made in the manager will be reflected in the metabase (iis6) or the config files (iis7) and you can change these directly too. So maybe you can have a log on changes made to these files.

    But how many people are you thinking of giving access to the IIS box? Surely only trusted administrators anyway.

  • 10-19-2009, 7:53 PM In reply to

    • mimatas
    • Not Ranked
    • Joined on 10-19-2009, 6:15 PM
    • Posts 3

    Re: How do I configure IIS 5.1 to generate security events on configuration change

    Thanks so much for your quick response.  Is there a local policy setting that I can change to configure the groups that can modify IIS settings?  Unfortunately, our local admins group is effectively empty, and instead we have two admin groups (separation of duties), one for security admins, another for application admins.  In this case, we need to restrict access to IIS config to only security admins... which is why I was planning on restricting access to the MSC (or, now that I know 5.1 uses a metabase, maybe I could restrict permissions on that).  It sounds like there might be a local policy and/or GPO that I can go mess with to more gracefully control access, though.

    I'll look at auditing changes to the metabase.bin file as a way to record IIS config changes.  This sounds like it would solve my problem.

    Thank you again for your quick response.  I really appreciate the help.

    Mim

  • 10-19-2009, 8:00 PM In reply to

    Re: How do I configure IIS 5.1 to generate security events on configuration change

    I would look at the production platform you are going to deploy. I am not sure with IIS 5.1 with XP if everything will be the same.

    Like I said, only local admin can run the iis manager, so you will have to give both your admin groups access to this. I am not really sure what an application admin is in your case. I hope you don't mean devs!

    With IIS7 there are various delegation options you can use that will give limited access to the different sites/apps for the app admins that want to use it. It could be something worth looking at, as this will give you more flexibility, reduce the need for overall full-power 'local admin' administrators, and give more control if you need a multi-tier admin system. And it sounds like you will need this for your application administrators.

    http://learn.iis.net/page.aspx/155/an-overview-of-feature-delegation-in-iis-70/

  • 10-19-2009, 8:16 PM In reply to

    • mimatas
    • Not Ranked
    • Joined on 10-19-2009, 6:15 PM
    • Posts 3

    Re: How do I configure IIS 5.1 to generate security events on configuration change

    An application admin is basically the same as a system admin.  He is responsible for ensuring the day-to-day operational success of the system, but does not have access to change security settings (add users/groups, view/clear the security event log, etc).  Then we have security admins who can modify users, adjust security settings, and perform security audits, but do not necessarily have permission to perform other administrative tasks.

    I did notice that the metabase.bin file was restricted to only admins.  I might try changing these permissions to see if I can enable the IIS manager for other users, which would allow me to have Security admins that were not part of the local admin group.

    Furthermore, we will likely have IIS deployed on client workstations.  I know this sounds odd, but it's an operational necessity.

    Unfortunately, our customer has control of our deployment environment, and while we can give recommendations, the ultimate decision is theirs, so I'm trying to come up with solutions that will work regardless of their decision.

    I just attempted to try your idea of auditing changes to the metabase.bin file, and unfortunately it didn't work.  You did give me some good ideas, though.  I read somewhere that IIS also uses parts of the registry to store some settings, so I may see if auditing those registry entries will do what I need.  I'm surprised that there is no built-in auditing functionality for IIS, though.  I feel like a lot of people would like to have a record of when their web server is reconfigured.  Adding windows audit requests to random files/registry entries seems a bit extreme for what I would expect to be a standard feature.

    I really appreciate your responses.  I will certainly look into IIS 7, and possibly try to recommend that to our customer, but as I said, it may not be an option.  In the meantime, any other ideas about how to get the security events I need?

    Thanks,

    Mim
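The second reply suggests logging changes to the metabase or the IIS 7 config files, and the last post reports that a plain file audit on metabase.bin did not produce anything useful. The script below is an added example, not something posted in the thread, showing the Windows-native way to do what was suggested: put an audit entry (SACL) on the IIS configuration file and then read the resulting object-access events back out of the Security log with the user and process that made the write. It assumes Windows Vista / Server 2008 or later (auditpol.exe, Get-WinEvent, event ID 4663), an elevated session, and the IIS 7 applicationHost.config path; the function names are the example's own. One caveat that matches the poster's experience: on IIS 5.1 and 6 the metabase is held in memory and flushed to disk by the IIS service process, so a SACL on MetaBase.bin tends to record the service account rather than the administrator who used IIS Manager, which is why IIS 7's file-based configuration (or feature delegation, as the other reply recommends) gives more useful audit data.

```powershell
# Added example, not from the thread: audit writes to an IIS configuration
# file with a Windows file SACL and read the resulting Security-log events.
# Assumptions: Windows Vista / Server 2008 or later (auditpol.exe, Get-WinEvent,
# event ID 4663); run from an elevated PowerShell session.
# IIS 7 stores its configuration in applicationHost.config; IIS 5.1 / 6 keep
# it in MetaBase.bin / MetaBase.xml in the same inetsrv folder.
$IisConfigFile = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

function Enable-IisConfigFileAudit {
    param([Parameter(Mandatory = $true)][string]$Path)

    # 1. Turn on the "File System" object-access audit subcategory. On XP / 2003
    #    the equivalent is Local Security Policy -> Audit object access.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # 2. Add a SACL entry so that any write, delete or permission change on the
    #    file is recorded, whoever performs it. Get-Acl needs -Audit to fetch
    #    the SACL, and Set-Acl needs SeSecurityPrivilege to write it back.
    $acl = Get-Acl -Path $Path -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-IisConfigChangeEvents {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # 4663 = "An attempt was made to access an object" (Vista+). The legacy
    # XP / 2003 IDs are 560 (Object Open) and 567 (Object Access Attempt).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process = $data['ProcessName']
                Object  = $data['ObjectName']
                Access  = $data['AccessMask']
            }
        } |
        Where-Object { $_.Object -eq $Path }
}

Enable-IisConfigFileAudit -Path $IisConfigFile
Get-IisConfigChangeEvents -Path $IisConfigFile | Format-Table Time, User, Process, Access -AutoSize
```

Run Enable-IisConfigFileAudit once; afterwards every write to the file by any account lands in the Security log, and Get-IisConfigChangeEvents lists who changed it, from which process, and when. The Process column is what distinguishes an edit made through IIS Manager or appcmd from a direct edit with a text editor, and it also exposes the in-memory-metabase problem on IIS 6 described above, where the process will be the IIS service rather than the administrator's tool.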

Microsoft Communities