Metabase auditing on IIS 7.5

Metabase auditing is a very useful feature that lets us track changes made to the IIS metabase. It was introduced with SP1 on Windows 2003 (IIS 6.0). When it is enabled, information such as the time of the change and the user account that made it gets written to the event logs, which is very useful for tracking changes.

Unfortunately, the feature was not included in IIS 7.0. But with IIS 7.5 (the IIS that ships with Windows 7 / Windows 2008 R2) we again have an auditing feature. Not sure if it can be called Metabase Auditing, as IIS 7.5 no longer has a centralized metabase :) But unlike the previous version, enabling auditing is a bit simpler:

Open up your Event Viewer

Expand Application and Service Logs > Microsoft > Windows

Scroll to IIS-Configuration

Right click on Operational and select Enable Log


Once the log is enabled, changes to the configuration are logged there as Information events.


To disable it, right-click Operational again and select Disable Log.
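The same steps can be scripted, which helps when auditing has to be switched on across several servers. This is an added example, not part of the original post; it assumes an elevated PowerShell prompt on the IIS 7.5 server and uses Microsoft-IIS-Configuration/Operational, the channel name behind the log enabled in the steps above.

```powershell
# Added example: enable the IIS configuration audit log and review recent changes.
# Run from an elevated PowerShell prompt. Works on PowerShell 2.0 (Windows 2008 R2).
$logName = 'Microsoft-IIS-Configuration/Operational'

# Equivalent of right-click > Enable Log in Event Viewer.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    wevtutil.exe set-log $logName /enabled:true
    Write-Host "Enabled $logName"
} else {
    Write-Host "$logName is already enabled"
}

# Read the most recent events. An empty log raises an error, so suppress it
# and treat the result as "nothing logged yet".
$events = Get-WinEvent -LogName $logName -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No configuration changes have been logged yet.'
    return
}

# Show when each event was written, the account recorded on it, and the message.
# The account is stored as a SID; fall back to the raw SID if it cannot be resolved
# (for example a deleted account or an unreachable domain controller).
$events | Select-Object TimeCreated, Id,
    @{ Name = 'Account'; Expression = {
        if ($_.UserId) {
            try   { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $_.UserId.Value }
        } else {
            '(not recorded)'
        }
    } },
    Message |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap

# Equivalent of right-click > Disable Log:
#   wevtutil.exe set-log $logName /enabled:false
```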

The best part is that you can now configure Event Viewer to send out an email when an event occurs. Just right-click the event, select “Attach Task To This Event…” and follow the wizard to configure your SMTP server. That way, the moment someone makes a change to your IIS configuration, you get notified by email.
