Who changed my IIS 7.5 configuration? - Ido Flatow's Blog Veni Vidi Scripsi

Who changed my IIS 7.5 configuration?

I was asked today whether you can find out who was the last person to change the IIS 7.5 configuration files in case someone made a mess with the configuration.

This is a decade-old question that bothers developers and IT staff all around the world: “Who touched my stuff?”

When talking about code changes in your applications, it is quite easy to open the source control tool you are using (VSS, SVN, ClearCase, TFS…) and search the history list for the person who recently changed the files.

When working with IIS configuration, it is a different story: the IIS 7.5 configuration files are not stored in source control, so the only way to check who changed the configuration is to use security audits (if you’ve set them up correctly in the GPO) and then check the Event Viewer’s security logs.

So what can we do in order to find out who is to blame? Apparently, there is a simple way to do it, because IIS 7.5 sends trace messages for each configuration change it detects!

So to audit your configuration changes, just follow these steps:

  1. Open the event viewer.
  2. Expand Applications and Services Logs | Microsoft | Windows | IIS-Configuration.
  3. Right-click the Operational option and select Enable Log.
  4. From this point on, every configuration change that is made in IIS 7.5 will be logged, whether the configuration change causes the applicationHost.config to be changed or an application’s web.config file to be changed.
    Every configuration change will be logged with the information about the section that was changed, the value it was set to, the time, and most important – the user that was responsible for the change.

Now there are some important things to note:

  1. The auditing process uses ETW (Event Tracing for Windows), a high-performance infrastructure of the Windows operating system, so you shouldn’t see any noticeable CPU overhead.
  2. It is advisable to limit the size of the log file that is created, because every small change to the configuration, such as creating a virtual directory, or changing the configuration of the application pool, will cause several log messages to be written.
  3. Auditing is performed whenever you change the configuration through a controlled application, such as appcmd.exe or IIS Manager. If the change is made by manually editing the configuration file (either applicationHost.config or web.config), the change won’t be audited.
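
The same steps and the size limit from note 2 can be scripted. The following is an added example, not part of the original post: it enables the log, caps its size, and lists recent changes with the account behind each one. The channel name, the 64 MB cap and the function name Get-IisConfigChange are assumptions of this example.

```powershell
# Run in an elevated PowerShell session on the IIS server (works on PowerShell 2.0+).
# Channel behind Event Viewer's "IIS-Configuration | Operational" node (assumed name);
# confirm it on your host with:  wevtutil el | Select-String 'IIS-Configuration'
$channel = 'Microsoft-IIS-Configuration/Operational'

# Steps 1-3: enable the log. Note 2: cap its size (64 MB is an example value)
# and overwrite the oldest events when full instead of stopping.
wevtutil sl $channel /e:true /ms:67108864 /rt:false
if ($LASTEXITCODE -ne 0) { throw "Could not configure $channel" }

# Show the resulting settings (enabled, maxSize, retention) for verification.
wevtutil gl $channel

# Step 4: read recent change events and resolve the SID of the responsible user.
function Get-IisConfigChange {
    param([int]$MaxEvents = 200)
    Get-WinEvent -LogName $channel -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $account = if ($_.UserId) {
                # Fall back to the raw SID if it cannot be resolved (deleted account).
                try { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $_.UserId.Value }
            } else { '(none recorded)' }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                User    = $account
                EventId = $_.Id
                Message = $_.Message
            }
        } | Select-Object Time, User, EventId, Message
}

# Chronological list of changes, then a per-account summary.
Get-IisConfigChange | Sort-Object Time | Format-Table -AutoSize -Wrap
Get-IisConfigChange | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Because of note 3, this report does not include direct edits to applicationHost.config or web.config; those are only visible through the security audits mentioned earlier.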

By the way, a similar metabase auditing feature also exists for IIS 6. For more information on how to audit IIS 6 configuration changes, see the following TechNet article.

So turn on your logs and start catching those hooligans.


Comments

DotNetKicks.com said:

You've been kicked (a good thing) - Trackback from DotNetKicks.com

# August 8, 2011 6:01 PM