IIS6, Enable Web Site Content Auditing

Enable Web Site Content Auditing in The Network Encyclopedia Tutorials and Documentation (IIS 6.0 Deployment Guide)

Once you have enabled security auditing, you must also enable auditing on the Web site content (files and folders) in order to track any modification or deletion of the content.

Before you set up auditing for files and folders, you must first enable object access auditing. This security setting determines whether to audit the event of a user accessing an object, such as a file, folder, or printer. Enabling object access auditing is accomplished by defining auditing policy settings for the object access event category of the Audit Policies in Local Security Settings. If you do not enable object access auditing, you receive an error message when you set up auditing for files and folders, and no files or folders are audited. After object access auditing is enabled, you can view the security log in Event Viewer to review the results of your changes. You can then set up Web site content auditing.

 
Tip:
  Because the security log is limited in size, carefully select the files and folders to be audited. In addition, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.

If file or folder auditing has been inherited from the parent folder, you will see one of the following:

   In the Auditing Entry for File or Folder dialog box, in the Access box, the check boxes are unavailable.

   -or-

   In the Advanced Security Settings for File or Folder dialog box, the Remove button is unavailable.

Requirements

Credentials: You must be logged on as a member of the Administrators group or you must have been granted the Manage auditing and security log right in Group Policy to perform this procedure.
Tools: Windows Explorer
File system: To enable auditing of Web site content, the disk volumes on which the Web site is stored must use the NTFS file system.

Recommendation

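As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type the following, replacing administrative_accountname with the administrative account. The quotation marks are required so that runas treats the program and its argument as a single command:

   runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"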

Procedures

To enable object access auditing

1. Open Administrative Tools, and then click Local Security Policy.
2. Expand Local Policies, and then click Audit Policy.
3. Right-click Audit object access, and then click Properties.
4. Enable auditing by clicking one of the following:
   Click Success to generate an audit entry when a user successfully accesses an object.
   Click Failure to generate an audit entry when a user unsuccessfully attempts to access an object.
   If you clear both check boxes, object access auditing is turned off.
5. Click OK.

To apply or modify auditing policy settings for a local file or folder

1. Open Accessories, and then click Windows Explorer.
2. Right-click the file or folder for which you want to set audit policy settings, click Properties, and then click the Security tab.
3. Click Advanced, and then click the Auditing tab.
4. Do one of the following:
   To set up auditing for a new user or group, click Add. In Enter the object name to select, type the name of the user or group that you want to audit, and then click OK.
   To remove auditing for an existing group or user, click the group or user name, click Remove, click OK, and then skip the rest of this procedure.
   To view or change auditing for an existing group or user, click the name of the group or user, and then click Edit.
5. In the Apply onto box, click the location where you want auditing to take place.
6. In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes:
   To audit successful events, select the Successful check box.
   To stop auditing successful events, clear the Successful check box.
   To audit unsuccessful events, select the Failed check box.
   To stop auditing unsuccessful events, clear the Failed check box.
   To stop auditing all events, click Clear All.
7. If you want to prevent subsequent files and subfolders of the original object from inheriting these audit entries, select the Apply these auditing entries to objects and/or containers within this container only check box.
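
A scripted equivalent of the second procedure, as an added example that is not part of the original guide: it adds an audit entry to a content folder's SACL with PowerShell and the .NET access control classes, then reads the entries back to show which are inherited. It assumes PowerShell is installed on the server, that object access auditing is already enabled as in the first procedure, and that the folder path and audited group shown are placeholders to replace.

```powershell
# Added example, not from the original guide. $ContentPath and $Principal are
# hypothetical values; replace them with your content folder and the group to audit.
param(
    [string]$ContentPath = 'D:\Inetpub\wwwroot',
    [string]$Principal   = 'Everyone'
)

# The inheritance flags used below apply to folders only.
if (-not (Test-Path -Path $ContentPath -PathType Container)) {
    throw "$ContentPath is not an existing folder."
}

# Requirement from the guide: the content volume must use NTFS.
$root  = [System.IO.Path]::GetPathRoot((Resolve-Path $ContentPath).ProviderPath)
$drive = New-Object System.IO.DriveInfo $root
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$root uses $($drive.DriveFormat); file and folder auditing requires NTFS."
}

# Step 6: audit the accesses that modify or delete content.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Step 5, "Apply onto": this folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
# Step 7: use NoPropagateInherit instead of None to stop the entry at direct children.
$propagate = [System.Security.AccessControl.PropagationFlags]::None
# Step 6: Successful and Failed both selected.
$events = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $rights, $inherit, $propagate, $events)

# -Audit loads the SACL. This needs Administrators membership or the
# "Manage auditing and security log" right, as stated under Requirements.
$acl = Get-Acl -Path $ContentPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $ContentPath -AclObject $acl

# Read the SACL back. IsInherited = True marks entries that come from a parent
# folder, which is why the dialog boxes show them as unavailable for editing.
(Get-Acl -Path $ContentPath -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited, InheritanceFlags |
    Format-Table -AutoSize
```

Keep the audited rights narrow, as the Tip above advises: auditing read access for a broad group on a busy site fills the security log quickly.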