{"id":1785,"date":"2020-09-04T15:30:55","date_gmt":"2020-09-04T13:30:55","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/lavanack\/?p=1785"},"modified":"2022-12-09T09:50:12","modified_gmt":"2022-12-09T08:50:12","slug":"iis-configuration-auditing","status":"publish","type":"post","link":"https:\/\/laurentvanacker.com\/index.php\/2020\/09\/04\/iis-configuration-auditing\/","title":{"rendered":"IIS Configuration Auditing"},"content":{"rendered":"<p><a href=\"#en-us\" name=\"fr-fr\">Go to English version<\/a><\/p>\n<p>[UPDATE: 09\/04\/2020] Added a PowerShell script to filter the useful information from the event log.<\/p>\n<p>The blog article <a title=\"https:\/\/blogs.msdn.microsoft.com\/webtopics\/2010\/03\/19\/iis-7-5-how-to-enable-iis-configuration-auditing\/\" href=\"https:\/\/blogs.msdn.microsoft.com\/webtopics\/2010\/03\/19\/iis-7-5-how-to-enable-iis-configuration-auditing\/\">https:\/\/blogs.msdn.microsoft.com\/webtopics\/2010\/03\/19\/iis-7-5-how-to-enable-iis-configuration-auditing\/<\/a> explains IIS configuration auditing in detail.\u00a0 I would like to add some information in this article.<\/p>\n<p>I recommend increasing the log size to 10 MB in order to keep a longer history of configuration changes. You can increase the size by right-clicking the log name and choosing <strong>Properties<\/strong>. 
<b><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" style=\"float: none; padding-top: 0px; padding-left: 0px; margin-left: auto; padding-right: 0px; margin-right: auto; border-width: 0px;\" title=\"Application and Services Logs \/ Microsoft \/ Windows \/ IIS-Configuration\/Operational event log \" src=\"http:\/\/laurentvanacker.com\/wp-content\/uploads\/2017\/03\/image350.png\" alt=\"Application and Services Logs \/ Microsoft \/ Windows \/ IIS-Configuration\/Operational event log \" width=\"604\" height=\"435\" border=\"0\" \/><\/b><\/p>\n<p align=\"justify\">As a reminder, IIS configuration auditing shows the configuration element that was modified, the user who initiated the change, and the values before and after the change. In the screenshot below, the local administrator changed the binding of the \u201cDefault Web Site\u201d from \u201c*:80:\u201d to \u201c*:81:\u201d (only the port number changed) on March 15, 2017 at 06:15:48.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" style=\"float: none; padding-top: 0px; padding-left: 0px; padding-right: 0px; border-width: 0px;\" title=\"Event log entry\" src=\"http:\/\/laurentvanacker.com\/wp-content\/uploads\/2017\/03\/image351-1.png\" alt=\"Event log entry\" width=\"604\" height=\"506\" border=\"0\" \/><\/p>\n<p align=\"justify\">Note: A single change can generate multiple entries in this event log, depending on the configuration sections.<\/p>\n<p>If you want to enable configuration auditing and increase the log size to 10 MB via a script, I propose the following two possibilities:<\/p>\n<ul>\n<li>From an elevated command prompt:<\/li>\n<\/ul>\n<pre class=\"brush: plain; collapse: true; light: 
false; title: ; toolbar: true; notranslate\" title=\"\">\r\nREM To enable the configuration auditing and increase the log size to 10 MB.\r\nwevtutil Set-Log Microsoft-IIS-Configuration\/Operational \/e:true \/ms:10485760\r\n<\/pre>\n<div id=\"scid:9D7513F9-C04C-4721-824A-2B34F0212519:3d694b0c-259e-4721-8b5e-2b367552622a\" class=\"wlWriterEditableSmartContent\" style=\"float: none; margin: 0px; padding: 0px;\"><\/div>\n<ul>\n<li>From an elevated PowerShell prompt:<\/li>\n<\/ul>\n<pre class=\"brush: powershell; collapse: true; light: false; title: ; toolbar: true; notranslate\" title=\"\"> # To enable the configuration auditing and increase the log size to 10 MB. \r\n$logName = &quot;Microsoft-IIS-Configuration\/Operational&quot; \r\n$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName \r\n$log.IsEnabled=$true \r\n$log.MaximumSizeInBytes=10MB \r\n$log.SaveChanges() <\/pre>\n<div id=\"scid:9D7513F9-C04C-4721-824A-2B34F0212519:b117f048-599f-4197-b89a-cf623849bb48\" class=\"wlWriterEditableSmartContent\" style=\"float: none; margin: 0px; padding: 0px;\"><\/div>\n<div>I also provide the <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Windows%20Powershell\/IIS\/Get-IISConfigurationOperationLogEvent.ps1\">following<\/a>\u00a0script, which lets you quickly list the changes made to the IIS configuration.<\/div>\n<div>\n<p>In the following screenshot (displayed as a GridView), we can see (to be read in chronological order &#8211; from bottom to top):<\/p>\n<ul>\n<li>Stopping of the \u201cDefault Web Site\u201d<\/li>\n<li>Creation of a \u201cwww.microsoft.com\u201d site (Id: 2) listening on port 80 over HTTP and using an application pool of the same name<\/li>\n<li>Creation of the \u201cwww.microsoft.com\u201d application pool<\/li>\n<li>Location 
of the \u201cwww.microsoft.com\u201d site at \u201cC:\\inetpub\\wwwroot\u201d<\/li>\n<li>Update of an HTTP binding on port 443 with the Host Header Name \u201cwww.microsoft.com\u201d (\u201c*:443:www.microsoft.com\u201d)<\/li>\n<li>All done by the \u201ccontoso\\administrator\u201d account between 15:06:35 and 15:07:25 on September 04, 2020<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2940\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent.jpg\" alt=\"\" width=\"1697\" height=\"454\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent.jpg 1697w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent-300x80.jpg 300w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent-1024x274.jpg 1024w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent-768x205.jpg 768w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent-1536x411.jpg 1536w\" sizes=\"auto, (max-width: 1697px) 100vw, 1697px\" \/><\/p>\n<\/div>\n<p align=\"justify\"><img decoding=\"async\" src=\"http:\/\/laurentvanacker.com\/wp-content\/uploads\/2017\/01\/012717_1333_Fusionnerde1.png\" alt=\"\" \/><\/p>\n<p align=\"justify\"><a href=\"#fr-FR\" name=\"en-us\">Go to French version<\/a><\/p>\n<p>[UPDATE: 09\/04\/2020] Added a PowerShell script to filter the useful information from the event log.<\/p>\n<p>The <a title=\"https:\/\/blogs.msdn.microsoft.com\/webtopics\/2010\/03\/19\/iis-7-5-how-to-enable-iis-configuration-auditing\/\" 
href=\"https:\/\/blogs.msdn.microsoft.com\/webtopics\/2010\/03\/19\/iis-7-5-how-to-enable-iis-configuration-auditing\/\">https:\/\/blogs.msdn.microsoft.com\/webtopics\/2010\/03\/19\/iis-7-5-how-to-enable-iis-configuration-auditing\/<\/a> blog article explains IIS configuration auditing in detail.\u00a0 I would like to add some details in this article.<\/p>\n<p>I recommend increasing the log size to 10 MB to keep a longer history of configuration changes. You can increase the size by right-clicking the log name in the Event Viewer and choosing <strong>Properties<\/strong>.<\/p>\n<p><b><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" style=\"float: none; padding-top: 0px; padding-left: 0px; padding-right: 0px; border-width: 0px;\" title=\"Application and Services Logs \/ Microsoft \/ Windows \/ IIS-Configuration\/Operational event log \" src=\"http:\/\/laurentvanacker.com\/wp-content\/uploads\/2017\/03\/image350.png\" alt=\"Application and Services Logs \/ Microsoft \/ Windows \/ IIS-Configuration\/Operational event log \" width=\"604\" height=\"435\" border=\"0\" \/><\/b><\/p>\n<p>&nbsp;<\/p>\n<p>As a reminder, IIS configuration auditing displays the configuration element that was changed, the user who initiated the change, and the original and new values of the element. 
In the screenshot below, the local administrator changed the binding of the \u201cDefault Web Site\u201d from \u201c*:80:\u201d to \u201c*:81:\u201d (only the port number changed) on March 15th 2017 at 06:15:48 AM.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" style=\"float: none; padding-top: 0px; padding-left: 0px; padding-right: 0px; border-width: 0px;\" title=\"Event log entry\" src=\"http:\/\/laurentvanacker.com\/wp-content\/uploads\/2017\/03\/image351-1.png\" alt=\"Event log entry\" width=\"604\" height=\"506\" border=\"0\" \/><\/p>\n<p>Note: A single change can generate multiple log entries in this dedicated event log, depending on the configuration sections to commit.<\/p>\n<p>&nbsp;<\/p>\n<p>If you want to enable configuration auditing and increase the log size to 10 MB via a script, I propose the following two possibilities:<\/p>\n<ul>\n<li>From an elevated command prompt:<\/li>\n<\/ul>\n<pre class=\"brush: plain; collapse: true; light: false; title: ; toolbar: true; notranslate\" title=\"\"> \r\nREM To enable the configuration auditing and increase the log size to 10 MB. \r\nwevtutil Set-Log Microsoft-IIS-Configuration\/Operational \/e:true \/ms:10485760 \r\n<\/pre>\n<div id=\"scid:9D7513F9-C04C-4721-824A-2B34F0212519:730f48e3-d634-4f60-a9c7-2dddc7b6a6d6\" class=\"wlWriterEditableSmartContent\" style=\"float: none; margin: 0px; padding: 0px;\"><\/div>\n<ul>\n<li>From an elevated PowerShell prompt:<\/li>\n<\/ul>\n<pre class=\"brush: powershell; collapse: true; light: false; title: ; toolbar: true; notranslate\" title=\"\"> \r\n# To enable the configuration auditing and increase the log size to 10 MB. 
\r\n$logName = &quot;Microsoft-IIS-Configuration\/Operational&quot; \r\n$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName \r\n$log.IsEnabled=$true \r\n$log.MaximumSizeInBytes=10MB \r\n$log.SaveChanges()\r\n<\/pre>\n<div id=\"scid:9D7513F9-C04C-4721-824A-2B34F0212519:18703894-8e35-40e4-85c2-96f066df382c\" class=\"wlWriterEditableSmartContent\" style=\"float: none; margin: 0px; padding: 0px;\">I also provide the following <a href=\"https:\/\/github.com\/lavanack\/laurentvanacker.com\/blob\/master\/Windows%20Powershell\/IIS\/Get-IISConfigurationOperationLogEvent.ps1\">script<\/a>, which lets you quickly list the modifications made to the IIS configuration.<\/div>\n<div>\n<p>In the following screenshot (displayed as a GridView), we can see (to be read in chronological order &#8211; from bottom to top):<\/p>\n<ul>\n<li>Stopping the \u201cDefault Web Site\u201d<\/li>\n<li>Creation of a \u201cwww.microsoft.com\u201d site (Id: 2) listening on port 80 over HTTP and using an application pool of the same name<\/li>\n<li>Creation of the \u201cwww.microsoft.com\u201d application pool<\/li>\n<li>Location of the \u201cwww.microsoft.com\u201d site at \u201cC:\\inetpub\\wwwroot\u201d<\/li>\n<li>Update of an HTTP binding on port 443 with the Host Header Name \u201cwww.microsoft.com\u201d (\u201c*:443:www.microsoft.com\u201d)<\/li>\n<li>All done by the \u201ccontoso\\administrator\u201d account between 03:06:35 PM and 03:07:25 PM on September 04, 2020<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2940\" src=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent.jpg\" alt=\"\" width=\"1697\" height=\"454\" srcset=\"https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent.jpg 1697w, 
https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent-300x80.jpg 300w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent-1024x274.jpg 1024w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent-768x205.jpg 768w, https:\/\/laurentvanacker.com\/wp-content\/uploads\/2020\/09\/Get-IISConfigurationOperationLogEvent-1536x411.jpg 1536w\" sizes=\"auto, (max-width: 1697px) 100vw, 1697px\" \/><\/p>\n<\/div>\n<p>Laurent.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Go to English version [UPDATE: 09\/04\/2020] Added a PowerShell script to filter the useful information from the event log. The blog article https:\/\/blogs.msdn.microsoft.com\/webtopics\/2010\/03\/19\/iis-7-5-how-to-enable-iis-configuration-auditing\/ explains in [&#8230;]<\/p>\n","protected":false},"author":2,"featured_media":2465,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[25],"class_list":["post-1785","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iis","tag-iis"],"_links":{"self":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/1785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/comments?post=1785"}],"version-history":[{"count":13,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/posts\/1785\/revisions"}],"predecessor-version":[{"id":3063,"href":"https:\/\/laurentvanacke
r.com\/index.php\/wp-json\/wp\/v2\/posts\/1785\/revisions\/3063"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media\/2465"}],"wp:attachment":[{"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/media?parent=1785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/categories?post=1785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/laurentvanacker.com\/index.php\/wp-json\/wp\/v2\/tags?post=1785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}