I am attempting to monitor changes to IIS server configuration with TripWire, and have noticed the IIS 6.0 MetaBase.xml file is frequently changed. I understand that IIS frequently backs up the MetaBase, but why would values for the various ACL and password entries change with each revision?
The values that change:
AdminACL
AnonymousUserPass
LogOdbcPassword
WAMUserPass
UNCPassword
New revisions are triggered by simply opening iis.msc, even though none of the settings are changed.
-
It appears to be salting the values on each export.
These properties are all "SECURE" properties (see http://technet.microsoft.com/en-us/library/cc775980%28WS.10%29.aspx) and Microsoft makes an attempt to obscure them in the XML file.
The encryption appears to be "salted" with the timestamp, version number, or both (I can't get a clear description of the algorithm anywhere) of the XML file. It appears that the IIS management snap-in calls the IIsComputer.SaveData (http://msdn.microsoft.com/en-us/library/ms524872.aspx) API and that, in turn, writes a fresh XML export with the newly-salted values.
From Evan Anderson
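
For the file-integrity use case in the question, one option is to compare revisions with the five listed properties masked, so that a re-save alone does not register as a change. This is an added example, not part of the original question or answer; it assumes the properties are stored as XML attributes on elements that carry a `Location` attribute, and the revisions below are constructed samples.

```python
import hashlib
import xml.etree.ElementTree as ET

# Properties the question lists as changing on every save.
VOLATILE = frozenset({"AdminACL", "AnonymousUserPass", "LogOdbcPassword",
                      "WAMUserPass", "UNCPassword"})

def _records(xml_text):
    """Yield (element path, attribute, value) with volatile values masked."""
    def walk(elem, path):
        here = f"{path}/{elem.tag}[{elem.get('Location', '')}]"
        yield here, "", ""  # record the element itself, even without attributes
        for name, value in sorted(elem.attrib.items()):
            yield here, name, "<masked>" if name in VOLATILE else value
        for child in elem:
            yield from walk(child, here)
    yield from walk(ET.fromstring(xml_text), "")

def stable_digest(xml_text):
    """SHA-256 over the masked records; unchanged by a re-save of secure values."""
    h = hashlib.sha256()
    for rec in _records(xml_text):
        h.update("\x1f".join(rec).encode("utf-8") + b"\n")
    return h.hexdigest()

def real_changes(old_xml, new_xml):
    """Return sorted (path, attribute) pairs that differ, ignoring masked values."""
    old = {(p, n): v for p, n, v in _records(old_xml)}
    new = {(p, n): v for p, n, v in _records(new_xml)}
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))

# Constructed sample revisions (not taken from a real MetaBase.xml).
REV_A = """<configuration><MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_EXAMPLE"
               AnonymousUserPass="aa11" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" UNCUserName="svc_example"
                  UNCPassword="bb22" />
</MBProperty></configuration>"""
REV_B = REV_A.replace("aa11", "cc33").replace("bb22", "dd44")  # re-save only
REV_C = REV_B.replace("IUSR_EXAMPLE", "IUSR_OTHER")            # real edit

if __name__ == "__main__":
    print("A vs B changes:", real_changes(REV_A, REV_B))
    print("B vs C changes:", real_changes(REV_B, REV_C))
```

Masking means a genuine change to one of those five values also goes unreported, so track them through another channel if they matter to you.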