It is not difficult to find an IIS configuration setting that you can flip and make your webserver instantly insecure. For this reason it is very important to monitor and track changes to the IIS configuration. Fortunately IIS provides this feature, but you cannot turn it on in IIS Manager.
Instead, start Event Viewer and navigate to the Application and Services Logs -> Microsoft -> Windows -> IIS Configuration -> Operational branch. Right-click this log and click Enable Log to turn on auditing.
From now on, all IIS configuration changes appear in this log.
The General view doesn’t provide much information besides the modified setting, the modification date and the user, but you can find more in the Details view.
It’s important to know that only changes made via IIS Manager, appcmd or the object model show up in the log; if you use Notepad and edit the applicationHost.config directly, it won’t be logged.
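The same steps can be scripted, and the direct-edit gap can be covered with a file hash baseline. The following PowerShell is an added example, not part of the original post; it assumes an elevated session on the IIS server and the default applicationHost.config location, and the baseline path is a hypothetical one chosen for illustration.

```powershell
# Added example: enable and read the IIS configuration audit log, then
# detect changes to applicationHost.config that the log cannot see.
$logName  = 'Microsoft-IIS-Configuration/Operational'
$config   = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$baseline = 'C:\SecurityBaseline\applicationHost.sha256'   # hypothetical path

# 1. Enable the log (same effect as "Enable Log" in Event Viewer).
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.SaveChanges()
}

# 2. Show the most recent audited changes. Properties holds the values
#    that Event Viewer displays in the Details view.
Get-WinEvent -LogName $logName -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            UserSid     = $_.UserId
            Details     = ($_.Properties | ForEach-Object { $_.Value }) -join '; '
        }
    } | Format-List

# 3. Compare the file against a stored SHA-256 baseline. A hash change with
#    no audit event near the file's last write time points to a direct edit
#    (for example with Notepad), which the log does not record.
$current = (Get-FileHash -Path $config -Algorithm SHA256).Hash
if (-not (Test-Path $baseline)) {
    New-Item -ItemType Directory -Path (Split-Path $baseline) -Force | Out-Null
    Set-Content -Path $baseline -Value $current
    Write-Output "Baseline created: $current"
}
elseif ((Get-Content $baseline -TotalCount 1).Trim() -ne $current) {
    $lastWrite = (Get-Item $config).LastWriteTime
    Write-Warning ("applicationHost.config differs from baseline (last write $lastWrite). " +
                   "Check the audit log for an event at that time; if none exists, the file was edited directly.")
}
else {
    Write-Output 'applicationHost.config matches baseline.'
}
```

Rewrite the baseline file after each reviewed and approved change so that the next run compares against the current known-good state.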