We host a customer site (the hardware is at a third party data center, but we administer the software). On several different occasions, the customer has reported a problem with the site, and when I login to the machine I find that the IIS configuration has changed - the authentication method has changed (should be basic but it has switched to forms), the default document is enabled (should be disabled), and directory browsing is disabled (should be enabled). The configuration changes are the same each time.
So far I've tried...
- IIS auditing. The only changes that have been logged are the ones I made every time I've fixed the IIS configuration
- Configuration change history. I reviewed the c:\inetpub\history and according to the snapshots nothing has changed. In other words, the snapshots only have the correct settings, they never show that there were incorrect settings.
- Task Scheduler. I've reviewed every single task (including Windows tasks) and don't see anything that would be changing the IIS configuration. Also, while this event has occurred monthly since the site went live, it is not happening on a consistent day of the week (first Monday, 15th of the month, etc.), so it doesn't seem to have a date trigger.
What could possibly be changing my site's IIS settings every month? How can I track down the culprit?
Specs:
- Windows Server 2008 R2
- IIS 7.5
- McAfee Virus Scanner (checked logs, didn't see any smoking gun)
Update To answer some of the questions in the comments: we are not using Exchange or Sharepoint. I have checked the local web.config file and it does not contain the authentication, default doc, or directory browsing settings. These are all being stored in the applicationHost.config.