metabase.xml and applicationHost.config file and security

what are the default locations for these files, and what are the security implications if unauthorised access can access/edit them? many IIS security references say access to them is key and unauthorised access poses an issue, but I'd like to understand what they are for and why they are such a concern to security teams. do they contain plain text passwords or something?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Gaurav SinghHead - Managed ServicesCommented:
Can you please let us know the which OS you are using windows 2003/2008??
pma111Author Commented:
both in this case, albeit 2003 not for much longer
Gaurav SinghHead - Managed ServicesCommented:
Default location is C:\windows\system32\inetsrv\config.  You should not be doing any thing manually to these. Altering a single letter in file will corrupt your IIS. These files are the heart of IIS.
Dan McFaddenSystems EngineerCommented:
1. the "metabase.xml" file is only for IIS6.  It does not exist for IIS7+
2. the "applicationHost.config" file is only for IIS7+.  This file replaced the metabase.xml file structure

Editing both of these files is allowed, though playing with these files should be done with the utmost care.  Using a decent text editor is safe.

*** Always backup the files before you edit them! ***

metabase link:

applicationHost.config link:

Unauthorized access to these files would mean that someone has unauthorized access to your server meaning your server is/was compromised.  The implications are that your web application may not function due to improper configuration or at worst, IIS cannot load and run.

Both of the files provide the base server configuration for IIS.  Meaning these files contain the global settings for all of the features available after IIS is installed on a server.

There are situations where you may want to change the global (inheritable) settings of the server, this is where you would manage those changes.  Both files are plain text in an XML or XML-like format.

Neither file should contain password as those configuration type items usually reside in an application web.config which is a file local to the app in its root folder.

As mentioned above by Gaurav, these files are the heart of IIS's config and should be treated as a such.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.