Microsoft IIS binary files are installed on the system disk by default. However, for security reasons, we want to change the name and location of the metabase. How can we go about accomplishing this task, and can you think of any reasons why we shouldn't make these changes?

By default, the metabase resides in metabase.bin in \winnt\system32\insetsrv. To change the metabase's location and name, you can edit the registry: Add the value MetadataFile (of type REG_SZ) to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INetMgr\Parameters subkey, and type the full metabase pathname, including filename. The metabase should have Full Control permissions for SYSTEM (i.e., the System account) and the local Administrators group, but you should enable no other permissions.

The technique for relocating the metabase is simple, but is it a good idea? I don't like to rely on techniques that fall under the category of "security by obscurity." The default ACLs on the metabase prevent all but the most serious security breaches from affecting metabase content. If someone gains elevated privileges through the System or Administrator account, the security game is probably over anyway. Nevertheless, if you require a highly secure sever, you should use all the tools at your disposal, including obscurity techniques.