.NET Framework 2.0 Security Guidelines - Event Log
From Guidance Share
- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe
Do not log sensitive data
Do not log sensitive user information, such as credentials, credit card numbers, or user IDs. Once information has been written to the log, it can be viewed by anyone with access to the event log. To prevent the disclosure of sensitive data, do not log it in the first place. The event log remains a useful location for application execution information and error information.
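
The following C# sketch is an added example, not code from the original guidance: it logs the failed operation and the exception type, and scrubs the exception message as a second line of defense in case it echoes a password, user ID, or card number. The class names, the `OrderService` source, and event ID 1001 are hypothetical, and the patterns are best effort, not a substitute for keeping such data out of messages in the first place.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example; SafeEventLog, "OrderService" and event ID 1001 are hypothetical names.
public static class SafeEventLog
{
    private const string Source = "OrderService"; // assumed to be registered at install time

    // key=value pairs whose key suggests a credential or user ID (e.g. in a connection string).
    private static readonly Regex SecretPair = new Regex(
        @"\b(password|pwd|user\s*id|uid)\s*=\s*[^;\s']+", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Runs of 13 to 16 digits, optionally separated by spaces or dashes (card-number-like).
    private static readonly Regex CardLike = new Regex(
        @"\b(?:\d[ -]?){12,15}\d\b", RegexOptions.Compiled);

    public static string Scrub(string text)
    {
        if (String.IsNullOrEmpty(text)) return String.Empty;
        text = SecretPair.Replace(text, "$1=[removed]");
        return CardLike.Replace(text, "[removed]");
    }

    // Records what failed and the exception type; the message is scrubbed before it is written.
    public static void LogFailure(string operation, Exception ex)
    {
        string message = String.Format(
            "Operation '{0}' failed: {1}: {2}",
            operation, ex.GetType().FullName, Scrub(ex.Message));
        EventLog.WriteEntry(Source, message, EventLogEntryType.Error, 1001);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed input: an exception message that echoes a connection string and a card number.
        Exception ex = new InvalidOperationException(
            "Login failed for 'Server=db01;User Id=app;Password=Constructed123' card 4111 1111 1111 1111");
        // Weak form this replaces: EventLog.WriteEntry("OrderService", ex.ToString());
        Console.WriteLine(SafeEventLog.Scrub(ex.Message));
        SafeEventLog.LogFailure("SubmitOrder", ex);
    }
}
```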
Do not expose event log data to unauthorized users
Direct access to the event log through tools such as the Event Viewer is restricted to administrators. Do not expose event log data to less privileged users because the log may contain information about application or system internals that could be useful to an attacker.