ASP.NET 1.1 Security Guidelines - Auditing and Logging

From Guidance Share


- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan


Create an application specific event source

The default ASP.NET process identity for Web applications (the ASPNET account on IIS 5.x, NETWORK SERVICE on IIS 6.0) can write new records to the event log, but it does not have sufficient permissions to create new event sources, because doing so requires write access beneath the Eventlog registry key. To address this issue, create the event sources used by your application at installation time, when administrator privileges are available. A good approach is to use a .NET installer class, which can be instantiated by the Windows Installer (if you are using .msi deployment) or by the InstallUtil.exe system utility.


If you are unable to create event sources at installation time, and the application is already deployed, an administrator must manually create the new event source entry beneath the following registry key (the source key must contain an EventMessageFile value, as described below, or the Event Viewer cannot format the messages):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>


To create an application event source at installation time

  • Right-click your project in the Solution Explorer window in Visual Studio .NET, point to Add, and then click Add Component.
  • Select Installer Class from the list of templates and provide a suitable class file name.

    This creates a new installer class annotated with the RunInstaller(true) attribute.
          [RunInstaller(true)]
          public class EventSourceInstaller : System.Configuration.Install.Installer
          {
              // The EventLogInstaller component you add in the designer is placed in
              // this.Installers, so Install/Uninstall/Rollback are forwarded to it.
              . . .
          }
    
  • Display the new installer class in Design view, display the Toolbox, and then click Components in the Toolbox. Drag an EventLogInstaller component onto the Designer work surface.

    Note If EventLogInstaller does not appear in the Toolbox, right-click the Toolbox, and then click Add/Remove Items. Then select EventLogInstaller to add this component type.
  • Set the following EventLogInstaller properties:
    • Log. Set this property to the name of the event log the source belongs to, normally "Application". If you specify a log name that does not already exist, the installer creates a new application-specific log with that name.
    • Source. Set this property to the event source name. This is usually your application name.
  • Build your project and then create an instance of the installer class at installation time.
    Installer class instances are automatically created and invoked if you use a .NET Setup and Deployment project to create a Windows installer file (.msi). If you use xcopy or equivalent deployment, use the InstallUtil.exe utility to create an instance of the installer class and to execute it.
  • To confirm the successful generation of the event source, use a registry editor and navigate to:
          HKLM\System\CurrentControlSet\Services\EventLog\Application\{source name}
    

    Confirm that the key exists and that it contains an EventMessageFile string value that points to the default .NET Framework event message file:

          \Windows\Microsoft.NET\Framework\{version}\EventLogMessages.dll
    

    Note You should not grant write permission to the ASP.NET process account (or any impersonated account if your application uses impersonation) on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\ registry key. If you allow write access to this key and the account is compromised, the attacker can modify any log-related setting, including access control to the log, for any log on the system.
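The following is an added example, not code from the original Guidance Share page, showing the same installer class built in code instead of with the designer, together with the runtime check a Web application should make before it writes to the log. The source name "ContosoOrders" and the class names EventSourceInstaller and AuditLog are assumptions chosen for the example; the .NET Framework types used (EventLogInstaller, EventLog, Installer) are the real ones available in .NET Framework 1.1.

```csharp
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.Security;

// Install-time registration of an application-specific event source.
// Run by the Windows Installer (.msi) or by InstallUtil.exe, both of which
// execute with administrative privileges, so the key beneath
// HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application can be created.
[RunInstaller(true)]
public class EventSourceInstaller : Installer
{
    // Assumed source name for this example; use your own application's name.
    public const string SourceName = "ContosoOrders";
    public const string LogName = "Application";

    public EventSourceInstaller()
    {
        EventLogInstaller logInstaller = new EventLogInstaller();
        logInstaller.Source = SourceName;
        logInstaller.Log = LogName;
        // Adding the component to Installers is exactly what the designer does.
        // Install, Rollback and Uninstall are forwarded to it; the default
        // UninstallAction removes the source again when the product is uninstalled.
        Installers.Add(logInstaller);
    }
}

// Runtime side. The ASP.NET worker process identity can write to an existing
// source but cannot create one, so the application must never call
// EventLog.CreateEventSource itself: it checks and fails closed instead.
public class AuditLog
{
    public static bool SourceIsRegistered()
    {
        try
        {
            // SourceExists only reads the Eventlog hive; no write permission needed.
            return EventLog.SourceExists(EventSourceInstaller.SourceName);
        }
        catch (SecurityException)
        {
            // If the source is not found in the Application log, SourceExists goes on
            // to enumerate every log, including Security, which a non-administrative
            // account may not read. Treat that as "not registered" rather than crashing.
            return false;
        }
    }

    public static void WriteAuditEntry(string message, EventLogEntryType type, int eventId)
    {
        if (!SourceIsRegistered())
        {
            // Do not try to create the source here: under the worker process identity
            // the call fails, and granting the registry rights needed for it to succeed
            // would hand a compromised account control of every log's settings.
            throw new InvalidOperationException(
                "Event source '" + EventSourceInstaller.SourceName + "' is not registered. " +
                "Run InstallUtil.exe on the installer assembly as an administrator.");
        }
        EventLog.WriteEntry(EventSourceInstaller.SourceName, message, type, eventId);
    }
}
```

Compile the installer class into the Web application's assembly (or a separate installer assembly) and, for xcopy deployment, run InstallUtil.exe from the Framework directory against that assembly as an administrator; InstallUtil.exe /u reverses it. Keeping the failure path an exception rather than a silent fallback is deliberate: an audit trail that quietly stops being written is worse than a page error that an administrator notices.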

