ASP.NET 2.0 Security Practices - Auditing and Logging

From Guidance Share


How to use health monitoring in ASP.NET

You can use the health monitoring feature introduced in ASP.NET version 2.0 to instrument key application events. You can choose where to log events by configuring an appropriate provider. You can instrument built-in events or create custom events by deriving from one of the provided base events to monitor specific business logic or operations in your Web application. By default, health monitoring tracks all Web infrastructure error events (inheriting from System.Web.Management.WebErrorEvent) and all audit failure events (inheriting from System.Web.Management.WebFailureAuditEvent). You need to identify the additional security-related events that you want to instrument.

To configure health monitoring:

1. In Web.config, configure the events that you want to instrument by using the <eventMappings> element, specifying a user-friendly name and the type of the event. You can configure event mappings for custom events and for any of the standard events in System.Web.Management, such as WebFailureAuditEvent and WebAuthenticationFailureAuditEvent.

2. Configure the provider that you want to use as your event sink by using a <providers> element, specifying a user-friendly name and the type of the provider. Providers are supported for SQL Server, the Windows event log, WMI, e-mail, and trace. You can also create custom providers.

3. Configure the <profiles> element by specifying the following:

   minInstances. The minimum number of occurrences after which the event is logged.

   maxLimit. The maximum number of occurrences to be logged.

   minInterval. The minimum interval between two logged occurrences of the same event.

   Note that this step is optional because you can specify the same information in a <rules> configuration. By using a <profiles> element, you benefit from reuse because you can apply the same profile to multiple rules.

4. Configure the <rules> element, specifying the event name, the provider name, and the profile name. You can name the profile to be used, or you can configure the profile information for a rule by setting minInstances, maxLimit and minInterval directly on the <rules> element. The following configuration file example shows the structure of a typical health monitoring configuration.

<configuration>
  <system.web>
    .....
    <healthMonitoring
      enabled="true|false"
      heartbeatInterval="time interval">
      <bufferModes>...</bufferModes>
      <providers>...</providers>
      <eventMappings>...</eventMappings>
      <profiles>...</profiles>
      <rules>...</rules>
    </healthMonitoring>
    .....
  </system.web>
</configuration>
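A filled-in Web.config for the four steps above, added here as an example and not taken from the original article: it maps the built-in WebAuthenticationFailureAuditEvent to a friendly name, adds a SQL Server provider as a second sink next to the event log, and defines an unthrottled profile so that repeated logon failures are each recorded rather than collapsed by minInterval. The connection string name, provider name, profile name and rule names are placeholders chosen for this example; the "All Errors" mapping it references is the one machine.config already defines.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder: the database must be prepared with aspnet_regsql.exe -W,
         and the ASP.NET process account needs a SQL login with rights on it -->
    <add name="HealthMonitoringDb"
         connectionString="Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <healthMonitoring enabled="true" heartbeatInterval="0">
      <eventMappings>
        <!-- Friendly name for the built-in authentication failure audit event -->
        <add name="Authentication Failures"
             type="System.Web.Management.WebAuthenticationFailureAuditEvent,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
             startEventCode="0" endEventCode="2147483647" />
      </eventMappings>
      <providers>
        <!-- SQL Server sink, in addition to the EventLogProvider that machine.config registers -->
        <add name="SecuritySqlProvider"
             type="System.Web.Management.SqlWebEventProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="HealthMonitoringDb"
             maxEventDetailsLength="1073741823"
             buffer="false" bufferMode="Notification" />
      </providers>
      <profiles>
        <!-- minInterval 00:00:00: every occurrence is written, so a burst of failed
             logons shows up as a burst instead of one entry per interval -->
        <add name="Unthrottled" minInstances="1" maxLimit="Infinite" minInterval="00:00:00" />
      </profiles>
      <rules>
        <!-- Rule that references a named profile -->
        <add name="Authentication Failures to SQL"
             eventName="Authentication Failures"
             provider="SecuritySqlProvider"
             profile="Unthrottled" />
        <!-- Rule that sets the throttling values inline instead of naming a profile;
             "All Errors" is the mapping machine.config already defines -->
        <add name="All Errors to SQL"
             eventName="All Errors"
             provider="SecuritySqlProvider"
             minInstances="1" maxLimit="Infinite" minInterval="00:01:00" />
      </rules>
    </healthMonitoring>
  </system.web>
</configuration>
```

The default "Failure Audits Default" rule in machine.config still sends the same failure audits to the event log, so the SQL copy is additional, not a replacement.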

For more information, see How To: Use Health Monitoring in ASP.NET 2.0.

How to write to the event log

By default, ASP.NET applications that run under the default Network Service identity can write to the Windows event log by using an existing event source, but they cannot create new event sources. If your application needs to use application-specific event sources, you should create them at installation time, when administrator privileges are available. A good approach is to use a .NET installer class, which can be instantiated by the Windows Installer (if you are using .msi deployment) or by the InstallUtil.exe system utility.

If you are unable to create event sources at installation time, the administrator should manually create the new event source entry at deployment time beneath the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>

Note You should not grant write permission to the ASP.NET process account (or any impersonated account if your application uses impersonation) on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\ registry key. If you allow write access to this key and the account is compromised, the attacker can modify any log-related setting, including access control to the log, for any log on the system.

Note When you use the event log provider with ASP.NET health monitoring, events are logged by using an event source named "ASP.NET xxxxxx", where xxxxxx represents the .NET Framework version number. This event source is created when you install the .NET Framework. This is not configurable, and you cannot change the event source used by health monitoring events.
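An installer class of the kind described above, added as an example and not code from the original article, together with the runtime call the application makes against the source the installer created; MyWebAppInstaller, MyWebApp and SecurityAudit are placeholder names chosen for this example.

```csharp
// Added example (not from the original page). The installer runs with administrator
// rights (Windows Installer custom action or InstallUtil.exe) and creates the source;
// at runtime the ASP.NET process account only writes to the existing source.
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;

[RunInstaller(true)]
public class MyWebAppInstaller : Installer
{
    public const string SourceName = "MyWebApp";   // placeholder source name
    public const string LogName = "Application";  // placeholder log name

    public MyWebAppInstaller()
    {
        // EventLogInstaller writes the source entry under
        // HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName> during Install
        // and removes it again on Uninstall or Rollback.
        EventLogInstaller sourceInstaller = new EventLogInstaller();
        sourceInstaller.Source = SourceName;
        sourceInstaller.Log = LogName;
        Installers.Add(sourceInstaller);
    }
}

// Runtime side: write to the pre-created source. Do not call EventLog.SourceExists
// or EventLog.CreateEventSource from the web application; both need registry
// rights that the Network Service identity does not (and should not) have.
public static class SecurityAudit
{
    public static void LogAuthorizationFailure(string userName, string clientAddress)
    {
        string message = String.Format(
            "Authorization failure for user '{0}' from {1}", userName, clientAddress);
        // Failure audits stand out in Event Viewer and in collectors that filter on entry type
        EventLog.WriteEntry(MyWebAppInstaller.SourceName, message,
                            EventLogEntryType.FailureAudit, 1001);
    }
}
```

Running InstallUtil.exe against the compiled assembly from an elevated prompt executes the installer; if the source does not exist at runtime, EventLog.WriteEntry tries to create it and fails under Network Service, which is the symptom to look for when deployment skipped this step.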


For more information on auditing and logging, see How To: Instrument ASP.NET 2.0 Applications for Security.
