I have an ASP.NET application running on a Windows Server 2008 box with IIS 7. The application started on Windows Server 2003 with IIS 6.

When I changed servers I learned about how Microsoft changed the default settings for IIS 7 to be more secure. One of the changes was, the user account set as the identity for the Application Pool had to explicitly be given permission to read/write the Event Log.

My question is, if I give the local account (in this case NETWORK SERVICE) read/write ability on just the Application log inside of the event log, am I creating a security liability?

I can look at other methods for reporting on site conditions, but the Event Log was a nice way to do it back in the Windows Server 2003 days.

+1  A: 

I personally don't see the problem with it. The Event Log is a perfect place to ... well.. log things.

Given the option to either grant write access on the Application log for NETWORK SERVICE, or change the local account your IIS site runs as to a more powerful user which has inherent rights to the event log, I would think granting access to NETWORK SERVICE would be a better approach.

We use the Event Log extensively in our web apps, but create a separate Log name for each application. This allows you to keep things tidy and grant very specific access.

KP
I would agree that it is the better of your two options, but I could also set up a system to email an admin when something happens that should be noted, and that would not take any account privilege changes. It would though take more coding, hence why if this isn't a real security problem I would prefer to just give the account access. Thanks!
Justin C
Yeah I'd agree. We use both email and event logging, but I prefer there always to be an event log, in case any email issues occur where the issue cannot be sent. Your other option is to log to a text file within the site architecture (`~/Logs/mylog.txt` for example). In most cases no extra security privileges are required.
KP
So all that said, why would the default setup change in IIS 7? I was assuming that the change was because there were potential security concerns with having an IIS account that has rights over the Event Log. I just can't seem to think about what the security risk is.
Justin C
I agree. I don't really see the big security risk. I think MS is simply trying to be more proactive, and locking everything down better by default. Even though it takes a bit of work after the fact to 'open' things up, it allows you to make very specific changes only where needed. It's easier then to fine tune security to your needs, rather than having everything wide open by default, which seemed to be their old mantra...
KP
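
The per-application log described in the answer, set up as an added example (not code from the original thread): an elevated deployment step creates the log and source, then adds a write-only ACE for NETWORK SERVICE to that one log. The log name `MyWebApp` and source name `MyWebApp.Site` are hypothetical, and the example assumes the site only needs to write entries, not read or clear them.

```powershell
# Run once from an elevated prompt at deployment time, not from the web app.
# $LogName and $Source are hypothetical names chosen for this example.
$LogName = 'MyWebApp'
$Source  = 'MyWebApp.Site'
# SDDL ACE: allow, access mask 0x2 = write only (0x1 = read, 0x4 = clear),
# trustee NS = NETWORK SERVICE (S-1-5-20).
$Ace     = '(A;;0x2;;;NS)'

# Registering a source requires administrator rights, so it is done here.
# The application pool identity then never needs rights to create sources.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
}

# Read the log's current security descriptor as reported by wevtutil.
$sddl = $null
foreach ($line in (wevtutil gl $LogName)) {
    if ($line -match '^\s*channelAccess:\s*(\S+)') { $sddl = $Matches[1] }
}
if (-not $sddl -or $sddl -notmatch 'D:') {
    throw "No DACL reported for log '$LogName'; leaving it unchanged."
}

if ($sddl -match ';;;(NS|S-1-5-20)\)') {
    # An ACE for NETWORK SERVICE already exists; review it by hand
    # instead of stacking a second one on top.
    Write-Output "NETWORK SERVICE already has an ACE on ${LogName}: $sddl"
}
else {
    # Insert the ACE at the end of the DACL. If a SACL ("S:") follows the
    # DACL, the ACE must go before it, not at the end of the string.
    $parts   = $sddl -split '(?<=\))(?=S:)', 2
    $newSddl = $parts[0] + $Ace
    if ($parts.Count -gt 1) { $newSddl += $parts[1] }

    wevtutil sl $LogName "/ca:$newSddl"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed to update '$LogName'." }

    # Show the descriptor now in effect so the change can be recorded.
    wevtutil gl $LogName | Where-Object { $_ -match 'channelAccess' }
}
```

Because the ACE is scoped to the dedicated log, the Application, System and Security logs keep their default descriptors.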