Security- access to Event Viewer

Guest

Hi Patrick

I am having a very similar problem with the (ASP.Net) Web Service I developed.

My WebService logs events into the event log. If I configure the Web Service (as a virtual directory) under the Default Site, everything is fine.

However, if I run it in a virtual directory under a different site it gives me exactly the same error you are getting.

Funny that I have compared all security related settings between the default and the other site and could not find any significant differences.

I think we both need good luck to find where the real problem lies.

Cheers

Behcet.
 
Steven Cheng[MSFT]

Hi Patrick,

Thanks for your effort!

I would like to double-check the following setting with you: have you
enabled "Impersonate=true" in the config file now?

Patrick, if we have not enabled Impersonate (Impersonate=false), the
aspnet_wp.exe will run with the account in <processmodel>. However, if we
have enabled "Impersonate=true", then the aspnet_wp.exe will run with the
authenticated user account or the anonymous account.

Please perform the following steps to check the settings:

If "Impersonate=false" in the config file:
---------------------------------------

Please make sure you have not modified the permissions for the "ASPNET"
account. By default, the ASPNET user account has access to write to the
application event log. You can also replace "machine" in <processmodel>
with another user account that has permission to write event entries, to
perform a test. Please let me know the result.

If "Impersonate=true" in the config file:
---------------------------------------

Please make sure the current logon user or anonymous account (if we enabled
"Anonymous" authentication for the web application) has write permission to
the Event log.

For detailed security settings for the event log, please check the following
article:

Event Logging Security
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/event_logging_security.asp

For more information about the security descriptor definition language (SDDL)
used for the setting, please also check the following information:

Security Descriptor Definition Language
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/security_descriptor_definition_language.asp

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
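To make the rule in the post above concrete, here is an added example (not code from the thread or from Microsoft) that reads the two configuration elements Steven refers to and reports which Windows account will end up opening the event log. The two XML strings are constructed samples, the function name Get-AspNetEffectiveIdentity is made up for this example, and the caller has to supply whether IIS anonymous access is on and whether the host is a domain controller, since neither is stored in the .NET config files.

```powershell
# Added example, not from the thread: derive the account an ASP.NET 1.x
# request runs as from <processModel> (machine.config) and <identity> (web.config).
# Both XML strings below are constructed samples, not files read from a server.

$machineConfigXml = @'
<configuration>
  <system.web>
    <processModel enable="true" userName="machine" password="AutoGenerate" />
  </system.web>
</configuration>
'@

$webConfigXml = @'
<configuration>
  <system.web>
    <identity impersonate="true" />
    <authentication mode="Windows" />
  </system.web>
</configuration>
'@

function Get-AspNetEffectiveIdentity {
    param(
        [string]$MachineConfig,
        [string]$WebConfig,
        [bool]$AnonymousAuthEnabled,   # IIS "Anonymous access" on the vdir (assumption: supplied by caller)
        [bool]$IsDomainController      # assumption: supplied by caller
    )
    $pm = ([xml]$MachineConfig).configuration.'system.web'.processModel
    $id = ([xml]$WebConfig).configuration.'system.web'.identity

    $impersonate = $false
    if ($id -and $id.impersonate -eq 'true') { $impersonate = $true }

    if (-not $impersonate) {
        # Impersonate=false: the worker process account itself writes the event.
        switch ($pm.userName) {
            'machine' {
                if ($IsDomainController) { 'IWAM_<machinename> (processModel "machine" on a domain controller)' }
                else                     { 'ASPNET (processModel "machine")' }
            }
            'system'  { 'LocalSystem (processModel "system")' }
            default   { "$($pm.userName) (explicit processModel account)" }
        }
    }
    elseif ($AnonymousAuthEnabled) {
        # Impersonate=true with anonymous access: the IIS anonymous account.
        'IUSR_<machinename> (anonymous account)'
    }
    else {
        # Impersonate=true with authenticated access: the caller's own account.
        'the authenticated Windows user of the request'
    }
}

Get-AspNetEffectiveIdentity -MachineConfig $machineConfigXml -WebConfig $webConfigXml `
    -AnonymousAuthEnabled $true -IsDomainController $false
```

With the sample inputs the function reports the anonymous account, which is the identity whose event log permissions Steven's second branch ("Impersonate=true") says to check; flipping impersonate to false moves the answer to the <processModel> account.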
 
Patrick

According to
http://msdn.microsoft.com/library/en-us/debug/base/event_logging_security.asp?frame=true ,
everyone could write to the Event Viewer!

After setting impersonate=true in machine.config and iisreset, I am still
getting System.InvalidOperationException: Cannot open log for source {0}.
You may not have write access.....

However, taking IWAM_Machine user out of the Guests Security group works!
We had a Domain Controller Security Policy "Restrict guest access to
Application Log" under Security Settings-> Event Log-> Settings for Event
Logs set to ENABLED.

Does the IWAM_Machine user need to be a member of the Guests group?
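The three things Patrick checked by hand (is the worker account in Guests, is "Restrict guest access to Application log" enforced, and does a write actually succeed) can be scripted. The following is an added example, not code from the thread; it assumes an elevated PowerShell session on the IIS host, the IIS 5 default account names IUSR_<machine> and IWAM_<machine> plus ASPNET, and that the policy is stored as the RestrictGuestAccess DWORD under the Application log's Eventlog registry key, which is where that Group Policy setting is written. The source name EventLogProbe is a constructed value for the write test.

```powershell
# Added example, not from the thread: reproduce the Guests / RestrictGuestAccess / write checks.
# Assumptions: elevated session on the IIS host, IIS 5 default account names.

$candidates = @("IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME", 'ASPNET')

# 1. Members of the local Guests group, via the WinNT ADSI provider so it also
#    works on old PowerShell versions that lack Get-LocalGroupMember.
function Get-GuestsMembers {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Guests,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# 2. Is "Restrict guest access to <log>" enforced?  Enabled = RestrictGuestAccess DWORD 1.
function Test-GuestAccessRestricted {
    param([string]$LogName = 'Application')
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
    $v = Get-ItemProperty -Path $key -Name RestrictGuestAccess -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.RestrictGuestAccess -eq 1)
}

# 3. Same call the web service makes; the source name is a constructed value.
#    A denied write surfaces as InvalidOperationException ("Cannot open log for source")
#    or, when the source must first be registered, as SecurityException.
function Test-EventLogWrite {
    param([string]$Source = 'EventLogProbe')
    try {
        [System.Diagnostics.EventLog]::WriteEntry($Source, 'probe', 'Information')
        return $true
    }
    catch [System.InvalidOperationException], [System.Security.SecurityException] {
        Write-Warning "Cannot write as source '$Source': $($_.Exception.Message)"
        return $false
    }
}

$guests = Get-GuestsMembers
foreach ($acct in $candidates) {
    "{0,-25} member of Guests: {1}" -f $acct, ($guests -contains $acct)
}
"RestrictGuestAccess on Application log: {0}" -f (Test-GuestAccessRestricted)
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
"Write as $me succeeded: {0}" -f (Test-EventLogWrite)
```

Run the write test under the account the application actually uses (for example with runas) rather than as an administrator; an administrator's successful write says nothing about IWAM or ASPNET. A "True" for Guests membership together with "True" for RestrictGuestAccess is exactly the combination Patrick describes.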
 
Patrick

Also wonder what the effect would be if I "move" the Logging code to a Class
Library and call a public method in the class library from the ASP.NET code
to do the logging?
 
Vilmar

Hey guys,
I am so sorry for my mistake, but a friend of mine who works with .NET told
me that.
Thanks for the correction, guys.
 
Felix Wang

Hi Patrick,

I don't think this makes any differences, unless the class library is
working as a serviced component, or something similar.

Regards,

Felix Wang
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Felix Wang

Hi Patrick,

By default, it is the IUSR account that is a member of the Guests group.
You may refer to the following article for more information on the IWAM
account:

Changes to the IWAM Account in IIS 5.0
http://support.microsoft.com/?id=236855

I hope the information is useful to you.

Regards,

Felix Wang
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Patrick

On a fresh build of IIS 5.0 on Win2K SP4, both IUSR_machineName and
IWAM_MachineName are members of the built-in Guests group. The article
listed below does not mention group membership, but I wonder if there
would be any other undesirable "side effects" if I take IWAM_machinename out
of the Guests group?
 
Steven Cheng[MSFT]

Hi,

By default on Windows 2000, the worker process for ASP.NET will run with the
account "ASPNET".

However if you install the .NET Framework version 1.1 on a domain
controller, the installation does not create the local ASPNET account.
Instead, ASP.NET applications run under other identities. On Windows 2000
domain controller servers, ASP.NET applications run under the
IWAM_machinename identity.

Please check if this is a domain controller. If this is a domain
controller, please make sure the IWAM and IUSR accounts have the
appropriate rights:

Access this computer from the network: IUSR_machinename and IWAM_machinename

Log on as a batch job: IUSR_machinename and IWAM_machinename

Log on locally: IUSR_machinename

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
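The three user rights Steven lists can be verified against the effective local policy rather than by clicking through the Local Security Policy console. This is an added example, not code from the thread; it assumes an elevated session on the server, that secedit.exe is available (it ships with Windows 2000 and later), the IIS 5 default account names, and the standard privilege constants SeNetworkLogonRight, SeBatchLogonRight and SeInteractiveLogonRight for the three rights in the post.

```powershell
# Added example, not from the thread: check the user rights Steven lists for
# the IIS accounts on a domain controller by exporting the effective policy.
# Assumptions: elevated session, secedit.exe present, IIS 5 default account names.

$rightsToCheck = @{
    'SeNetworkLogonRight'     = @("IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME")  # Access this computer from the network
    'SeBatchLogonRight'       = @("IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME")  # Log on as a batch job
    'SeInteractiveLogonRight' = @("IUSR_$env:COMPUTERNAME")                            # Log on locally
}

# Export the local security policy and parse its [Privilege Rights] section.
function Get-UserRightAssignments {
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $tmp /quiet | Out-Null
    $map = @{}
    $inSection = $false
    foreach ($line in Get-Content $tmp) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            # Holders are comma-separated; SIDs carry a leading '*', names are plain.
            $map[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return $map
}

# Translate '*S-1-...' entries to account names so they compare with our list.
function Resolve-RightHolder {
    param([string]$Entry)
    if ($Entry -like '*S-1-*') {
        try {
            $sid = New-Object Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
            $sid.Translate([Security.Principal.NTAccount]).Value
        }
        catch { $Entry }   # unresolvable SID: keep the raw entry
    }
    else { $Entry }
}

$assigned = Get-UserRightAssignments
foreach ($right in $rightsToCheck.Keys) {
    $holders = @($assigned[$right] | ForEach-Object { Resolve-RightHolder $_ })
    foreach ($acct in $rightsToCheck[$right]) {
        $has = @($holders | Where-Object { $_ -eq $acct -or $_ -like "*\$acct" }).Count -gt 0
        "{0,-24} {1,-22} {2}" -f $right, $acct, $(if ($has) { 'granted' } else { 'MISSING' })
    }
}
```

A MISSING line for SeBatchLogonRight on IWAM_<machine> is the one to look at first: without "Log on as a batch job" the worker process cannot be started under that identity at all, which fails well before any event log write.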
 