Cannot read a Security Log from ASP.net web service

Ian Wright

I'm attempting to read the security event log for a WinXP Pro machine using
a web form that calls a web service. Both files are stored in the same
directory in IIS. The directory is set to use Windows Integrated security
and I've set up the web app to use impersonation with the local admin
account on a WinXP Pro box.

I get the following error though whenever I attempt to iterate over the
Entries collection of the EventLog object:

Cannot open log Security on machine .. Windows has not provided an error
code.

The application log and the system log can both be read though using the
same web service. I've altered the machine.config file to use both the
LOCAL and Administrator accounts with the same result. If I put the same
code into a Win form project, it works just fine and I'm able to view the
entries of the security log. Within the web method, I can see that the
current user making the request is the local administrator by using the
IIdentity interface of the User object. Explicitly impersonating the local
admin using objects of the System.Security namespace doesn't help either.

Signing the web service with sn.exe and putting it into the GAC has not
helped. I created a code permission that included full privileges to the
registry and event logs and set my sn assembly to use it, but the same error
occurs. Using Regmon.exe, I can see the requests to the registry keys that
are made, but no error messages are reported.

Can anyone provide suggestions for a fix?
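The managed exception in this thread ("Windows has not provided an error code") hides the real reason the open failed. The following diagnostic is an added example, not code from the thread or from any of the posters: it calls the same advapi32 functions that System.Diagnostics.EventLog uses internally, but with SetLastError so the raw Win32 status is visible, and it reports the thread token that actually made the call rather than the HttpContext user. The class and method names are mine; the error codes 5 (ERROR_ACCESS_DENIED) and 1314 (ERROR_PRIVILEGE_NOT_HELD) are standard Windows values.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added diagnostic helper (hypothetical name, not from the thread).
// Opens an event log with the raw Win32 API so the failure code is not lost.
public static class SecurityLogProbe
{
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern IntPtr OpenEventLog(string lpUNCServerName, string lpSourceName);

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool GetNumberOfEventLogRecords(IntPtr hEventLog, out uint numberOfRecords);

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool CloseEventLog(IntPtr hEventLog);

    public const int ERROR_ACCESS_DENIED = 5;        // ACL on the log denies the caller
    public const int ERROR_PRIVILEGE_NOT_HELD = 1314; // token lacks SeSecurityPrivilege

    // Returns a one-line report suitable for writing to a trace or a debug page.
    public static string Probe(string logName)
    {
        // This is the token the kernel sees. Under ASP.NET without impersonation it is
        // the worker process account, whatever HttpContext.User reports.
        string caller = WindowsIdentity.GetCurrent().Name;

        IntPtr handle = OpenEventLog(null, logName);
        if (handle == IntPtr.Zero)
        {
            int err = Marshal.GetLastWin32Error();
            string hint = err == ERROR_PRIVILEGE_NOT_HELD
                ? "the 'Manage auditing and security log' right is not in this token; "
                  + "user rights are applied at logon, so the worker process must be restarted"
                : err == ERROR_ACCESS_DENIED
                    ? "the caller is denied by the log's ACL"
                    : "unexpected failure";
            return string.Format("{0}: open of '{1}' failed, Win32 error {2} ({3}); {4}",
                caller, logName, err, new Win32Exception(err).Message, hint);
        }

        try
        {
            uint count;
            if (!GetNumberOfEventLogRecords(handle, out count))
            {
                int err = Marshal.GetLastWin32Error();
                return string.Format("{0}: opened '{1}' but cannot count records, Win32 error {2}",
                    caller, logName, err);
            }
            return string.Format("{0}: '{1}' opened, {2} record(s) readable", caller, logName, count);
        }
        finally
        {
            CloseEventLog(handle);
        }
    }
}
```

Call `SecurityLogProbe.Probe("Security")` from inside the web method and compare it with `Probe("Application")`, which the thread says already works. Reading the Security log needs SeSecurityPrivilege in the calling token, and privileges are assigned when the token is created at logon, so granting the user right and then reusing the already-running worker process still yields 1314 until the process is restarted.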
 
Eric Marvets

It's all about the process identity. You could put the ASPNET account in the
Administrators group and it would work, but that's a security risk.

Here's what you do. Open regedit. Find
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security' and
go to Edit -> Permissions. Give the ASPNET account full control to this
key.

--
Eric Marvets
Principal Consultant

the bang project

<shameless self promotion>

Email (e-mail address removed) for Information on Our Architecture and
Mentoring Services

</shameless self promotion>
 
Ian Wright

Good suggestion, but I tried that a little earlier just to see if it would
work (and yes, it's a very bad idea to grant that permission to the ASPNET
account). Anyway, the error is still the same. It looks to me as though
it's just a defect in the runtime/IIS. Maybe MS just decided to lock down
the security log so that nothing even remotely related to the ASPNET process
can touch it.

Here's the error I get after adding the ASPNET account to the Admin group:

Cannot open log Security on machine .. Windows has not provided an error
code.

at System.Diagnostics.EventLog.OpenForRead()
at System.Diagnostics.EventLog.get_EntryCount()
at System.Diagnostics.EventLogEntryCollection.get_Count()
at System.Diagnostics.EntriesEnumerator.MoveNext()
at EventLogArchiver.ServerEventLogReader.GetServerEvents(String LogName) in
c:\inetpub\wwwroot\EventLogArchiver\ServerEventLogReader.asmx.vb:line 71

TY Eric for taking the time to respond.
 
Eric Marvets

Have you turned on auditing and looked at the security or even the
application log for a better error message? I have had no problems doing
this in the past.

--
Eric Marvets
Principal Consultant

the bang project

<shameless self promotion>

Email (e-mail address removed) for Information on Our Architecture and
Mentoring Services

</shameless self promotion>
 
Ian Wright

There are no events recorded in either of the logs you mentioned that
have to do with my problem.

I looked at the Programming .NET Security book by Freeman and Jones. In
there, they point out that the security log requires a special permission
("Manage auditing and security log") in order to do certain operations (p.
514). Even after explicitly adding the ASPNET account to this user right
group though, it still fails with the same error. I've also added the
ASPNET account with Full Control rights to the registry key for the Services
stuff to no avail.

At this point, my hunch is that the functionality I need is broken as the
result of a recent MS security patch. The same error happens on both of my
WinXP machines. I'll try a Win2K box tomorrow. The thing that's so
frustrating is that even by granting the ASPNET account the highest privileges and
access to the system, the web service cannot enumerate through the log
collection. Perhaps service pack 2 addresses this bug.
 
Chris Rolon

The user account that ASP .Net runs under on the 1.1 framework is "Network
Service". Check to make certain that you have granted the right account the
necessary privileges.