Auditing and Logging


Auditing and logging should be performed across the tiers of your application to avoid potential repudiation threats where users deny performing certain transactions or key operations.

Audit User Transactions

If your Web application or Web service is configured for impersonation, the identity of the original caller automatically flows to an Enterprise Services application and is available using SecurityCallContext.OriginalCaller. This is useful for auditing in the middle tier. The following code shows how to access this information:

    using System;
    using System.Diagnostics;
    using System.EnterpriseServices;
    using System.Security;

    [ComponentAccessControl]
    public class YourServicedComponent : ServicedComponent
    {
        // Event source and log names; substitute the names used by your application.
        private const string appName = "YourServicedComponent";
        private const string eventLog = "Application";

        public void ShowCallers()
        {
            // Walk the full chain of callers recorded in the security call context.
            SecurityCallers callers = SecurityCallContext.CurrentCall.Callers;
            foreach (SecurityIdentity id in callers)
            {
                LogEvent(id.AccountName);
            }
        }

        private void LogEvent(string message)
        {
            try
            {
                // Creating the source at run time requires write access to the
                // Eventlog registry key for the serviced component process account.
                if (!EventLog.SourceExists(appName))
                {
                    EventLog.CreateEventSource(appName, eventLog);
                }
                EventLog.WriteEntry(appName, message, EventLogEntryType.Information);
            }
            catch (SecurityException secex)
            {
                throw new SecurityException(
                    "Event source does not exist and cannot be created.", secex);
            }
        }
    }

To successfully write to the event log, an event source must exist that associates the Enterprise Services application with a specific event log. The above code creates the event source at run time, which means that the serviced component process account must have the relevant permissions in the registry.

Task: To enable the serviced component process identity to create event sources

  • Use regedt32.exe to update the permissions on the following registry key to grant access to the serviced component process account:

     HKLM\SYSTEM\CurrentControlSet\Services\Eventlog 

    The account(s) must have the following minimum permissions:

    • Query key value

    • Set key value

    • Create subkey

    • Enumerate subkeys

    • Notify

    • Read

An alternate strategy is to use an Installer class and create the event source for the application at installation time, when administrator privileges are available. For more information about this approach, see "Auditing and Logging" in Chapter 10 "Building Secure ASP.NET Web Pages and Controls."
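The installer approach, as an added example that is not code from the book: an Installer class registers the event source with EventLogInstaller at installation time, and a serviced component then audits each transaction by writing a SuccessAudit entry that names both OriginalCaller and DirectCaller. The source name, log name and transaction method are assumed placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.EnterpriseServices;

// Registers the event source at installation time, when the installer runs
// with administrator privileges, so the serviced component's process account
// needs no write access to the Eventlog registry key at run time.
[RunInstaller(true)]
public class AuditEventSourceInstaller : Installer
{
    // Assumed names; substitute your application's event source and log.
    public const string SourceName = "YourServicedComponentApp";
    public const string LogName = "Application";

    public AuditEventSourceInstaller()
    {
        EventLogInstaller logInstaller = new EventLogInstaller();
        logInstaller.Source = SourceName;
        logInstaller.Log = LogName;
        Installers.Add(logInstaller);
    }
}

// Audits each transaction with both the original caller (the identity that
// flowed from the Web tier through impersonation) and the direct caller (the
// process identity that invoked this component).
[ComponentAccessControl]
public class AuditedComponent : ServicedComponent
{
    public void DoTransaction(string transactionId)
    {
        SecurityCallContext ctx = SecurityCallContext.CurrentCall;
        if (!ctx.IsSecurityEnabled)
        {
            // Without role-based security there is no caller chain to audit.
            throw new InvalidOperationException(
                "Component security must be enabled to audit callers.");
        }
        string entry = String.Format(
            "Transaction {0}: original caller={1}; direct caller={2}",
            transactionId, ctx.OriginalCaller.AccountName,
            ctx.DirectCaller.AccountName);
        // Write only; the source already exists because the installer created it.
        EventLog.WriteEntry(AuditEventSourceInstaller.SourceName, entry,
            EventLogEntryType.SuccessAudit);
    }
}
```

Run the installer with installutil.exe under an administrative account; after that the component process account only needs to write entries, never to create the source.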




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
