Writing to the Event Log from ASP.NET fails when running on Windows Server 2003 SP1

2005-07-20 james 13 comments

You have an ASP.NET application running on your Windows Server 2003 and you’re merrily logging events to the Application Event Log (or any event log for that matter). Then you upgrade to Windows Server 2003 SP1 and see something like this:

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application’s trust level in the configuration file.

Exception Details: System.Security.SecurityException: Requested registry access is not allowed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Requested registry access is not allowed.]
   Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) +473
   System.Diagnostics.EventLog.CreateEventSource(String source, String logName, String machineName, Boolean useMutex) +443
   System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +348
   System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category) +21
   AspNetTest.WebForm1.Page_Load(Object sender, EventArgs e) in c:\dev\aspnettest\webform1.aspx.cs:23
   System.Web.UI.Control.OnLoad(EventArgs e) +67
   System.Web.UI.Control.LoadRecursive() +35
   System.Web.UI.Page.ProcessRequestMain() +2112
   System.Web.UI.Page.ProcessRequest() +218
   System.Web.UI.Page.ProcessRequest(HttpContext context) +18
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

What happened? The problem is caused by Microsoft tightening up security around the event logs in Windows Server 2003 SP1. (See the section entitled “Tighter ACLs on Event Logs”.)Tightening security is a good idea, but logging events to the event log from an ASP.NET application is a rather common thing to do. So how do we re-enable the ability of ASP.NET to write to the event log?

I have seen information on the web, the sources of which shall remain nameless to protect the seriously misled, that basically tells you to modify your ASP.NET process identity in machine.config from machine to system so that your application can write to the event log. What a collosally bad idea! What’s so bad about this? Imagine that you’re going away for holidays and you ask a friend to water your plants. You realize that your friend cannot open the locked front door. So what do you do? You leave the door unlocked for two weeks while you’re away. That way your friend can get in and water the plants. Does this sound reasonable to you? Of course not. You give your friend a key to get into the house.

So how do you give ASP.NET a key to the event log? I’m glad you asked. There is a custom security descriptor on each event log that determines which users can access that particular event log. Where is this custom security descriptor stored? In the registry of course. So fire up regedt32 and browse to the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\{logName}\CustomSD

where {logName} is Application in our case. You should see a string value that looks like:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

What the heck is this? It’s Security Descriptor Description Language (SDDL), my dear Watson. SDDL is a text-based (and human authorable, believe it or not) representation of a security descriptor.

What does it mean in simple terms? The first part is some general information about the security descriptor:

O:BA	Object owner is built-in administrators
G:SY	Primary Group is SYSTEM
D:	This is a discretionary access control list (DACL) as opposed to a SACL or audit entry

Next come the access control entries (ACE). I’ll only talk about the fields needed for the custom security descriptor on the event logs. You can find full information about the ACE format here. First is allow (A) or deny (D). Hex number in the middle is a permissions bitmask:

0x1	READ
0x2	WRITE
0x4	CLEAR
0xf000	DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER

Last comes the SID, which has abbreviated forms for most common built-in accounts.

So here are the ACEs:

(D;;0xf0007;;;AN)	Deny everything to Anonymous
(D;;0xf0007;;;BG)	Deny everything to Builtin Guests
(A;;0xf0007;;;BA)	Allow everything to Builtin Administrators
(A;;0x7;;;SO)	Allow read, write, and clear to Server Operators
(A;;0x3;;;IU)	Allow read and write to Interactive Users
(A;;0x3;;;SU)	Allow read and write to Service Accounts*
(A;;0x3;;;S-1-5-3)	Allow read and write to Batch Accounts*

* These two are not an actual groups, but are flags in the security token, which can be configued by local or group security policy.

You’ll notice that Network Service isn’t mentioned anywhere on that list. Simply add (A;;0x3;;;NS) to the end of the list and Network Service will be permitted read and write access to the event log. Note that if you are using impersonation (<identity impersonate=”true” /> in your web.config), the event log access will be done under the credentials of the impersonated user. In this case, you’ll want to permit authenticated users read and write access, which can be done using (A;;0x3;;;AU). You should now be merrily writing to the event logs from your ASP.NET applications with your security intact.

Afterword: After writing this blog post, I discovered that Dominick Baier has a blog entry about the same problem. Dominick is extremely knowledgeable about all things security on the Windows platform. If you haven’t subscribed to his RSS feed, do so now!

Edit: I originally attributed the information on http://www.leastprivilege.com to Keith Brown. I feel so embarassed. Keith’s blog is http://www.pluralsight.com/blogs/Keith. Both Keith and Dominick are definitely Windows security gurus. I highly recommend subscribing to both of their blogs! Sorry, guys!

How to Reproduce this Error

To reproduce the problem, create a new event source called “AspNetTest” that can write to the local Application log by running the following code in a console app as a local administrator:

string sourceName = “AspNetTest”;

string logName = “Application”;

string machineName = “.”;

if(!EventLog.SourceExists(sourceName, machineName)) {

    EventLog.CreateEventSource(sourceName, logName, machineName);

}

Create an ASP.NET web application using the wizard and add the following two lines to Page_Load of WebForm1:

private void Page_Load(object sender, System.EventArgs e) {

    EventLog log = new EventLog(“Application”, “.”, “AspNetTest”);

    log.WriteEntry(“Writing from AspNetTest application”, EventLogEntryType.Information, 42, 42);

}

When run on Windows Server 2003 SP1, you will see a security exception like the one above. Modify the CustomSD on the Application event log and browse to WebForm1.aspx again. The web application will successfully write into the event log, which you can verify using the Event Viewer.

ASP.NET none

#1 | Written by dominick about 19 years ago. Reply

btw – i am not keith brown – but thanks for the "knowledgeable"… 🙂

dominick
#2 | Written by James Kovacs about 19 years ago. Reply

Apologies, Dominick. I keep your blogs beside each other in my RSS reader and got my Windows security gurus mixed up. Problem corrected. I hope you’ll forgive me.
#3 | Written by T. Confused. about 18 years ago. Reply

Ok, I added (A;;0x3;;;NS) to the registry key, rebooted the server, and it still won’t write to the event log, even though it writes to the event log in Windows XP, but not Win 2003 Sp1???
#4 | Written by Steve Hall about 17 years ago. Reply

Hello James, thanks for the clear post. One addition for us was to set the .net impersonation=false in the webservice web.config before it could write to the log.
#5 | Written by James Kovacs about 17 years ago. Reply

Good point, Steve, regarding turning off impersonation. With impersonation on, you will be writing to the event log as the incoming user. If you need to use impersonation, you could ACL the event log as above except use some group account that application users belong to rather than Network Service.
#6 | Written by Stan Chu about 17 years ago. Reply

We’ve had the same problem and we have impersonation=true in our web.config.

The account that the application runs under is the IUSR_<machine_name> account. This account by default belongs to the Guests group. The Guests group (as per the CustomSD setting) is denied access to access the eventlog. Figuring this out finally fixed the problem.

However, a question comes to mind. Is it better to change the permissions for the Built-in Guests group in CustomSD (to give the group access) or should we remove this IUSR_<machine_name> account from the Guests group? I’m thinking the first one would better as the second would open up the IUSR_<machine_name> account.
#7 | Written by James Kovacs about 17 years ago. Reply

That’s correct, Stan. If you have impersonate="true" in web.config and anonymous enabled in IIS, the incoming user will be IUSR_<machine_name>. If possible, I would set impersonate="false" in this scenario, which would then cause writes to the event log under the Network Service. If that’s not possible, I would probably remove IUSR_<machine_name> from the Guests group as I wouldn’t want to give the Guests group permission to write to the event log. Removing IUSR_<machine_name> from Guests just means that ACLs applied to Guests no longer apply to IUSR_<machine_name>. You can always explicitly add those ACLs to IUSR_<machine_name>.
#8 | Written by Sherry about 17 years ago. Reply

Thanks so much for this useful post!!! It resolved my problem immediately… I’ve been scouring the net all week for a solution.
#9 | Written by GR about 16 years ago. Reply

James,
Thanks for this posting it describes the issue & resolution clearly.
When I follow the steps for "(A;;0x3;;;AU)" it works fine. However I get an error when I use "(A;;0x3;;;NS)" which is a problem as our application (MOSS 2007) is running under the Network Service.

Any ideas why?
Thanks
#10 | Written by Arto Kainu about 14 years ago. Reply

Hi James,
I just found your article because of having this kind of difficulties on Windows X P(SP3). I tried to find out the registry key but there’s no such key. So Win XP doesn’t have this at all? But still I’m not able to write to the event log from my asp.net application. Any ideas why is that?

— Arto
#11 | Written by rickybadboy.blogspot.com about 14 years ago. Reply

One addition for us was to set the .net impersonation=false in the webservice web.config before it could write to the log.
#12 | Written by www.google.com/accounts/o8/id?id=AItOawlScACVByeO5VTSN4zqUYfyJvA8ACOF-Ao about 14 years ago. Reply

Hi Friends,
I am new here and really enjoyed this article.
I got lots of information from here, and do keep us update.
With some more stuffs.
#13 | Written by Peter Lewis about 13 years ago. Reply

Hi, thanks for the very useful info. It’s new and news to me. One question: is a reboot needed after making the changes? I have made a change on a production server but it doesn’t seem to have effect. I can’t tell whether there’s an error in my change or whether the change is not taking effect yet.

Thanks.

James Kovacs' Weblog

Recent Posts

Browse by Tags

Archives

Categories

Writing to the Event Log from ASP.NET fails when running on Windows Server 2003 SP1

Leave a Comment