Is it dangerous to change Windows Server 2008 EventLog security settings?
I have an ASP.NET application running on a Windows Server 2008 box with IIS 7. The application started on Windows Server 2003 with IIS 6.
When I changed servers I learned about how Microsoft changed the default settings for IIS 7 to be more secure. One of the changes was that the user account set as the identity for the Application Pool had to explicitly be given permission to read/write the Event Log.
My question is, if I give the local account (in this case NETWORK SERVICE) read/write ability on just the Application log inside of the event log, am I creating a security liability?
I can look at other methods for reporting on site conditions, but the Event Log was a nice way to do it back in the Windows Server 2003 days.
I personally don't see the problem with it. The Event Log is a perfect place to ... well.. log things.
Given the option to either grant write access on the Application log for NETWORK SERVICE, or change the local account your IIS site runs as to a more powerful user which has inherent rights to the event log, I would think granting access to NETWORK SERVICE would be a better approach.
We use the Event Log extensively in our web apps, but create a separate Log name for each application. This allows you to keep things tidy and grant very specific access.
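The per-application log approach described above, as an added example that is not part of the original posts: it pre-creates a dedicated log and source with administrator rights, then grants NETWORK SERVICE write-only access to that log alone. The name `MyWebApp` and the SDDL string are constructed assumptions; adjust both to your environment.

```powershell
# Added example. Run from an elevated PowerShell prompt on the web server.
# 'MyWebApp' is a hypothetical log/source name; substitute your application's.
$LogName = 'MyWebApp'
$Source  = 'MyWebApp'

# Registering a source needs administrator rights, so do it once at deploy
# time instead of letting the application pool identity attempt it at run time.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
}

# Write a first entry as administrator so the log is initialised and visible.
[System.Diagnostics.EventLog]::WriteEntry(
    $Source, 'Log created at deployment',
    [System.Diagnostics.EventLogEntryType]::Information, 1000)

# Event log access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
# Constructed SDDL (an assumption, not a vendor default):
#   SY (Local System)     0xf0007  full control
#   BA (Administrators)   0x7      read, write, clear
#   NS (NETWORK SERVICE)  0x2      write only; cannot read or clear
$Sddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x2;;;NS)'

# Apply the descriptor to this log only; the Application log is left untouched.
& wevtutil.exe sl $LogName "/ca:$Sddl"
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil failed with exit code $LASTEXITCODE"
}

# Print the log configuration; channelAccess should show the SDDL set above.
& wevtutil.exe gl $LogName
```

Granting `0x2` rather than `0x3` means a compromised application pool can append entries but cannot read back or clear what is already in the log.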