Re: AspErrorsToNTLog no longer works in IIS6

From: Brian Lalonde (brianl_at_stcu.org)
Date: 03/10/05


Date: Thu, 10 Mar 2005 07:34:39 -0800

Am I to assume IIS6 no longer offers a way to audit VBScript errors?

David Wang [Msft] wrote:
>>Shouldn't this be the developer's decision?
>
>
> Yes, it is the developer's decision. We are simply making it disabled by
> default and forcing developers to actively enable it.
>
>
>>Is that the right link? I don't see how allowing users to log in
>>when the security log is full has any relevance.
>
>
> The security implication is that anonymous remote requests can be used to
> fill the event log and cause the server to stop responding (for very legal
> reasons -- failure to log to the event log results in lack of repudiation
> which in itself is a security vulnerability/violation).
>
>
>>As AspErrorsToNTLog is already off by default, I don't follow the
>>logic for further disabling it. Is event log performance significantly
>>worse than a database insert or appending to the IIS log?
>
>
> I would say that the prior design (allowing toggle of ASP Errors to event
> log instead of the normal log file) was flawed from a security perspective,
> so IIS6 is merely fixing it the right way (see my suggestion below).
> Furthermore, the Event Log locked itself down from anonymous/unprivileged
> event logging on WS03, so that is another change.
>
>
>>Here's what I'm missing: when I get a support call from a user,
>>they will not have the detailed error (either we hide it, or they
>>don't record it), so I used to be able to audit the error because
>>all errors were stored persistently. Now, I have no auditable
>>error log.
>
>
> How about using the web log file? You do log requests to your server(s),
> correct? All ASP errors are quite identifiable from the web log file, and
> it includes the offending URL as well as ASP error number (the same info you
> get with AspErrorsToNTLog). I'm sure with normal web logging plus Log
> Parser to query/search your log files, you can find your error information
> just as fast and with less security implications. I realize that this
> method is "different" than what you have gotten used to, but it should be
> comparable so please give it a try.
>
> Log Parser 2.2
> http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
>
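As an added illustration of the web-log approach David describes (this is not code from the thread, from Microsoft, or from Log Parser): a small Python reader for W3C extended log entries that picks out the ASP error records. It assumes the IIS convention of appending `|line|code|description` to the cs-uri-query field of a 500 response, and the log excerpt is constructed.

```python
"""Pull ASP script errors out of IIS W3C extended log lines.

Assumption (from IIS documentation, not stated in the thread): when an ASP
page fails, IIS appends "|<line>|<error code>|<description>" to the
cs-uri-query field of that request's log entry and records sc-status 500.
"""
import re

# Constructed sample excerpt, not a real server log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-10 07:34:39
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-03-10 07:34:39 192.0.2.10 GET /default.asp - 200
2005-03-10 07:34:41 192.0.2.10 GET /order.asp id=5|12|800a000d|Type_mismatch 500
2005-03-10 07:34:45 192.0.2.11 GET /missing.asp - 404
2005-03-10 07:35:02 192.0.2.12 POST /report.asp -|44|ASP_0113|Script_timed_out 500
"""

# Trailing "|line|code|description" marker that IIS adds to cs-uri-query.
ASP_ERROR = re.compile(r"\|(?P<line>\d+)\|(?P<code>[0-9A-Za-z_]+)\|(?P<desc>[^|\s]+)$")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]  # column names follow the directive
            continue
        if not raw or raw.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("record found before #Fields directive")
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        yield dict(zip(fields, values))


def asp_errors(text):
    """Return (time, uri, script line, error code, description) for each ASP error."""
    found = []
    for rec in parse_w3c(text):
        m = ASP_ERROR.search(rec.get("cs-uri-query", ""))
        if m and rec.get("sc-status") == "500":
            found.append((rec["time"], rec["cs-uri-stem"], m["line"], m["code"], m["desc"]))
    return found
```

With Log Parser 2.2 the same filter is roughly `logparser "SELECT time, cs-uri-stem, cs-uri-query FROM ex*.log WHERE sc-status = 500" -i:IISW3C`.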