What security events does health monitoring log by default?

From Guidance Share


J.D. Meier, Prashant Bansode, Alex Mackman

Answer

By default, health monitoring audits critical security events: those of type WebErrorEvent and WebFailureAuditEvent (including its descendants, WebAuthenticationFailureAuditEvent and WebViewStateFailureAuditEvent). These events are logged to the Windows event log.

WebAuthenticationFailureAuditEvent is logged for Forms-based authentication failures, Membership authentication failures caused by invalid user credentials, and requests that pass an expired or invalid authentication ticket. It can be used to identify dictionary attacks, brute force attacks, and so on.

WebViewStateFailureAuditEvent is logged for invalid view state failures. It can be used to identify ViewState tampering.

WebFailureAuditEvent is logged for authorization failures when accessing files, folders, or any other resources to which users don't have access. It can be used to identify attacks on the application.

WebErrorEvent is logged for any error that occurs during application compilation and execution, including configuration errors. It can be used to identify changes made to the application by an attacker.
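The following triage script is an added example, not code from the authors of this page. It groups exported event descriptions by the failure audit classes described above and flags client addresses with repeated authentication failures. The event codes come from System.Web.Management.WebEventCodes; the field labels ("Event code:", "User host address:"), the threshold of 3, and the sample entries are assumptions constructed for illustration.

```python
from collections import Counter

# Failure-audit codes from System.Web.Management.WebEventCodes, mapped to the
# event class the answer above names for them.
AUDIT_CODES = {
    4005: "WebAuthenticationFailureAuditEvent",  # forms authentication failure
    4006: "WebAuthenticationFailureAuditEvent",  # membership credential failure
    4007: "WebFailureAuditEvent",                # URL authorization failure
    4008: "WebFailureAuditEvent",                # file authorization failure
    4009: "WebViewStateFailureAuditEvent",       # invalid view state
}

# Constructed sample data: (event code, client address) pairs rendered with the
# field labels assumed for exported event descriptions. 1002 is a non-audit event.
_CONSTRUCTED = [(4006, "203.0.113.7")] * 3 + [
    (4005, "198.51.100.4"), (4009, "198.51.100.4"),
    (4007, "192.0.2.9"), (1002, ""),
]
SAMPLE = "\n\n".join(
    f"Event code: {code} \nEvent message: (constructed) \n\n"
    f"Request information: \n    User host address: {host} "
    for code, host in _CONSTRUCTED
)

def parse_events(text):
    """Return one {'code', 'host'} dict per entry; an entry starts at 'Event code:'."""
    events, current = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Event code" and value.strip().isdigit():
            current = {"code": int(value), "host": "unknown"}
            events.append(current)
        elif key == "User host address" and current is not None:
            current["host"] = value.strip() or "unknown"
    return events

def summarize(text, threshold=3):
    """Count audited failures per event class; flag hosts with repeated auth failures."""
    per_class, auth_by_host = Counter(), Counter()
    for event in parse_events(text):
        event_class = AUDIT_CODES.get(event["code"])
        if event_class is None:
            continue  # not one of the failure audits covered here
        per_class[event_class] += 1
        if event_class == "WebAuthenticationFailureAuditEvent":
            auth_by_host[event["host"]] += 1
    flagged = sorted(h for h, n in auth_by_host.items() if n >= threshold)
    return dict(per_class), flagged

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
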


More Information

For more information on the events that you should monitor from a security perspective, see "How To: Instrument ASP.NET 2.0 Applications for Security" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000016.asp
