
Permissions on Event Log?

schneider - 05 Dec 2006 16:16 GMT
What's the deal here MS?

Has Issues in Win2003, only way to allow is a Regedit hack or Installer
class? What kind of BS is this?
So what, every time I install to Win2003 I need to add X number of Application
Sources to the Event log system?

What if the Log is Full?

So what we do our own file log? Then Admin can't check them as easily...

How about a real solution...

Schneider
schneider - 11 Dec 2006 17:36 GMT
I did find some new info:
http://msdn2.microsoft.com/en-us/library/5zbwd3s3.aspx

Basically allows you to register a source during runtime. Have not tried it
yet myself.

Schneider

> What's the deal here MS?
>
[quoted text clipped - 10 lines]
>
> Schneider
Dominick Baier - 11 Dec 2006 17:24 GMT
You can only register event source when you have administrative privileges.

Build a small app that pre-creates the event sources at deployment time (with
admin privileges) - afterwards you can use them from normal-user processes.

-----
Dominick Baier (http://www.leastprivilege.com)

> I did find some new info:
> http://msdn2.microsoft.com/en-us/library/5zbwd3s3.aspx
[quoted text clipped - 18 lines]
>>
>> Schneider
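
The pre-creation step described in the reply above, as an added example that is not part of the original thread: a small console tool run once with administrative rights at deployment, followed by the write call a normal-user process makes afterwards. It assumes the .NET Framework on Windows; the source names and the target log are hypothetical placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;

// Deployment-time helper: run once from an elevated installer or distribution job.
static class EventSourceSetup
{
    // Hypothetical source names and target log; replace with the application's own.
    static readonly string[] Sources = { "ContosoApp.Service", "ContosoApp.Web" };
    const string LogName = "Application";

    static int Main()
    {
        WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        if (!principal.IsInRole(WindowsBuiltInRole.Administrator))
        {
            Console.Error.WriteLine("Registering event sources requires administrative privileges.");
            return 1;
        }

        int exitCode = 0;
        foreach (string source in Sources)
        {
            // SourceExists searches every log, including Security, so it also needs admin rights.
            if (!EventLog.SourceExists(source))
            {
                EventLog.CreateEventSource(source, LogName);
                Console.WriteLine("Registered " + source + " in " + LogName);
                continue;
            }
            // A source maps to exactly one log; report a mapping the deployment did not expect.
            string existing = EventLog.LogNameFromSourceName(source, ".");
            if (!string.Equals(existing, LogName, StringComparison.OrdinalIgnoreCase))
            {
                Console.Error.WriteLine(source + " is already bound to log " + existing);
                exitCode = 2;
            }
        }
        return exitCode;
    }
}

// Runtime side: the normal-user process only writes, it never registers.
static class AppLog
{
    public static void Error(string message)
    {
        EventLog.WriteEntry("ContosoApp.Service", message, EventLogEntryType.Error);
    }
}
```

The runtime code deliberately skips `EventLog.SourceExists`, because that check reads the Security log and throws a `SecurityException` for non-administrators.
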
schneider - 12 Dec 2006 15:41 GMT
Yes.
I don't agree with that requirement.
So now I need two installs if I'm not admin, just so I can have an event
log?
I can create my own log file without admin privileges.
Windows should be able to provide some basic log file needs. When a user
installs an app, they are already trusting the application. The Event log
can be viewed remotely from Windows admins; by making it difficult to use
they are making it harder for IT to manage apps through a known/common
interface.

Schneider

> You can only register event source when you have administrative
> privileges.
[quoted text clipped - 27 lines]
>>>
>>> Schneider
Nicole Calinoiu - 12 Dec 2006 16:04 GMT
When a non-admin user installs an application, there are plenty of things
that the installer should not be allowed to do, regardless of how much that
user might happen to trust the application.  If your application requires
creation of an event log, then it should be installed by an administrator.
This is not an uncommon requirement, and I'm a little puzzled as to why it
seems to pose a problem for you.

> Yes.
> I don't agree with that requirement.
[quoted text clipped - 40 lines]
>>>>
>>>> Schneider
schneider - 12 Dec 2006 19:36 GMT
I can deal with it. I can do a lot worse things as non-admin app.
I don't see why it's a problem to log events.

What are the risks? I can create my own log file?
Space usage? Can be addressed.

You could have an admin install, but then the user may need to log off the
machine. In a corp. environment this is a pain. If you give the users admin
rights they install everything from spyware to porn.

> When a non-admin user installs an application, there are plenty of things
> that the installer should not be allowed to do, regardless of how much
[quoted text clipped - 47 lines]
>>>>>
>>>>> Schneider
Dominick Baier - 12 Dec 2006 19:09 GMT
In a corp environment you would use a software distribution tool like SMS
or AD group policies - no need to logoff...

Adding an event source affects the whole system and not that single user
- so you need admin privs. as always - and makes sense.

-----
Dominick Baier (http://www.leastprivilege.com)

> I can deal with it. I can do a lot worse things as non-admin app. I
> don't see why it's a problem to log events.
[quoted text clipped - 59 lines]
>>>>>>
>>>>>> Schneider
schneider - 12 Dec 2006 21:29 GMT
Yes that may work, but why would a developer bother with all this trouble?
He can just create a custom log file, oops! now IT wants to check the log
for errors, where was that file? and how do I view it?

That's my point...

And why does the event source need to affect the whole system?
If I create a custom log file and fill the entire hard drive that affects
the whole system also...

Schneider

> In a corp environment you would use a software distribution tool like SMS
> or AD group policies - no need to logoff...
[quoted text clipped - 68 lines]
>>>>>>>
>>>>>>> Schneider
Nicole Calinoiu - 13 Dec 2006 13:53 GMT
> Yes that may work, but why would a developer bother with all this trouble?

It's not the developer that should be setting up installation via SMS or an
AD GPO, it's the enterprise's IT group.  Most commercial software requires
administrative installation, so most companies have usually found some
fairly routine way to deal with these.

> He can just create a custom log file, oops! now IT wants to check the log
> for errors, where was that file? and how do I view it?
[quoted text clipped - 4 lines]
> If I create a custom log file and fill the entire hard drive that affects
> the whole system also...

It's not just a disk space issue.  For example, if an event log that does
not purge automatically fills up, it can cause important services to no
longer run.  Non-administrators should not be able to set up such an event
log.

> Schneider
>
[quoted text clipped - 70 lines]
>>>>>>>>
>>>>>>>> Schneider
schneider - 18 Dec 2006 21:28 GMT
Again BS reason:
It's not just a disk space issue.  For example, if an event log that does
not purge automatically fills up, it can cause important services to no
longer run.  Non-administrators should not be able to set up such an event
log.

Just make them AUTO PURGE! or better yet make the services better...

This is plain and simple: It's easier for MS to add security layers than
just fix the bad design!

And you guys are full of it also...

Schneider

>> Yes that may work, but why would a developer bother with all this
>> trouble?
[quoted text clipped - 92 lines]
>>>>>>>>>
>>>>>>>>> Schneider
Andy - 19 Dec 2006 09:54 GMT
Agree with everything you say. I have not found a good way to ensure apps
can write to the event log and have often resorted to code that attempts to
write to the event log and, if it fails, writes to a custom error log file.
This is a complete pain for systems management. Rollout would be more
complicated with an Admin installer and I can't see what the problem with
non-admins writing event logs is anyway.

> Again BS reason:
> It's not just a disk space issue.  For example, if an event log that does
[quoted text clipped - 107 lines]
>>>>>>>>>>
>>>>>>>>>> Schneider
schneider - 19 Dec 2006 21:01 GMT
Thanks, Andy

Beginning to wonder if anyone is listening...

It's not just an Admin Install but also some method to register the new
source must be performed during the install. Also this is only enforced in
Win2003 Server right now and maybe XP Pro.

Either way seems no one at MS has a Clue and also many others.

Schneider

> Agree with everything you say. I have not found a good way to ensure apps
> can write to the event log and have often resorted to code that attempts
[quoted text clipped - 116 lines]
>>>>>>>>>>>
>>>>>>>>>>> Schneider
