如何:审核 Windows Communication Foundation 安全事件
Windows Communication Foundation (WCF) 允许你将安全事件记录到 Windows 事件日志中,可以使用 Windows 事件查看器来查看该事件日志。 本主题说明如何设置应用程序以使其记录安全事件。 有关 WCF 审核的详细信息,请参阅审核。
通过代码审核安全事件
指定审核日志位置。 为此,请将 AuditLogLocation 类的 ServiceSecurityAuditBehavior 属性设置为 AuditLogLocation 枚举值之一,如下面的代码中所示。
// Create a new auditing behavior and set the log location. ServiceSecurityAuditBehavior newAudit = new ServiceSecurityAuditBehavior(); newAudit.AuditLogLocation = AuditLogLocation.Application;' Create a new auditing behavior and set the log location. Dim newAudit As New ServiceSecurityAuditBehavior() newAudit.AuditLogLocation = AuditLogLocation.ApplicationAuditLogLocation 枚举具有三个值:
Application、Security或Default。 该值指定在事件查看器中可见的日志之一:安全日志或应用程序日志。 如果您使用Default值,则实际的日志将取决于运行应用程序的操作系统。 如果启用审核,但未指定日志位置,则对于支持写入安全日志的平台,默认值为Security日志;对于其他平台,则写入Application日志。 默认情况下,仅 Windows Server 2003 和 Windows Vista 支持写入安全日志。设置要审核的事件的类型。 您可以同时审核服务级事件或消息级授权事件。 为此,请将 ServiceAuthorizationAuditLevel 属性或 MessageAuthenticationAuditLevel 属性设置为 AuditLevel 枚举值之一,如下面的代码所示。
// Create a new auditing behavior and set the log location. ServiceSecurityAuditBehavior newAudit = new ServiceSecurityAuditBehavior(); newAudit.AuditLogLocation = AuditLogLocation.Application; newAudit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure; newAudit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure;newAudit.MessageAuthenticationAuditLevel = _ AuditLevel.SuccessOrFailure newAudit.ServiceAuthorizationAuditLevel = _ AuditLevel.SuccessOrFailure指定是向应用程序隐匿还是公开日志审核失败事件。 将 SuppressAuditFailure 属性设置为
true或false,如下面的代码所示。// Create a new auditing behavior and set the log location. ServiceSecurityAuditBehavior newAudit = new ServiceSecurityAuditBehavior(); newAudit.AuditLogLocation = AuditLogLocation.Application; newAudit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure; newAudit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure; newAudit.SuppressAuditFailure = false;newAudit.SuppressAuditFailure = False默认
SuppressAuditFailure属性为true,因此审核失败不会影响应用程序。 否则会引发异常。 对于任何成功的审核,都将写入详细跟踪。 对于任何失败的审核,都将在错误级别写入跟踪。从在 ServiceSecurityAuditBehavior 的说明中找到的行为集合中移除现有 ServiceHost。 该行为集合通过 Behaviors 属性来访问,而该属性又通过 Description 属性来访问。 然后,向同一集合中添加新的 ServiceSecurityAuditBehavior,如下面的代码所示。
// Remove the old behavior and add the new. serviceHost.Description. Behaviors.Remove<ServiceSecurityAuditBehavior>(); serviceHost.Description.Behaviors.Add(newAudit);' Remove the old behavior and add the new. serviceHost.Description.Behaviors.Remove(Of ServiceSecurityAuditBehavior) serviceHost.Description.Behaviors.Add(newAudit)
通过配置方式设置审核
要通过配置方式设置审核,请向 web.config 文件的 <behaviors> 部分添加 <behavior> 元素。 然后,添加一个 <serviceSecurityAudit> 元素,并设置各个属性,如下面的示例所示。
<behaviors> <behavior name="myAuditBehavior"> <serviceSecurityAudit auditLogLocation="Application" suppressAuditFailure="false" serviceAuthorizationAuditLevel="None" messageAuthenticationAuditLevel="SuccessOrFailure" /> </behavior> </behaviors>您必须为服务指定行为,如下面的示例所示。
<services> <service type="WCS.Samples.Service.Echo" behaviorConfiguration=" myAuditBehavior"> <endpoint address="" binding="wsHttpBinding" bindingConfiguration="CertificateDefault" contract="WCS.Samples.Service.IEcho" /> </service> </services>
示例
下面的代码创建 ServiceHost 类的一个实例,然后向其行为集合添加一个新的 ServiceSecurityAuditBehavior。
public static void Main()
{
// Get base address from appsettings in configuration.
Uri baseAddress = new Uri(ConfigurationManager.
AppSettings["baseAddress"]);
// Create a ServiceHost for the CalculatorService type
// and provide the base address.
using (ServiceHost serviceHost = new
ServiceHost(typeof(CalculatorService), baseAddress))
{
// Create a new auditing behavior and set the log location.
ServiceSecurityAuditBehavior newAudit =
new ServiceSecurityAuditBehavior();
newAudit.AuditLogLocation =
AuditLogLocation.Application;
newAudit.MessageAuthenticationAuditLevel =
AuditLevel.SuccessOrFailure;
newAudit.ServiceAuthorizationAuditLevel =
AuditLevel.SuccessOrFailure;
newAudit.SuppressAuditFailure = false;
// Remove the old behavior and add the new.
serviceHost.Description.
Behaviors.Remove<ServiceSecurityAuditBehavior>();
serviceHost.Description.Behaviors.Add(newAudit);
// Open the ServiceHostBase to create listeners
// and start listening for messages.
serviceHost.Open();
// The service can now be accessed.
Console.WriteLine("The service is ready.");
Console.WriteLine("Press <ENTER> to terminate service.");
Console.WriteLine();
Console.ReadLine();
// Close the ServiceHostBase to shutdown the service.
serviceHost.Close();
}
}
Public Shared Sub Main()
' Get base address from appsettings in configuration.
Dim baseAddress As New Uri(ConfigurationManager.AppSettings("baseAddress"))
' Create a ServiceHost for the CalculatorService type
' and provide the base address.
Dim serviceHost As New ServiceHost(GetType(CalculatorService), baseAddress)
Try
' Create a new auditing behavior and set the log location.
Dim newAudit As New ServiceSecurityAuditBehavior()
newAudit.AuditLogLocation = AuditLogLocation.Application
newAudit.MessageAuthenticationAuditLevel = _
AuditLevel.SuccessOrFailure
newAudit.ServiceAuthorizationAuditLevel = _
AuditLevel.SuccessOrFailure
newAudit.SuppressAuditFailure = False
' Remove the old behavior and add the new.
serviceHost.Description.Behaviors.Remove(Of ServiceSecurityAuditBehavior)
serviceHost.Description.Behaviors.Add(newAudit)
' Open the ServiceHostBase to create listeners
' and start listening for messages.
serviceHost.Open()
' The service can now be accessed.
Console.WriteLine("The service is ready.")
Console.WriteLine("Press <ENTER> to terminate service.")
Console.WriteLine()
Console.ReadLine()
' Close the ServiceHostBase to shutdown the service.
serviceHost.Close()
Finally
End Try
End Sub
.NET Framework 安全性
将 SuppressAuditFailure 属性设置为 true,就会隐匿任何生成安全审核失败(如果设置为 false,则会引发异常)。 不过,如果启用下列 Windows“本地安全设置”属性,则生成审核事件失败会导致 Windows 立即关闭:
审核:如果无法记录安全审核则立即关闭系统
要设置此属性,请打开“本地安全设置”对话框。 在“安全设置”下,单击“本地策略”。 然后,单击“安全选项”。
如果将 AuditLogLocation 属性设置为 Security,而“本地安全策略”中并没有设置“审核对象访问”,则不会将审核事件写入安全日志。 请注意,虽然不返回任何失败记录,但审核项不会写入安全日志。