
If Non-Repudiation Is Important, Consider Setting the SuppressAuditFailure Property to False

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

If non-repudiation is important, consider setting the SuppressAuditFailure property to false. By default, your WCF service will ignore audit failures and continue running. With SuppressAuditFailure set to false, any audit failure causes an exception to be thrown, which your WCF service can then handle. This should be fixed. What’s the DOS threat? Carlos agrees. He doesn’t know either.
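<!-- configuration snippet -->
<configuration>
  <system.serviceModel>
    <behaviors>
      <!-- serviceSecurityAudit is a service behavior, so it sits under serviceBehaviors -->
      <serviceBehaviors>
        <behavior>
          <!-- suppressAuditFailure="false": an audit failure throws instead of being ignored -->
          <serviceSecurityAudit
              auditLogLocation="Application"
              suppressAuditFailure="false"
              serviceAuthorizationAuditLevel="Failure"
              messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>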
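
A way to check existing configuration files for this setting, as an added example that is not part of the original guidance: the script lists every service behavior that would still ignore audit failures. The sample config and its behavior names are constructed, and the script assumes behaviors are declared under serviceBehaviors.

```python
import xml.etree.ElementTree as ET

# Constructed sample config for illustration; behavior names are hypothetical.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="Strict">
          <serviceSecurityAudit auditLogLocation="Application"
              suppressAuditFailure="false"
              serviceAuthorizationAuditLevel="Failure"
              messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
        <behavior name="Explicit">
          <serviceSecurityAudit auditLogLocation="Application"
              suppressAuditFailure="true" />
        </behavior>
        <behavior name="Implicit">
          <serviceSecurityAudit auditLogLocation="Application" />
        </behavior>
        <behavior name="NoAudit" />
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>"""


def find_suppressed_audit_failures(config_xml):
    """Return (behavior name, reason) for each service behavior that
    would let the service keep running when an audit fails."""
    findings = []
    root = ET.fromstring(config_xml)
    for group in root.iter("serviceBehaviors"):
        for behavior in group.findall("behavior"):
            name = behavior.get("name") or "(unnamed)"
            audit = behavior.find("serviceSecurityAudit")
            if audit is None:
                findings.append((name, "no serviceSecurityAudit element"))
                continue
            value = audit.get("suppressAuditFailure")
            if value is None:
                # Attribute omitted: the default ignores audit failures.
                findings.append((name, "suppressAuditFailure not set"))
            elif value.strip().lower() != "false":
                findings.append((name, "suppressAuditFailure=" + value.strip()))
    return findings


if __name__ == "__main__":
    for name, reason in find_suppressed_audit_failures(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```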

Last edited Jun 12, 2008 at 8:42 PM by prashantbansode, version 1
