This project is read-only.

How to Audit Security Events

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

You can use WCF Auditing to audit security events such as authentication and authorization failures. WCF service auditing can allow you to detect an attack that has occurred or is in progress. In addition, auditing can help you debug security-related problems. For example, if an error in the configuration of the authorization or checking policy accidentally denies access to an authorized user, you can discover and isolate the cause of this error by examining the auditing events in the event log.

Use the following steps to enable authentication and authorization auditing for your WCF service:
  1. Open the web.config file of the WCF service using the Configuration editor tool (SvcConfigEditor.exe).
  2. In the Configuration editor, navigate to the Advanced node.
  3. Select the Behavior: ServiceBehavior section and add a new service behaviour extension element.
  4. In the Adding Behavior Element Extension Sections dialog box select serviceSecurityAudit and click Add button.
  5. In the Configuration section, select serviceSecurityAudit option, under Service Behaviors.
  6. Set the MessageAuthenticationAuditLevel attribute to SuccessOrFailure choosing from the drop down.
  7. Set the ServiceAuthorizationAuditLevel attribute to SuccessOrFailure choosing from the drop down.
  8. On the configuration editor dialog, go to the File menu and select Save.
  9. In Visual Studio, verify your configuration. The configuration should look as follows.
    <behavior name="ServiceBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceSecurityAudit *messageAuthenticationAuditLevel*="*SuccessOrFailure*" />
        <serviceSecurityAudit *serviceAuthorizationAuditLevel*="*SuccessOrFailure*" />

Additional Resources

Last edited Jun 13, 2008 at 6:20 PM by prashantbansode, version 1


No comments yet.