Securing the logs should be one of the most important aspects to consider when using ELMAH. If the logs are not secured, they can expose the inner workings of the application (stack traces, request details, cookies and server variables) to unauthorized personnel.
By default, ELMAH is configured to deny access to the error log it produces unless we are accessing it from the server the site is hosted on. To secure the logs, we need to configure the following:
- Enabling or disabling remote access to the logs
- Granting or denying permissions via ASP.Net authorization
Here is what can happen if the logs are not secured: ASP.NET session hijacking with Google and ELMAH (publicly indexed error pages leaking session cookies).
Enabling or disabling remote access to the logs
ELMAH provides a configuration section and a setting to enable or disable remote access to the error log display and feeds. Here is the snippet that needs to be added to the configuration file.
Remote access is enabled when the value of the allowRemoteAccess attribute is either 1, yes, true or on. Otherwise it is disabled. Local access is always available.
Granting or denying permissions via ASP.Net authorization
Using ASP.NET's Membership Provider and built-in authorization system, we can deny anonymous access by adding the following definition to our web.config file. It can go anywhere inside the root configuration element. This will allow any authenticated user to view the error log. If you only want a select group of people to be able to view the log, you could put those users into a 'Support' role and use something like:
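The following web.config fragment is an added example, not one of the post's own snippets: it combines the two settings above, locking the ELMAH endpoint down to the "Support" role while also disabling remote access as a second line of defence. The handler path elmah.axd and the role name are assumptions for this example; the role must match what your Membership/Role provider actually issues.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <!-- Registers the ELMAH <security> section so allowRemoteAccess is recognised -->
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false"
               type="Elmah.SecuritySectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <!-- 1. Remote access to the error log pages and feeds: 0/no/false/off = disabled.
          Local (loopback) access remains available regardless of this value. -->
  <elmah>
    <security allowRemoteAccess="0" />
  </elmah>

  <!-- 2. ASP.NET authorization scoped to the ELMAH handler path only.
          The path attribute MUST match the path the handler is registered on,
          otherwise the rule protects nothing. -->
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <!-- Allow only members of the assumed 'Support' role... -->
        <allow roles="Support" />
        <!-- ...and deny everyone else, including authenticated non-members.
             Replace with <deny users="?" /> to allow any authenticated user. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <handlers>
      <!-- Handler registration (IIS integrated mode); path here and in <location> must agree -->
      <add name="Elmah" path="elmah.axd" verb="POST,GET,HEAD"
           type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>
```

After deploying, verify the rules by requesting /elmah.axd from a remote client while logged out (expect a redirect or 401/403) and again as a non-Support user; only a Support member should see the log.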
Happy Coding!!!