Securing Monitoring
Like the persistence store, the monitoring store plays a key role in the Windows Server AppFabric architecture. The monitoring store contains .NET Framework data that you can use to diagnose application problems as well as to track the health of an application. AppFabric provides tooling to view tracked monitoring data. You must provide permissions to the monitoring store to administrators running AppFabric administrative tools, as well as to applications and system services at run time, to be able to read and write from this data store. This topic focuses on how to secure monitoring data and the administrative tools that are used to access it.
Use of the monitoring store falls within both application and management scopes, and must be secured differently within each area. Specific permissions are dictated by virtue of inclusion in various security groups. Application security scope affects the permissions that an application has at run time, and maps to the Application Server Users conceptual role. Management security scope affects the tools and related operations that an administrator and system services can execute. These permissions map to the Application Server Administrators and Application Server Operators conceptual roles.
Securing Monitoring Data
Monitoring collects tracking records, events, and other data emitted by WCF and WF services and stores it in a database. Applications often collect and transmit personally identifiable information or other confidential data. When that data is included in a tracking record, it is saved in the monitoring store. The contents of messages and variables may be saved to the store, depending on the tracking profile in use. Multiple servers, sites, and applications may share a single monitoring store. By design, monitoring data is aggregated across servers and sites that share a store, to make it easier to monitor the activity of potentially thousands of instances of a service in a large environment. After data is stored in the monitoring store, it is visible to members of the AS_Administrators groups, and all members of the SQL Server sysadmin and dbo roles. Members of the AS_Observers group belong to the ASMonitoringDBReader group and can read monitoring data through the public views on the monitoring database. Tracking data is vulnerable to inadvertent or targeted exposure, but you can take steps to mitigate the risk.
The Event Collection service assists with securing monitoring data. This service takes events from an Event Tracing for Windows (ETW) session and writes them to the monitoring database. Only applications that have “Write” permissions to the ETW session started by the Event Collection service can write events to that session for collection. By default, the Event Collection service runs as NT_AUTHORITY\LOCAL SERVICE. The SID specific to the Event Collection service (NT SERVICE\AppFabricEventCollectionService) is added to the AS_Administrators group. This gives it read and write access to the monitoring database because AS_Administrators is part of the ASMonitoringDBAdmin database role. When you use the AppFabric cmdlet scripts to create the monitoring database all these roles and groups are created and initialized correctly. If you want to run the Event Collection service as a different user, see Event Collection Security for information about this process.
Note
Because AppFabric runs under IIS, it can take advantage of some additional features. IIS produces standard Web server access logs to analyze usage. Integration with Windows Server also means that IIS can take advantage of system auditing for more secure monitoring of resource use. For example, failed attempts to access a secure file can be recorded in the Windows Server event log, and audited with the same tools used for managing existing servers.
You can secure the data in the monitoring store in the following ways:
Use different monitoring stores. You can create and configure an alternative monitoring store on the same or a different server by using AppFabric cmdlets to create the store and using the Monitoring Database Configuration page to configure it. You can then configure certain applications to use only that store. This gives the specified applications a private monitoring data store that no other applications can access.
Manipulate monitoring features. You can use the extensions added to IIS Manager by AppFabric to enable and disable monitoring features for all workflow services in an application, for all applications in a Web site, or for all Web sites on a server. You can define a monitoring policy at a higher level and have all the lower levels in the IIS and WAS hierarchy inherit the policy settings.
Event Tracing for Windows Session Security
The Event Collection service collects monitoring events from an Event Tracing for Windows (ETW) session and saves them to the monitoring store. You can control which applications write events to the Event Collection service ETW session by assigning security permissions to the IIS application pool identity. For example, you may want to allow an application pool running under a low-privileged identity such as MACHINE\MyUser to log events to a trace session. To do this, you would assign the TRACELOG_LOG_EVENT event permission to MACHINE\MyUser. You can assign these permissions in the following ways:
You can change the permissions for the identity to write to the ETW session by using the EventAccessControl (https://go.microsoft.com/fwlink/?LinkId=179742) Win32 API.
By using Performance Monitor (PERFMON.EXE), you can control which applications can write events to the ETW session by assigning security permissions to certain identities. For example, you may want to allow an application pool running under the MACHINE\MyUser identity to log events to a trace session if the session is running in SECURE mode. To do this, you would allow the TRACELOG_LOG_EVENT permission to MACHINE\MyUser in the Security Tab of the AppFabric Event Collector Session within Performance Monitor.
Make sure that whenever you are modifying groups or user permissions in the Security settings for the AppFabric Event Collector session that you first stop that session. Failure to do so results in the changed settings not being preserved.