Event Collection Security
The following security considerations should be used for the Event Collection service.
Summary of Event Collection Service Permissions
Ensure that the identity of the new Event Collection service instance has the following permissions:
Permission to create an ETW session, register a provider, and read events from an ETW session.
Read permission on the Event Collection service configuration stored in the root Web.config file.
Read permission on the IIS configuration files located at <Drive>\Windows\System32\inetsrv\config.
Read permission on applicable application configuration files (Web.config) for applications being monitored.
Read and Write permissions to the monitoring database.
“Log on as a service” policy
Running as a Specific User
To isolate the events of a specific application being monitored by Windows Server AppFabric, run applications that include Windows Communication Foundation (WCF) and/or Windows Workflow Foundation (WF) services as a specific user. Ensure that the user has permissions to write to the Event Tracing for Windows (ETW) session upon which the Event Collection service is listening. Also run the actual Event Collection service as a specific user. This could be the same user as the application or a different user. The following steps allow the Event Collection service to run as a specific user:
Add the identity of the Event Collection service instance to the Performance Log Users Windows group. This provides the appropriate ACLs for the Event Collection service to create an ETW session, register a provider, and read events from an ETW session.
The Event Collection service identity requires Read and Write permissions to the monitoring data store. This requires the Event Collection service identity to be added to the ASMonitoringDbReader and ASMonitoringDbWriter database roles. You can explicitly add the identity to these database roles, or you can add the Event Collection service identity to the AS_Administrators Windows group created by AppFabric.
Grant Read permission to the identity of the Event Collection service for the Web.config file of the applications being monitored. Adding the identity of the Event Collection service instance to the AS_Administrators Windows group provides the Event Collection service with Read access to the configuration files for the IIS applications located in the <Drive>\Windows\System32\inetsrv\config directory.
For an application that includes Windows Communication Foundation (WCF) and/or Windows Workflow Foundation (WF) services to use Windows Server AppFabric monitoring, it must emit events to the ETW session from which the Event Collection service is collecting events. For the application to have permission to write to the ETW session, ensure that the identity of the application pool within which the application is running has Write permission to the ETW session. You can do this by adding the identity to the list of users that have access to the ETW session through the Windows Reliability and Performance Monitor tool. Alternatively, you can change the permissions for the user to write to the ETW session by using the EventAccessControl Win32 API (https://go.microsoft.com/fwlink/?LinkId=179742).
If the Event Collection service identity does not have Read permission to the Web.config file of the application that it is monitoring, it will generate Event ID 130. This event will be written to Event Log under the Microsoft-Windows-Application Server-System Services/Admin node.
You can assign Read permission to the Event Collection service identity for the Web.config file of an application in one of the following ways:
Using Windows Explorer, right-click your application’s Web.config file, select Properties, and then click the Security tab. Assign Read permission to the identity used for the Event Collection service.
Note
Because security settings are sometimes cached, it may take a small amount of time for the permissions to be applied after Read permission is granted. Additionally, you may need to restart the Event Collection service so that it can read the application’s Web.config file with the updated permissions.
An alternative to explicitly setting the Web.config file Read permission is to move your application to the root Web folder. For example, for the default Web site this location would be <system drive>\inetpub\wwwroot. At development time, you can also do this from Visual Studio. Right-click your project and select Publish to publish the Web service to the local IIS server (use Localhost) by using MSDeploy.
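The following PowerShell script is an added example, not part of the AppFabric documentation, that applies the least-privilege grants described above for the service identity (Performance Log Users membership and a Read-only ACE on the monitored application's Web.config) and then checks the Admin log for Event ID 130, the symptom of a missing Read permission. The account name CONTOSO\svc-ascollect and the Web.config path are placeholders; run it from an elevated session on the web server.

```powershell
# Added example (not from the AppFabric documentation). Assumptions: the Event
# Collection service runs as CONTOSO\svc-ascollect (placeholder account) and the
# monitored application's Web.config is at the placeholder path below.
$serviceIdentity = 'CONTOSO\svc-ascollect'
$webConfig       = 'C:\inetpub\wwwroot\OrderService\Web.config'

# Step 1: the rights to create an ETW session, register a provider and read
# events come from membership in the built-in Performance Log Users group.
# net localgroup is used because it works on every supported Windows version.
$members = net localgroup 'Performance Log Users'
if ($members -notcontains $serviceIdentity) {
    net localgroup 'Performance Log Users' $serviceIdentity /add | Out-Null
}

# Step 3: grant Read (and nothing more) on the application's Web.config.
# An explicit ACE on the file avoids widening permissions on the whole site.
$acl  = Get-Acl -Path $webConfig
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceIdentity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $webConfig -AclObject $acl

# Verify the effective ACE instead of trusting the grant blindly.
(Get-Acl -Path $webConfig).Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceIdentity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Detection: Event ID 130 in the Admin log means the service still cannot read
# the Web.config. Because ACLs can be cached, restart the service and re-check
# before assuming the grant did not apply.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Application Server-System Services/Admin'
    Id      = 130
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Membership in the ASMonitoringDbReader and ASMonitoringDbWriter database roles (step 2) is granted in SQL Server, not on the web server, so it is not covered by this script.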
“Log on as a service” Policy
In a domain environment, the service identities under which the Event Collection service and the Workflow Management service will run on the various servers in a Web farm should be in the AppFabric domain administrators group. Since this group is created manually by the domain administrator, the name of the group is arbitrary. This group typically includes the AppFabric domain administrator account. The “Log on as a service” privilege must be granted to the users in this group and enforced in the domain. This right allows a security principal to log on as a service. Any service that runs under a separate user account must be assigned the right. For information about how to add the “Log on as a service” right to an account, see https://go.microsoft.com/fwlink/?LinkId=192517.