How to: Audit Windows Communication Foundation Security Events

Windows Communication Foundation (WCF) lets you log security events to the Windows event log, which you can inspect with the Windows Event Viewer. This topic explains how to set up an application so that it logs security events. For more information about WCF auditing, see Auditing Security Events.

To audit security events in code

  1. Specify the audit log location. To do this, set the AuditLogLocation property of the ServiceSecurityAuditBehavior class to one of the AuditLogLocation enumeration values, as shown in the following code.

    ' Create a new auditing behavior and set the log location.
    Dim newAudit As New ServiceSecurityAuditBehavior()
    newAudit.AuditLogLocation = AuditLogLocation.Application
    
    // Create a new auditing behavior and set the log location.
    ServiceSecurityAuditBehavior newAudit = 
        new ServiceSecurityAuditBehavior();
    newAudit.AuditLogLocation = 
        AuditLogLocation.Application;
    

    The AuditLogLocation enumeration has three values: Application, Security, and Default. The value selects one of the logs visible in Event Viewer: the Security log or the Application log. If you use the Default value, the actual log depends on the operating system the application runs on. If auditing is enabled but no log location is specified, the default is the Security log on platforms that support writing to it and the Application log on all other platforms. At the time this topic was written, only Windows Server 2003 and Windows Vista supported writing to the Security log by default.

  2. Set the kind of events to audit. You can audit service-level authorization events, message-level authentication events, or both. To do so, set the ServiceAuthorizationAuditLevel property, the MessageAuthenticationAuditLevel property, or both to one of the AuditLevel enumeration values, as shown in the following code.

    newAudit.MessageAuthenticationAuditLevel = _
        AuditLevel.SuccessOrFailure
    newAudit.ServiceAuthorizationAuditLevel = _
        AuditLevel.SuccessOrFailure
    
    // Create a new auditing behavior and set the log location.
    ServiceSecurityAuditBehavior newAudit = 
        new ServiceSecurityAuditBehavior();
    newAudit.AuditLogLocation = 
        AuditLogLocation.Application;
    newAudit.MessageAuthenticationAuditLevel = 
        AuditLevel.SuccessOrFailure;
    newAudit.ServiceAuthorizationAuditLevel = 
        AuditLevel.SuccessOrFailure;
    
  3. Specify whether failures to write an audit entry are hidden from or exposed to the application. Set the SuppressAuditFailure property to true or false, as shown in the following code.

    newAudit.SuppressAuditFailure = False
    
    // Create a new auditing behavior and set the log location.
    ServiceSecurityAuditBehavior newAudit = 
        new ServiceSecurityAuditBehavior();
    newAudit.AuditLogLocation = 
        AuditLogLocation.Application;
    newAudit.MessageAuthenticationAuditLevel = 
        AuditLevel.SuccessOrFailure;
    newAudit.ServiceAuthorizationAuditLevel = 
        AuditLevel.SuccessOrFailure;
    newAudit.SuppressAuditFailure = false;
    

    The SuppressAuditFailure property defaults to true, so a failure to write an audit entry does not affect the application. When it is false, an exception is thrown instead. For every successful audit a verbose-level trace is written; for every failed audit a trace is written at the error level.

  4. Remove the existing ServiceSecurityAuditBehavior from the behaviors collection found in the description of the ServiceHost. The collection is reached through the Behaviors property, which in turn is reached through the Description property. Then add the new ServiceSecurityAuditBehavior to the same collection, as shown in the following code.

    ' Remove the old behavior and add the new.
    serviceHost.Description.Behaviors.Remove(Of ServiceSecurityAuditBehavior)
    serviceHost.Description.Behaviors.Add(newAudit)
    
    // Remove the old behavior and add the new.
    serviceHost.Description.
        Behaviors.Remove<ServiceSecurityAuditBehavior>();
    serviceHost.Description.Behaviors.Add(newAudit);
    

To set up auditing using configuration

  1. To set up auditing using configuration, add a <behavior> element to the <behaviors> section of the Web.config file. Then add a <serviceSecurityAudit> element and set its attributes, as shown in the following example.

    <behaviors>
       <behavior name="myAuditBehavior">
          <serviceSecurityAudit auditLogLocation="Application"
                suppressAuditFailure="false"
                serviceAuthorizationAuditLevel="None"
                messageAuthenticationAuditLevel="SuccessOrFailure" />
       </behavior>
    </behaviors>
    
  2. You must then apply the behavior to the service by name, as shown in the following example. The behaviorConfiguration value must match the behavior name exactly; a stray space or case difference means the service runs with no auditing at all.

    <services>
        <service name="WCS.Samples.Service.Echo"
                 behaviorConfiguration="myAuditBehavior">
           <endpoint address=""
                     binding="wsHttpBinding"
                     bindingConfiguration="CertificateDefault"
                     contract="WCS.Samples.Service.IEcho" />
        </service>
    </services>
    

Example

The following code creates an instance of the ServiceHost class and adds a new ServiceSecurityAuditBehavior to its behaviors collection.

Public Shared Sub Main() 
    ' Get base address from appsettings in configuration.
    Dim baseAddress As New Uri(ConfigurationManager.AppSettings("baseAddress"))
    
    ' Create a ServiceHost for the CalculatorService type 
    ' and provide the base address.
    Dim serviceHost As New ServiceHost(GetType(CalculatorService), baseAddress)
    Try
        ' Create a new auditing behavior and set the log location.
        Dim newAudit As New ServiceSecurityAuditBehavior()
        newAudit.AuditLogLocation = AuditLogLocation.Application
        newAudit.MessageAuthenticationAuditLevel = _
            AuditLevel.SuccessOrFailure
        newAudit.ServiceAuthorizationAuditLevel = _
            AuditLevel.SuccessOrFailure
        newAudit.SuppressAuditFailure = False
        ' Remove the old behavior and add the new.
        serviceHost.Description.Behaviors.Remove(Of ServiceSecurityAuditBehavior)
        serviceHost.Description.Behaviors.Add(newAudit)
        ' Open the ServiceHostBase to create listeners 
        ' and start listening for messages.
        serviceHost.Open()
        
        ' The service can now be accessed.
        Console.WriteLine("The service is ready.")
        Console.WriteLine("Press <ENTER> to terminate service.")
        Console.WriteLine()
        Console.ReadLine()
        
        ' Close the ServiceHostBase to shutdown the service.
        serviceHost.Close()
    Finally
    End Try

End Sub 
public static void Main()
{
    // Get base address from appsettings in configuration.
    Uri baseAddress = new Uri(ConfigurationManager.
        AppSettings["baseAddress"]);

    // Create a ServiceHost for the CalculatorService type 
    // and provide the base address.
    using (ServiceHost serviceHost = new 
        ServiceHost(typeof(CalculatorService), baseAddress))
    {
        // Create a new auditing behavior and set the log location.
        ServiceSecurityAuditBehavior newAudit = 
            new ServiceSecurityAuditBehavior();
        newAudit.AuditLogLocation = 
            AuditLogLocation.Application;
        newAudit.MessageAuthenticationAuditLevel = 
            AuditLevel.SuccessOrFailure;
        newAudit.ServiceAuthorizationAuditLevel = 
            AuditLevel.SuccessOrFailure;
        newAudit.SuppressAuditFailure = false;
        // Remove the old behavior and add the new.
        serviceHost.Description.
            Behaviors.Remove<ServiceSecurityAuditBehavior>();
        serviceHost.Description.Behaviors.Add(newAudit);
        // Open the ServiceHostBase to create listeners 
        // and start listening for messages.
        serviceHost.Open();

        // The service can now be accessed.
        Console.WriteLine("The service is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();

        // Close the ServiceHostBase to shutdown the service.
        serviceHost.Close();
    }
}

Security

When the SuppressAuditFailure property is set to true, any failure to generate a security audit is suppressed (when it is set to false, an exception is thrown). However, if the following Windows Local Security Settings policy is enabled, a failure to generate an audit event causes Windows to shut down immediately, regardless of the SuppressAuditFailure setting:

Audit: Shut down system immediately if unable to log security audits

To set this policy, open the Local Security Settings dialog box. Under Security Settings, click Local Policies, and then click Security Options.

If the AuditLogLocation property is set to Security but Audit object access is not enabled in the Local Security Policy, audit events are not written to the Security log. Note that no failure is reported to the application in this case: the audit entries are simply never written, so a service can appear to be audited while producing no record at all.
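Both caveats above (a failed Security-log write can halt the machine when the shutdown policy is on, and audits vanish silently when Audit object access is off) are cheap to check before you point AuditLogLocation at the Security log. The following PowerShell is an added example, not code from the original topic or from WCF itself: it reads the registry value behind the shutdown policy, asks auditpol whether any Object Access subcategory is audited, and then pulls recent WCF audit entries from the event log so you can confirm the service is actually producing records. The provider name 'ServiceModel Audit 3.0.0.0', the Windows Vista-or-later requirement for auditpol.exe, and the need for an elevated session are assumptions, not facts stated on the page.

```powershell
# Added example, not part of the original topic. Assumptions: Windows Vista or
# later (auditpol.exe), an elevated session, and the WCF audit event source
# name 'ServiceModel Audit 3.0.0.0' (a .NET 4.x host registers 4.0.0.0).

function Test-WcfAuditPrerequisites {
    [CmdletBinding()]
    param()

    $findings = @()

    # "Audit: Shut down system immediately if unable to log security audits"
    # is stored as HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
    # (0 = disabled, 1 = enabled, 2 = the policy has already tripped once).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name CrashOnAuditFail -ErrorAction SilentlyContinue
    $crashOnAuditFail = if ($null -ne $lsa) { [int]$lsa.CrashOnAuditFail } else { 0 }
    if ($crashOnAuditFail -ne 0) {
        $findings += "CrashOnAuditFail=$crashOnAuditFail: a failed Security-log write halts " +
                     "the whole machine, whatever SuppressAuditFailure is set to."
    }

    # WCF audits only reach the Security log when Object Access auditing is on.
    # 'auditpol /r' prints CSV with an 'Inclusion Setting' column per subcategory.
    $rows = auditpol /get /category:"Object Access" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    $enabled = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' })
    if ($enabled.Count -eq 0) {
        $findings += "Object Access auditing is off: AuditLogLocation.Security entries " +
                     "will be dropped with no error returned to the service."
    }

    [pscustomobject]@{
        CrashOnAuditFail     = $crashOnAuditFail
        ObjectAccessAudited  = ($enabled.Count -gt 0)
        AuditedSubcategories = $enabled.Subcategory
        Findings             = $findings
    }
}

function Get-WcfAuditEvents {
    param(
        [string]$LogName = 'Application',                     # or 'Security'
        [string]$ProviderName = 'ServiceModel Audit 3.0.0.0', # assumed source name
        [int]$Hours = 24
    )
    $filter = @{
        LogName      = $LogName
        ProviderName = $ProviderName
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "no events found" as a non-terminating error; silence
    # it so an empty result comes back instead of a red error line.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: fail loudly before pointing AuditLogLocation at the Security log, then
# review what the service has actually written so far.
$check = Test-WcfAuditPrerequisites
$check.Findings | ForEach-Object { Write-Warning $_ }
if ($check.Findings.Count -eq 0) {
    Write-Host 'Security-log auditing prerequisites are in place.'
}

Get-WcfAuditEvents | Group-Object LevelDisplayName |
    Select-Object Name, Count | Format-Table -AutoSize
```

Run the prerequisite check on the host that will run the service, not on a developer machine: both the registry value and the audit policy are per-machine, and the Object Access check in particular is the one that catches the silent-drop case the topic warns about. Switch Get-WcfAuditEvents to -LogName Security once AuditLogLocation.Security is in use.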

See Also

Reference

AuditLogLocation
ServiceSecurityAuditBehavior

Concepts

Auditing Security Events