Passwords in Event Log

 
 
Steve Seier
 
      10-22-2009
We have an ASP.NET 2.x application that's been operational for several years.
This app is forms-based so we handle user authentication in the app.

Recently looking at the server event log I see several error/events that
point to ASP.NET when there is a failure, such as a user entered the wrong
password, which we handle, and other errors coming from the application.
However, when there is an error written to the event log all the gory
information about the event and user's credentials is written to the log file
(event) as well including the PASSWORD in clear text!

Password in CLEAR text! What! Why is Microsoft doing / allowing this? This
is a breach of security in that any administrator or user that can look at
the events can find this sensitive data.

Is there any way to turn this option off or change the behavior of .NET to
not write such data to the event logs?

I'm totally baffled by this! In this age of security, sensitive data like
user ID and passwords are written to a common log file for all to see.

 
 
 
 
 
Joe Kaplan
 
      10-26-2009
Can you show the full details of the error without the password details?

Typically, ASP.NET just logs exceptions. If somehow the passwords are
showing up in the exception data, that would be bad but would tend to
indicate an issue with the code as it is not typical of the default
authentication mechanisms I'm familiar with that the password data would be
in the exception.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
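
The point in the reply above, that a password in the log usually means it reached the exception data through application code, shown as an added example (not code from the thread or from ASP.NET). The thread does not establish where the password entered the log; this assumes, hypothetically, that login code builds its exception message from the submitted input. All class and method names and the sample credentials are constructed.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not code from the thread; every name here is hypothetical.
static class LoginLoggingDemo
{
    // Leaky: the submitted password becomes part of the exception message, so
    // anything that logs the exception text also records the password.
    static Exception LeakyFailure(string user, string password)
    {
        return new InvalidOperationException(
            "Login failed: user=" + user + "&password=" + password);
    }

    // Hardened: the message identifies the account and carries no secret.
    static Exception SafeFailure(string user)
    {
        return new InvalidOperationException("Login failed: user=" + user);
    }

    // Backstop for text built elsewhere (messages, URLs, form dumps):
    // mask the value of any credential-like key before it is logged.
    static readonly Regex SecretPair = new Regex(
        @"(?<key>\b(?:password|passwd|pwd)\s*[=:]\s*)[^&;\s]+",
        RegexOptions.IgnoreCase);

    public static string Scrub(string text)
    {
        return SecretPair.Replace(text, "${key}[redacted]");
    }

    // Stand-in for the logging sink; assumption: it records the text as given.
    static void Log(string label, string text)
    {
        Console.WriteLine(label + ": " + text);
    }

    static void Main()
    {
        string user = "alice", password = "constructed-Pa55"; // constructed sample input

        Log("leaky   ", LeakyFailure(user, password).ToString());
        Log("scrubbed", Scrub(LeakyFailure(user, password).ToString()));
        Log("hardened", SafeFailure(user).ToString());
    }
}
```

The scrubber only catches `key=value` shapes it knows about, so it is a backstop; keeping the secret out of the exception in the first place is the actual fix.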


 