I have an ASP.NET application running on a Windows Server 2008 box with IIS 7. The application started on Windows Server 2003 with IIS 6.
When I changed servers I learned about how Microsoft changed the default settings for IIS 7 to be more secure. One of the changes was, the user account set as the identity for the Application Pool had to explicitly be given permission to read/write the Event Log.
My question is, if I give the local account (in this case NETWORK SERVICE) read/write ability on just the Application log inside of the event log, am I creating a security liability?
I can look at other methods for reporting on site conditions, but the Event Log was a nice way to do it back in the Windows Server 2003 days.
I personally don’t see the problem with it. The Event Log is a perfect place to … well … log things.
Given the option to either grant write access on the Application log for NETWORK SERVICE, or change the local account your IIS site runs as to a more powerful user which has inherent rights to the event log, I would think granting access to NETWORK SERVICE would be a better approach.
We use the Event Log extensively in our web apps, but create a separate Log name for each application. This allows you to keep things tidy and grant very specific access.
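As an added example (not code from the question or the answer above), the per-application log approach from this answer in PowerShell: an administrator registers a dedicated log and event source up front, then grants NETWORK SERVICE write access only to that log through its channel security descriptor, leaving the Application log untouched. The log and source names are placeholders, and the script assumes `wevtutil` reports the channel's SDDL on a `channelAccess:` line.

```powershell
# Added example, not part of the original post. Run elevated on the web server.
# Placeholder names: replace with your application's log and source names.
$LogName    = 'MyWebApp'
$SourceName = 'MyWebApp.Web'

# 1. Create the dedicated log and register the event source while running as
#    an administrator. Doing this ahead of time means the application pool
#    identity never has to create a source itself (source creation enumerates
#    every log, including Security, which NETWORK SERVICE cannot read).
if (-not [System.Diagnostics.EventLog]::SourceExists($SourceName)) {
    New-EventLog -LogName $LogName -Source $SourceName
}

# 2. Read the channel's current security descriptor (SDDL). A freshly created
#    custom log may report none; fall back to the Application log's SDDL so the
#    built-in entries (SYSTEM, Administrators, ...) are preserved.
function Get-ChannelSddl([string]$Log) {
    $line = wevtutil get-log $Log | Where-Object { $_ -match '^\s*channelAccess:' }
    return ($line -replace '^\s*channelAccess:\s*', '').Trim()
}
$current = Get-ChannelSddl $LogName
if (-not $current) { $current = Get-ChannelSddl 'Application' }
Write-Host "Current SDDL: $current"

# 3. Append an allow ACE for NETWORK SERVICE (SDDL alias NS) with mask 0x2.
#    Event log channel access bits: 0x1 read, 0x2 write, 0x4 clear.
#    Write only: the web app can log, but cannot read other apps' entries or
#    clear the log to cover its tracks if it is ever compromised.
$ace = '(A;;0x2;;;NS)'
if ($current -notlike "*$ace*") {
    wevtutil set-log $LogName "/ca:$current$ace"
}

# 4. Verify the new descriptor and write a test event from this admin session.
wevtutil get-log $LogName | Select-String 'channelAccess'
Write-EventLog -LogName $LogName -Source $SourceName -EventId 1000 `
    -EntryType Information -Message 'Per-application event log configured.'
```

After this, the ASP.NET code only needs to call `EventLog.WriteEntry` with the pre-registered source; the Application log's permissions stay at their IIS 7 defaults.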