How to: Audit Windows Communication Foundation Security Events
Windows Communication Foundation (WCF) lets you log security events to the Windows event log, which you can then inspect with the Windows Event Viewer. This topic explains how to configure an application so that it logs security events. For more information about auditing in WCF, see Auditing Security Events.
To audit security events in code
Specify the audit log location. To do this, set the AuditLogLocation property of the ServiceSecurityAuditBehavior class to one of the AuditLogLocation enumeration values, as shown in the following code.
' Create a new auditing behavior and set the log location.
Dim newAudit As New ServiceSecurityAuditBehavior()
newAudit.AuditLogLocation = AuditLogLocation.Application

// Create a new auditing behavior and set the log location.
ServiceSecurityAuditBehavior newAudit = new ServiceSecurityAuditBehavior();
newAudit.AuditLogLocation = AuditLogLocation.Application;
The AuditLogLocation enumeration has three values: Application, Security, or Default. The value selects which of the logs visible in the Event Viewer receives the events: the Security log or the Application log. If you use the Default value, the actual log depends on the operating system the application is running on. If auditing is enabled but no log location is specified, the default is the Security log on platforms that support writing to it; platforms that do not support this write to the Application log instead. Only Windows Server 2003 and Windows Vista support writing to the Security log by default.
Set the type of events to audit. You can audit service-level events, message-level authorization events, or both. To do this, set the ServiceAuthorizationAuditLevel property or the MessageAuthenticationAuditLevel property to one of the AuditLevel enumeration values, as shown in the following code.
newAudit.MessageAuthenticationAuditLevel = _
    AuditLevel.SuccessOrFailure
newAudit.ServiceAuthorizationAuditLevel = _
    AuditLevel.SuccessOrFailure

// Create a new auditing behavior and set the log location.
ServiceSecurityAuditBehavior newAudit = new ServiceSecurityAuditBehavior();
newAudit.AuditLogLocation = AuditLogLocation.Application;
newAudit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure;
newAudit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure;
Specify whether failures related to logging audit events are suppressed or surfaced to the application. Set the SuppressAuditFailure property to true or false, as shown in the following code.
newAudit.SuppressAuditFailure = False

// Create a new auditing behavior and set the log location.
ServiceSecurityAuditBehavior newAudit = new ServiceSecurityAuditBehavior();
newAudit.AuditLogLocation = AuditLogLocation.Application;
newAudit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure;
newAudit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure;
newAudit.SuppressAuditFailure = false;
The SuppressAuditFailure property defaults to true, so that an audit failure does not affect the application. When it is false, an exception is thrown instead. A detailed trace of every successful audit is written, and any audit failure is traced at the Error level.
Remove the existing ServiceSecurityAuditBehavior from the collection of behaviors found in the description of the ServiceHost. The behavior collection is reached through the Behaviors property, which in turn is reached through the Description property. Then add the new ServiceSecurityAuditBehavior to the same collection, as shown in the following code.
' Remove the old behavior and add the new.
serviceHost.Description.Behaviors.Remove(Of ServiceSecurityAuditBehavior)
serviceHost.Description.Behaviors.Add(newAudit)

// Remove the old behavior and add the new.
serviceHost.Description.Behaviors.Remove<ServiceSecurityAuditBehavior>();
serviceHost.Description.Behaviors.Add(newAudit);
To set up auditing using configuration
To set up auditing using configuration, add a <behavior> element to the <behaviors> element section of the web.config file. Then add a serviceSecurityAudit element and set its attributes, as shown in the following example.
<behaviors>
  <behavior name="myAuditBehavior">
    <serviceSecurityAudit auditLogLocation="Application"
                          suppressAuditFailure="false"
                          serviceAuthorizationAuditLevel="None"
                          messageAuthenticationAuditLevel="SuccessOrFailure" />
  </behavior>
</behaviors>
You must also assign the behavior to the service, by name, as shown in the following example.
<services>
  <service type="WCS.Samples.Service.Echo"
           behaviorConfiguration="myAuditBehavior">
    <endpoint address=""
              binding="wsHttpBinding"
              bindingConfiguration="CertificateDefault"
              contract="WCS.Samples.Service.IEcho" />
  </service>
</services>
Example
The following code creates an instance of the ServiceHost class and adds a ServiceSecurityAuditBehavior to its collection of behaviors.
Public Shared Sub Main()
    ' Get base address from appsettings in configuration.
    Dim baseAddress As New Uri(ConfigurationManager.AppSettings("baseAddress"))
    ' Create a ServiceHost for the CalculatorService type
    ' and provide the base address.
    Dim serviceHost As New ServiceHost(GetType(CalculatorService), baseAddress)
    Try
        ' Create a new auditing behavior and set the log location.
        Dim newAudit As New ServiceSecurityAuditBehavior()
        newAudit.AuditLogLocation = AuditLogLocation.Application
        newAudit.MessageAuthenticationAuditLevel = _
            AuditLevel.SuccessOrFailure
        newAudit.ServiceAuthorizationAuditLevel = _
            AuditLevel.SuccessOrFailure
        newAudit.SuppressAuditFailure = False
        ' Remove the old behavior and add the new.
        serviceHost.Description.Behaviors.Remove(Of ServiceSecurityAuditBehavior)
        serviceHost.Description.Behaviors.Add(newAudit)
        ' Open the ServiceHostBase to create listeners
        ' and start listening for messages.
        serviceHost.Open()
        ' The service can now be accessed.
        Console.WriteLine("The service is ready.")
        Console.WriteLine("Press <ENTER> to terminate service.")
        Console.WriteLine()
        Console.ReadLine()
        ' Close the ServiceHostBase to shutdown the service.
        serviceHost.Close()
    Finally
    End Try
End Sub
public static void Main()
{
    // Get base address from appsettings in configuration.
    Uri baseAddress = new Uri(ConfigurationManager.AppSettings["baseAddress"]);
    // Create a ServiceHost for the CalculatorService type
    // and provide the base address.
    using (ServiceHost serviceHost = new ServiceHost(typeof(CalculatorService), baseAddress))
    {
        // Create a new auditing behavior and set the log location.
        ServiceSecurityAuditBehavior newAudit = new ServiceSecurityAuditBehavior();
        newAudit.AuditLogLocation = AuditLogLocation.Application;
        newAudit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure;
        newAudit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure;
        newAudit.SuppressAuditFailure = false;
        // Remove the old behavior and add the new.
        serviceHost.Description.Behaviors.Remove<ServiceSecurityAuditBehavior>();
        serviceHost.Description.Behaviors.Add(newAudit);
        // Open the ServiceHostBase to create listeners
        // and start listening for messages.
        serviceHost.Open();
        // The service can now be accessed.
        Console.WriteLine("The service is ready.");
        Console.WriteLine("Press <ENTER> to terminate service.");
        Console.WriteLine();
        Console.ReadLine();
        // Close the ServiceHostBase to shutdown the service.
        serviceHost.Close();
    }
}
Security
If the SuppressAuditFailure property is set to true, a failure to generate a security audit is suppressed (if it is set to false, an exception is thrown). However, if the following Windows Local Security Setting is enabled, a failure to generate an audit event causes Windows to shut down immediately:
Audit: Shut down system immediately if unable to log security audits
To set this property, open the Local Security Settings dialog box. Under Security Settings, click Local Policies, and then click Security Options.
If the AuditLogLocation property is set to Security and Audit Object Access is not set in the Local Security Policy, audit events are not written to the Security log. Note that no failure is returned in this case; the audit entries simply never reach the Security log.
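The following helper is an added example, not code from the original topic: it applies the four-step procedure above to a ServiceHost in one call, then reads the attached behavior back and reports the weak settings this topic warns about (authorization auditing set to None as in the configuration sample, suppressed audit failures, and the Security log chosen without the Audit Object Access policy). The class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Description;

// Assumed helper names (not part of the WCF API or this topic).
static class AuditReview
{
    // Replace any existing ServiceSecurityAuditBehavior with one that audits
    // both authentication and authorization, success and failure.
    // failClosed = true sets SuppressAuditFailure = false, so a lost audit
    // surfaces as an exception instead of being silently dropped.
    public static ServiceSecurityAuditBehavior ApplyAuditing(
        ServiceHostBase host, AuditLogLocation location, bool failClosed)
    {
        var audit = new ServiceSecurityAuditBehavior
        {
            AuditLogLocation = location,
            MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure,
            ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure,
            SuppressAuditFailure = !failClosed
        };
        host.Description.Behaviors.Remove<ServiceSecurityAuditBehavior>();
        host.Description.Behaviors.Add(audit);
        return audit;
    }

    // Read back the behavior actually attached to the host and list the
    // gaps a reviewer would raise before the service is opened.
    public static IList<string> Review(ServiceHostBase host)
    {
        var findings = new List<string>();
        var audit = host.Description.Behaviors.Find<ServiceSecurityAuditBehavior>();
        if (audit == null)
        {
            findings.Add("no ServiceSecurityAuditBehavior attached: security auditing is off");
            return findings;
        }
        if (audit.MessageAuthenticationAuditLevel == AuditLevel.None ||
            audit.MessageAuthenticationAuditLevel == AuditLevel.Success)
            findings.Add("failed authentications are not audited (level " +
                         audit.MessageAuthenticationAuditLevel + ")");
        if (audit.ServiceAuthorizationAuditLevel == AuditLevel.None)
            findings.Add("authorization auditing is None: denied operations leave no trace");
        if (audit.SuppressAuditFailure)
            findings.Add("SuppressAuditFailure is true: audit write failures are silent");
        if (audit.AuditLogLocation == AuditLogLocation.Security)
            findings.Add("Security log selected: events are dropped silently unless " +
                         "the 'Audit object access' local policy is enabled");
        return findings;
    }
}
```

Call ApplyAuditing before serviceHost.Open() and write Review's findings to your startup log, so a deployment that silently disables auditing is caught at start rather than during an incident.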
See Also
Reference
AuditLogLocation
ServiceSecurityAuditBehavior