Security Frame: Auditing and Logging | Mitigations
Product/Service | Article |
---|---|
Dynamics CRM | |
Web Application |
|
Database | |
Azure Storage | |
WCF | |
Web API | |
IoT Field Gateway | |
IoT Cloud Gateway |
Identify sensitive entities in your solution and implement change auditing
Title | Details |
---|---|
Component | Dynamics CRM |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Identify entities in your solution containing sensitive data and implement change auditing on those entities and fields |
Ensure that auditing and logging is enforced on the application
Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Enable auditing and logging on all components. Audit logs should capture user context. Identify all important events and log those events. Implement centralized logging |
Ensure that log rotation and separation are in place
Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Log rotation is an automated process used in system administration in which dated log files are archived. Servers which run large applications often log every request: in the face of bulky logs, log rotation is a way to limit the total size of the logs while still allowing analysis of recent events. Log separation basically means that you have to store your log files on a different partition as where your OS/application is running on in order to avert a Denial of service attack or the downgrading of your application its performance |
Ensure that the application does not log sensitive user data
Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Check that you do not log any sensitive data that a user submits to your site. Check for intentional logging as well as side effects caused by design issues. Examples of sensitive data include:
|
Ensure that Audit and Log Files have Restricted Access
Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Check to ensure access rights to log files are appropriately set. Application accounts should have write-only access and operators and support personnel should have read-only access as needed. Administrators accounts are the only accounts which should have full access. Check Windows ACL on log files to ensure they are properly restricted:
|
Ensure that User Management Events are Logged
Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Ensure that the application monitors user management events such as successful and failed user logins, password resets, password changes, account lockout, user registration. Doing this helps to detect and react to potentially suspicious behavior. It also enables to gather operations data; for example, to track who is accessing the application |
Ensure that the system has inbuilt defenses against misuse
Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Controls should be in place which throw security exception in case of application misuse. E.g., If input validation is in place and an attacker attempts to inject malicious code that does not match the regex, a security exception can be thrown which can be an indicative of system misuse For example, it is recommended to have security exceptions logged and actions taken for the following issues:
|
Enable diagnostics logging for web apps in Azure App Service
Title | Details |
---|---|
Component | Web Application |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | EnvironmentType - Azure |
References | N/A |
Steps | Azure provides built-in diagnostics to assist with debugging an App Service web app. It also applies to API apps and mobile apps. App Service web apps provide diagnostic functionality for logging information from both the web server and the web application. These are logically separated into web server diagnostics and application diagnostics |
Ensure that login auditing is enabled on SQL Server
Title | Details |
---|---|
Component | Database |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | Configure Login Auditing |
Steps | Database Server login auditing must be enabled to detect/confirm password guessing attacks. It is important to capture failed login attempts. Capturing both successful and failed login attempts provides additional benefit during forensic investigations |
Enable Threat detection on Azure SQL
Title | Details |
---|---|
Component | Database |
SDL Phase | Build |
Applicable Technologies | SQL Azure |
Attributes | SQL Version - V12 |
References | Get Started with SQL Database Threat Detection |
Steps | Threat Detection detects anomalous database activities indicating potential security threats to the database. It provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users can explore the suspicious events using Azure SQL Database Auditing to determine if they result from an attempt to access, breach or exploit data in the database. Threat Detection makes it simple to address potential threats to the database without the need to be a security expert or manage advanced security monitoring systems |
Use Azure Storage Analytics to audit access of Azure Storage
Title | Details |
---|---|
Component | Azure Storage |
SDL Phase | Deployment |
Applicable Technologies | Generic |
Attributes | N/A |
References | Using Storage Analytics to monitor authorization type |
Steps | For each storage account, one can enable Azure Storage Analytics to perform logging and store metrics data. The storage analytics logs provide important information such as authentication method used by someone when they access storage. This can be really helpful if you are tightly guarding access to storage. For example, in Blob Storage you can set all of the containers to private and implement the use of an SAS service throughout your applications. Then you can check the logs regularly to see if your blobs are accessed using the storage account keys, which may indicate a breach of security, or if the blobs are public but they shouldn’t be. |
Implement sufficient Logging
Title | Details |
---|---|
Component | WCF |
SDL Phase | Build |
Applicable Technologies | .NET Framework |
Attributes | N/A |
References | MSDN, Fortify Kingdom |
Steps | The lack of a proper audit trail after a security incident can hamper forensic efforts. Windows Communication Foundation (WCF) offers the ability to log successful and/or failed authentication attempts. Logging failed authentication attempts can warn administrators of potential brute-force attacks. Similarly, logging successful authentication events can provide a useful audit trail when a legitimate account is compromised. Enable WCF's service security audit feature |
Example
The following is an example configuration with auditing enabled
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name=""NewBehavior"">
<serviceSecurityAudit auditLogLocation=""Default""
suppressAuditFailure=""false""
serviceAuthorizationAuditLevel=""SuccessAndFailure""
messageAuthenticationAuditLevel=""SuccessAndFailure"" />
...
</behavior>
</servicebehaviors>
</behaviors>
</system.serviceModel>
Implement sufficient Audit Failure Handling
Title | Details |
---|---|
Component | WCF |
SDL Phase | Build |
Applicable Technologies | .NET Framework |
Attributes | N/A |
References | MSDN, Fortify Kingdom |
Steps | Developed solution is configured not to generate an exception when it fails to write to an audit log. If WCF is configured not to throw an exception when it is unable to write to an audit log, the program will not be notified of the failure and auditing of critical security events may not occur. |
Example
The <behavior/>
element of the WCF configuration file below instructs WCF to not notify the application when WCF fails to write to an audit log.
<behaviors>
<serviceBehaviors>
<behavior name="NewBehavior">
<serviceSecurityAudit auditLogLocation="Application"
suppressAuditFailure="true"
serviceAuthorizationAuditLevel="Success"
messageAuthenticationAuditLevel="Success" />
</behavior>
</serviceBehaviors>
</behaviors>
Configure WCF to notify the program whenever it is unable to write to an audit log. The program should have an alternative notification scheme in place to alert the organization that audit trails are not being maintained.
Ensure that auditing and logging is enforced on Web API
Title | Details |
---|---|
Component | Web API |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Enable auditing and logging on Web APIs. Audit logs should capture user context. Identify all important events and log those events. Implement centralized logging |
Ensure that appropriate auditing and logging is enforced on Field Gateway
Title | Details |
---|---|
Component | IoT Field Gateway |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | When multiple devices connect to a Field Gateway, ensure that connection attempts and authentication status (success or failure) for individual devices are logged and maintained on the Field Gateway. Also, in cases where Field Gateway is maintaining the IoT Hub credentials for individual devices, ensure that auditing is performed when these credentials are retrieved.Develop a process to periodically upload the logs to Azure IoT Hub/storage for long term retention. |
Ensure that appropriate auditing and logging is enforced on Cloud Gateway
Title | Details |
---|---|
Component | IoT Cloud Gateway |
SDL Phase | Build |
Applicable Technologies | Generic |
Attributes | N/A |
References | N/A |
Steps | Design for collecting and storing audit data gathered through IoT Hub Operations Monitoring. Enable the following monitoring categories:
|