EIF Security Risk (w/Web apps)


EIF Security Risk (w/Web apps) tsabin NO[at]SPAM yahoo.com
10/15/2003 8:22:11 AM
visual studio .net enterprise tools:
I work for an ASP-model software product company. We are just about to
launch our product and are setting it up in our datacenter (Windows
2003 servers).

Our infrastructure manager is jumping up and down about our use of EIF
in the web app posing a significant security risk. He says modify
permissions must be granted to the web root because EIF must be able
to create a backup copy of the EnterpriseInstrumentation.config file.
He says modify permissions should NEVER be granted to the root of a
web app because it could enable a hacker to create and then execute a
file on the server.

We have made significant use of EIF in our code, so I don't want to be
forced to back that out. I couldn't answer his questions as to what
security context the framework runs under, how the backup file is used
or if it can be configured to reside somewhere outside the web root.

If anyone has tackled this problem before, or has any insight, I would
greatly appreciate your help.

Thanks,

RE: EIF Security Risk (w/Web apps) mikehayt_ NO[at]SPAM online.microsoft.com
10/16/2003 3:44:20 AM
Hi Troy,

While the web application instrumented with EIF will produce a warning in
the Windows Event Log if it can't back up the EI.config file - EIF will
happily run if it can't back up the file. I would suggest that you ignore this
warning message and keep the security permissions as they are.

A second suggestion would be to place the EI.config file in a different
directory and then redirect the web application to look in this other
directory. To specify the redirection, you'd add into the web.config an
entry in the appSettings section.
It would look something like:

<configuration>
  <appSettings>
    <add key="instrumentationConfigFile"
         value="C:\ConfigFiles\EnterpriseInstrumentation.config" />
  </appSettings>
</configuration>

I hope one of the above suggestions is a workable solution for you.

Mike

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
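The two suggestions in Mike's reply, carried through as an added example (this is not code from the thread, from EIF, or from Microsoft): first audit whether the ASP.NET worker identity can actually create files under the web root, which is the property the infrastructure manager is worried about; then move EnterpriseInstrumentation.config out of the web root with an ACL that lets the worker identity only read it; finally point web.config at the new location with the appSettings key Mike gives above. The web root path, the config directory, the location of web.config and the worker identity (NETWORK SERVICE is the IIS 6 default on Windows Server 2003) are assumptions and should be adjusted for the real deployment.

```powershell
# Added example (not from the original thread). Audits whether the worker
# identity can create files under the web root, relocates the EIF config
# outside the web root with a read-only ACL for that identity, and updates
# web.config with the appSettings key given in the thread.
# Assumed values: web root path, config directory, worker identity.
param(
    [string]$WebRoot        = 'C:\inetpub\wwwroot\MyApp',
    [string]$ConfigDir      = 'C:\ConfigFiles',
    [string]$WorkerIdentity = 'NT AUTHORITY\NETWORK SERVICE'
)

$FSR = [System.Security.AccessControl.FileSystemRights]
# Rights that let a principal drop a new file or folder into a directory.
# Modify and FullControl include these bits, so they are caught as well.
$createMask = $FSR::CreateFiles -bor $FSR::CreateDirectories

# Return the Allow ACEs on $Path that let $Identity (or a catch-all group)
# create files there. An empty result is the desired state for a web root.
function Get-WebRootCreateRights {
    param([string]$Path, [string]$Identity)
    $broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $createMask) -ne 0 -and
        ($_.IdentityReference.Value -ieq $Identity -or
         $broadGroups -contains $_.IdentityReference.Value)
    }
}

# Move the config outside the web root. Nothing under $ConfigDir is served
# by IIS, so a write there cannot become a web-reachable executable file.
function Move-EifConfigOutOfWebRoot {
    param([string]$WebRoot, [string]$ConfigDir, [string]$Identity)
    New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
    Move-Item -Path (Join-Path $WebRoot 'EnterpriseInstrumentation.config') `
              -Destination $ConfigDir -Force

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $acl = Get-Acl -Path $ConfigDir
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    foreach ($rule in @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($Identity,                'ReadAndExecute')   # EIF only needs to read it
    )) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $rule[0], $rule[1], $inherit, $none, 'Allow')))
    }
    Set-Acl -Path $ConfigDir -AclObject $acl
}

# Point the web app at the relocated file via the appSettings key from the thread.
function Set-EifConfigPath {
    param([string]$WebConfigPath, [string]$ConfigFilePath)
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($WebConfigPath)
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement('appSettings'))
    }
    $add = $appSettings.SelectSingleNode("add[@key='instrumentationConfigFile']")
    if (-not $add) {
        $add = $appSettings.AppendChild($xml.CreateElement('add'))
        $add.SetAttribute('key', 'instrumentationConfigFile')
    }
    $add.SetAttribute('value', $ConfigFilePath)
    $xml.Save($WebConfigPath)
}

# --- run the audit, then the relocation ---
$offending = Get-WebRootCreateRights -Path $WebRoot -Identity $WorkerIdentity
if ($offending) {
    Write-Warning "These ACEs let the worker identity create files under $WebRoot (remove them):"
    $offending | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Host "OK: $WorkerIdentity cannot create files under $WebRoot"
}
Move-EifConfigOutOfWebRoot -WebRoot $WebRoot -ConfigDir $ConfigDir -Identity $WorkerIdentity
Set-EifConfigPath -WebConfigPath (Join-Path $WebRoot 'web.config') `
                  -ConfigFilePath (Join-Path $ConfigDir 'EnterpriseInstrumentation.config')
```

With only ReadAndExecute on the config directory, the worker process still cannot write the backup copy, so the Event Log warning Mike describes will still appear; that is the "ignore the warning" option from his post, applied to the relocated file. If the warning is unwanted, grant the worker identity Modify on $ConfigDir instead of ReadAndExecute, which is far less risky than Modify on the web root because IIS never serves or executes anything from that directory. The IsInherited column in the audit output is worth a look: write access to a web root is frequently inherited from an ACE higher up the drive rather than granted on the folder itself.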
Re: EIF Security Risk (w/Web apps) tsabin NO[at]SPAM yahoo.com
10/16/2003 6:54:20 AM
Thanks, Mike. That's exactly what I needed. I assume the framework
runs under the calling process' security context. Do you know if that
is correct?
Re: EIF Security Risk (w/Web apps) mikehayt_ NO[at]SPAM online.microsoft.com
10/17/2003 5:52:14 PM
Yup - that's correct. :)
