
.NET Health Monitoring

Explore how ASP.NET Health Monitoring safeguards running applications, learn Best Practices, Email Layout, Custom Configuration, and more for a secure web environment.

dbarry

Presentation Transcript


  1. .NET Health Monitoring Jonathan Franco ITD Application Services

  2. What is .NET?
     • ASP.NET is a web application framework developed by Microsoft to allow programmers to build dynamic web sites, web applications and web services.
     • It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft’s Active Server Pages (ASP) technology.
     • ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language.

  3. What is .NET Health Monitoring?
     • The ASP.NET Health Monitoring system is designed to monitor the health of a running ASP.NET application in a production environment.
     • The Health Monitoring system works by recording event information to a specified log source.
     • Log Sources
       • Email
       • Event Log
       • SQL
       • WMI
       • Trace

  4. Event Occurrence • The chart below shows Event occurrences for an outside facing server.

  5. Sample Application

  6. Error Handling
     • When an error occurs in the web application, the error page should not give away any details.
     • An error handler redirects to this error page.

  7. Improper Error Handling
     • Lack of error handling can lead to an attacker gaining additional information about the web server or application.
     • There are ways to force the web application to reveal information without proper error handling.

  8. Best Practices
     • Error Page
       • Add an error page to avoid giving information away to attackers.
     • Publish web sites to server
       • Don’t copy code to the servers. Copying code to the servers is insecure and will cause a fair number of Health Monitoring Events.
     • Don’t debug on the server
       • Debugging on the server will cause various Health Monitoring Events. Generating the wrong kinds of events can cause your IP to be blocked if done on the server.

  9. Email Layout
     • Provider that sent the Event.
     • Application Name, Event Code and Event Detail Code for the Event.
     • Stack trace for the Event.

  10. Email Layout
     • Event Message, time and ID. Event ID can be traced back to the Event Log if additional information is desired.
     • IP Address, regardless of proxy, that caused the Event.

  11. Custom Configuration
     • Developer Override for Email
     • Subject Prefix
     • Email List
     • Header and Footer for Body
     • Reply To
     • AppendEmail
     • Sample Subject line
       • HM [servername] Event Code: 3003 Event Message: A validation error has occurred. Event type: WebRequestErrorEvent

  12. Settings
     • Buffer modes configure whether events are buffered or not.
     • Providers list the providers that are configured, along with information on where to send the event.
     • Profiles state any limits on sending the events.
     • Rules link the Event Mapping to the Provider.
     • Event Mappings tell what events to report.
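
The five settings groups above, together with the generic error page from the Error Handling slides, as they could appear in one web.config. This is an added example, not the presenter's configuration: it uses the built-in SimpleMailWebEventProvider in place of the custom ITD provider, and every name, address and the Error.aspx path are placeholders.

```xml
<configuration>
  <system.web>
    <!-- Visitors see a generic page; the details go to Health Monitoring instead -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
    <healthMonitoring enabled="true">
      <!-- Buffer modes: whether and how events are batched before delivery -->
      <bufferModes>
        <add name="Example Mail Buffer" maxBufferSize="100" maxFlushSize="20"
             urgentFlushThreshold="1" regularFlushInterval="Infinite"
             urgentFlushInterval="00:01:00" maxBufferThreads="1" />
      </bufferModes>
      <!-- Providers: where events are sent (placeholder addresses) -->
      <providers>
        <add name="ExampleMailProvider"
             type="System.Web.Management.SimpleMailWebEventProvider"
             from="hm@example.invalid" to="webteam@example.invalid"
             subjectPrefix="HM"
             buffer="true" bufferMode="Example Mail Buffer"
             maxEventsPerMessage="10" maxMessagesPerNotification="5" />
      </providers>
      <!-- Profiles: limits on how often matching events are passed on -->
      <profiles>
        <add name="Example Throttle" minInstances="1" maxLimit="Infinite"
             minInterval="00:01:00" />
      </profiles>
      <!-- Event mappings: which events to report (here, request errors) -->
      <eventMappings>
        <add name="Example Request Errors"
             type="System.Web.Management.WebRequestErrorEvent"
             startEventCode="0" endEventCode="2147483647" />
      </eventMappings>
      <!-- Rules: link an event mapping to a provider, under a profile -->
      <rules>
        <add name="Example Request Errors To Mail"
             eventName="Example Request Errors"
             provider="ExampleMailProvider" profile="Example Throttle" />
      </rules>
    </healthMonitoring>
  </system.web>
</configuration>
```

The mail provider delivers through the SMTP server configured under system.net/mailSettings, which is omitted here. Custom names are used because the machine-level configuration already defines entries such as "All Errors" and "EventLogProvider".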

  13. Migration/Deployment Notes
     • Review settings of any existing web applications that use Health Monitoring. Make sure there are no conflicts.
     • Deploy during working hours, when everyone is available.
     • Periodically check occurrence of events and determine which providers should report these events.

  14. Non-ITD Provider Use
     • The Health Monitoring assemblies can be configured/used on your server.
     • Develop Provider
     • Develop HTTP Handler to get the Request information.
     • Sum up the compilation Events when web sites are Published.
     • Obfuscate the offending content from a Validation Error, shown in the Custom Event Details section.

  15. Future Enhancements
     • Heartbeat: make a web service to receive heartbeats from various applications and only send an email if there is trouble.
     • Detect and report HTTP POST with SQL Injection.
     • Send an email for multiple starts and stops of an application based on a configured threshold.

  16. Any Questions/Comments?
