How to enable access auditing of critical files or directories that cause a restart of the TIBCO Spotfire Web Player application, using Windows Audit Policy.
Article ID: KB0080225
Updated On:
| Products | Versions |
|---|---|
| Spotfire Web Player | 7.0 and lower |
Description
The Web Player application will restart automatically if the critical files or directories monitored by IIS and ASP.NET are modified or accessed. For example, this will be due to an anti-virus scan on the Web Player's webroot folder. A shutdown and restart which includes "HostingEnvironment initiated shutdown", such as the following will be seen in the Web Player Spotfire.Dxp.Web.logs:
INFO 2014-05-30 07:10:53,556 [17, (null)] Spotfire.Dxp.Web.Forms.Global - Application shutdown reason:Change Notification for critical directories. bin dir change or directory rename HostingEnvironment initiated shutdown Change Notification for critical directories. bin dir change or directory rename HostingEnvironment caused shutdown DEBUG 2014-05-30 07:10:53,556 [17, (null)] Spotfire.Dxp.Web.Forms.Global - Application shutdown callstack: at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo) at System.Environment.get_StackTrace() at System.Web.Hosting.HostingEnvironment.InitiateShutdownInternal() at System.Web.HttpRuntime.ShutdownAppDomain(String stackTrace) at System.Web.HttpRuntime.OnCriticalDirectoryChange(Object sender, FileChangeEvent e) at System.Web.FileChangesMonitor.OnCriticaldirChange(Object sender, FileChangeEvent e) at System.Web.DirectoryMonitor.FireNotifications() at System.Web.Util.WorkItem.CallCallbackWithAssert(WorkItemCallback callback) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean ignoreSyncCtx) at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem() at System.Threading.ThreadPoolWorkQueue.Dispatch() at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback() DEBUG 2014-05-30 07:10:53,587 [17, (null)] Spotfire.Dxp.Web.SiteManager - Web Player server shutting down on host 'MY-SERVER'.
Or:
INFO ;2014-07-17 09:29:13,306;21;(null);Spotfire.Dxp.Web.Forms.Global;Application shutdown reason:CONFIG change HostingEnvironment initiated shutdown HostingEnvironment caused shutdown^~ INFO ;2014-07-17 09:29:13,322;21;(null);Spotfire.Dxp.Web.SiteManager;Web Player server shut down on host 'MY-SERVER'.^~
This Web Player application restart can be prevented by determining which external application is accessing the Web Player files. The external application can be configured to avoid this.
Issue/Introduction
How to enable access auditing of critical files or directories that cause a restart of the TIBCO Spotfire Web Player application, using Windows Audit Policy.
Resolution
To turn on object access auditing, you need to alter the local security policy of your server. This can be done centrally via a group policy object or it can be done on the local machine. To turn on object access audit using the local security policy, use the following process.
You need to enable auditing for each critical folder (and all its sub-folders and files) which is monitored by IIS and ASP.NET. These critical folders that must be audited for the TIBCO Spotfire Web Player follow.
For each folder, use the following process.
The events will be captured in the Windows Security events found here.
Audit Success,27-Jan-16 5:00:24 PM,Microsoft-Windows-Security-Auditing,4663,File System,"An attempt was made to access an object."
Subject:
Security ID: MYSERVER\Administrator
Account Name: Administrator
Account Domain: MYSERVER
Logon ID: 0x3fc8a
Object:
Object Server: Security
Object Type: File
Object Name: C:\Program Files\TIBCO\Spotfire Web Player\7.0.0\webroot\web.config
Handle ID: 0xcc
Process Information:
Process ID: 0xf14
Process Name: C:\Windows\System32\notepad.exe
- Open up Administrative Tools -> Local Security Policy, or run secpol.msc
- Open Local Policies -> Audit Policy
- Right-click on “Object Access Audit” and select Properties.
- Ensure “Success” and “Failure” are both checked.
- Click on OK, then close the Local Security Policy window.
You need to enable auditing for each critical folder (and all its sub-folders and files) which is monitored by IIS and ASP.NET. These critical folders that must be audited for the TIBCO Spotfire Web Player follow.
- <INSTALLATION_DIR>\TIBCO\Spotfire Web Player\X.X.X\webroot
- <INSTALLATION_DIR>\TIBCO\Spotfire Web Player\X.X.X\Temp
- Where this path is updated with the path as defined the SettingsRootFolder and TempFolder settings in your web.config:
...
<applicationSettings>
<!-- You normally shouldn't edit these settings. -->
<Spotfire.Dxp.Internal.Properties.Settings>
...
<setting name="SettingsRootFolder" serializeAs="String">
<value>C:\Program Files\TIBCO\Spotfire Web Player\X.X.X\Temp</value>
</setting>
<setting name="TempFolder" serializeAs="String">
<value>C:\Program Files\TIBCO\Spotfire Web Player\X.X.X\Temp</value>
</setting>
...
- Where this path is updated with the path as defined the SettingsRootFolder and TempFolder settings in your web.config:
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
- C:\Windows\System32\inetsrv\config
For each folder, use the following process.
- Open up the File Explorer by right-clicking and selecting Run As Administrator.
- Browse to the folder you want to turn auditing on.
- Right-click on the folder and select Properties.
- Select the Security Tab.
- Click on Advanced, then Auditing tab, and click Edit.
- Click on Add.
- Enter "Everyone", click on Find Now to ensure it is registered, then click on OK.
- Check all of the Successful and Failed boxes, then click on OK.
- Close the windows by clicking OK.
The events will be captured in the Windows Security events found here.
- Event Viewer > Windows > Security
For example:
= = =Audit Success,27-Jan-16 5:00:24 PM,Microsoft-Windows-Security-Auditing,4663,File System,"An attempt was made to access an object."
Subject:
Security ID: MYSERVER\Administrator
Account Name: Administrator
Account Domain: MYSERVER
Logon ID: 0x3fc8a
Object:
Object Server: Security
Object Type: File
Object Name: C:\Program Files\TIBCO\Spotfire Web Player\7.0.0\webroot\web.config
Handle ID: 0xcc
Process Information:
Process ID: 0xf14
Process Name: C:\Windows\System32\notepad.exe
= = =
Note: The audit log can be very verbose if there is a log of activity. Because the security log is limited in size, select the files and folders to be audited carefully. Also consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
Alternate solution:
Additional Information
External: Apply or Modify Auditing Policy Settings for a Local File or Folder
KB: 40735 How to enable access auditing of critical files or directories that cause a restart of the TIBCO Spotfire Web Player application, using Process Monitor.
Feedback
Yes
No
Powered by
