The typical scenario for securing elmah.axd is allowing only some authenticated user to be able to access it. But if your site doesn’t use any authentication at all this might not be applicable.
Here’s what I would recommend you:
- Disable completely the
elmah.axdhandler on your main site - Configure
elmahto write the logs to some shared data source (like a shared file, SQLite database or even SQL Server) - Configure a second site in IIS, probably on another network or server, which has only elmah installed and which points to this same shared data source. Now you would always use the second site to read the logs. Obviously the second site would only be accessible to you.
If you decide to use SQL Server you could even read the logs of multiple applications running on multiple web servers in a farm from within a single internal application accessible only to you.