audit records

Posted on 2011-04-21
Last Modified: 2012-05-11
As we know in SharePoint, there's an audit log of everything that happens.  

When I was describing this capability to someone, they asked me if an administrator can turn the log off, sneak in and snoop in user files, then turn it back on, and subsequently have no record of the fact that the administrator snooped. Is this true?  

The reason I ask is that we're having the inevitible situation where some user is realizing that an IT user can get to people's files.  I was describing to them that this is not an uncommon situation in IT, and explaining that this is why we a framework and procedures in place to counterbalance this risk.  Things like:

-Background Investigations on new hires, and 5 year check-ins on existing employees
-SharePoint Audit logs, server logs, network logs, etc
-and not letting any one person be a single point of failure for any given system

So they challeneged the notion of Audit Logs speculating that an admin could go in turn logging off, do something michevious, and then turn logging back on.  

1) Is this a weakness?
2) Are there any other ways that you mitigate this inevitible "risk"

Question by:crmsharepoint
    LVL 14

    Accepted Solution

    That is correct , but I don't consider it a weakness , all systems have the same type of functionality.

    It could be a problem if a single person is doing all the work .

    best practice to have multiple administrators and have different admins have different roles.

    Audit in sharepoint can be a bit heavy on SQL , so you can enable / disable it at the site collection level with the proper level of detail [that is done at setup time].

    You can actually audit the audit settings changes themselves and that can be done by a higher non SharePoint entity.

    hope that helps.

    LVL 14

    Expert Comment

    Also , there are 3rd party products that monitors the audit log changes , that are external to sharepoint .


    That can be managed by your Security officer and not your SharePoint admin

    Best of luck.

    LVL 42

    Assisted Solution

    an IT person could "snoop" without turning off the Audit Logs.  sharepoint Audit Logs are based on IIS activity...

    a smart IT person would just query the SQL backend... where all sharepoint data is stored.
    LVL 42

    Expert Comment

    tracking changes to audit log settings seems like a backwards method, too.  i mean, the IT snoop can always edit the audit log file directly and delete the "offending" lines.  monitoring changes to the audit log settings won't track that...

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    Join & Write a Comment

    The Scenario: Let’s say you have a quote worksheet in Excel that you use to work up sales figures and such for your clients. You utilize SharePoint to manage and keep track of these documents. You would like values from your worksheet to populate Sh…
    If you create your solutions on SharePoint sooner or later you will come upon a request to set  permissions of the item depending on some of the item's meta-data - the author, people assigned as approvers, divisions, categories etc. The most natu…
    Hi everyone! This is Experts Exchange customer support.  This quick video will show you how to change your primary email address.  If you have any questions, then please Write a Comment below!
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    24 Experts available now in Live!

    Get 1:1 Help Now