audit records

Posted on 2011-04-21
Medium Priority
Last Modified: 2012-05-11
As we know in SharePoint, there's an audit log of everything that happens.  

When I was describing this capability to someone, they asked me if an administrator can turn the log off, sneak in and snoop in user files, then turn it back on, and subsequently have no record of the fact that the administrator snooped. Is this true?  

The reason I ask is that we're having the inevitible situation where some user is realizing that an IT user can get to people's files.  I was describing to them that this is not an uncommon situation in IT, and explaining that this is why we a framework and procedures in place to counterbalance this risk.  Things like:

-Background Investigations on new hires, and 5 year check-ins on existing employees
-SharePoint Audit logs, server logs, network logs, etc
-and not letting any one person be a single point of failure for any given system

So they challeneged the notion of Audit Logs speculating that an admin could go in turn logging off, do something michevious, and then turn logging back on.  

1) Is this a weakness?
2) Are there any other ways that you mitigate this inevitible "risk"

Question by:crmsharepoint
  • 2
  • 2
LVL 14

Accepted Solution

GeorgeGergues earned 1200 total points
ID: 35440443
That is correct , but I don't consider it a weakness , all systems have the same type of functionality.

It could be a problem if a single person is doing all the work .

best practice to have multiple administrators and have different admins have different roles.

Audit in sharepoint can be a bit heavy on SQL , so you can enable / disable it at the site collection level with the proper level of detail [that is done at setup time].

You can actually audit the audit settings changes themselves and that can be done by a higher non SharePoint entity.

hope that helps.

LVL 14

Expert Comment

ID: 35440459
Also , there are 3rd party products that monitors the audit log changes , that are external to sharepoint .




That can be managed by your Security officer and not your SharePoint admin

Best of luck.

LVL 44

Assisted Solution

by:zephyr_hex (Megan)
zephyr_hex (Megan) earned 800 total points
ID: 35441771
an IT person could "snoop" without turning off the Audit Logs.  sharepoint Audit Logs are based on IIS activity...

a smart IT person would just query the SQL backend... where all sharepoint data is stored.
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 35442814
tracking changes to audit log settings seems like a backwards method, too.  i mean, the IT snoop can always edit the audit log file directly and delete the "offending" lines.  monitoring changes to the audit log settings won't track that...

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft SharePoint Foundation 2010 and Microsoft SharePoint Server 2010 do not offer the option to configure the location of the SharePoint diagnostic trace log files during installation.  This can, however, be configured through Central Administr…
Summary In SharePoint 2010 it is easy to create custom color themes to jazz up a site. Theme colors can also be created in PowerPoint 2010 with a few clicks. But how do the chosen colors actually look in the SharePoint site? The attached PowerPoint…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question