Security, et al

Randy's Blog on Infosec and Other Stuff

Making the SharePoint Audit Log Usable

Tue, 09 Feb 2010 10:53:22 GMT

As more and more information and processes move to SharePoint, it becomes critical for compliance and security requirements to monitor and audit SharePoint activity.

I was very excited when I first learned about the SharePoint audit log but I quickly determined that in its unimproved state the SharePoint audit log is essentially unusable due to 4 key issues:

  1. SharePoint's audit log does not provide the names of users or objects.
    The SharePoint audit log fails to translate record IDs, so you have no idea which object or user a given event refers to! Click here for an example of an audit event from SharePoint and then what LOGbinder does with it.
  2. SharePoint's audit log is buried in SharePoint's SQL server content database.
    To ensure the integrity of audit trails, logs must be moved from the system where they are generated to a separate, secure log archive. However, in SharePoint the audit log isn't really a log - it's a table in the SharePoint database. This makes it inaccessible to most log management solutions. Without the ability to collect the SharePoint audit log into a separate, secure log archive, its value as a high-integrity audit trail is compromised.
  3. SharePoint's audit log has no reporting.
    In Windows SharePoint Services the log is totally inaccessible, and in Office SharePoint Services it's exposed only through a few rudimentary, impractical reports in Excel.
  4. Windows SharePoint Services provides no interface for enabling auditing at all.
    The audit log is there but without custom programming there's no way to turn it on; much less access the logs.
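
Issues 1 and 4 are both object-model problems, so here is what the "custom programming" amounts to. This is an added example, not LOGbinder SP's code and not from the original post: a PowerShell script that enables auditing on a site collection through the SharePoint object model and exports a window of audit entries with the numeric UserId and GUID ItemId resolved to login names and item locations. The site URL, output path and day count are placeholders.

```powershell
# Added example, not LOGbinder SP code: enable site-collection auditing in WSS 3.0 / MOSS 2007
# through the SharePoint object model (issue 4 above) and export the audit entries with the
# raw UserId / ItemId values resolved to names (issue 1 above).
# Run on a SharePoint web front-end as a farm administrator. Hypothetical values: the site URL,
# the output path and the number of days to export.
param(
    [string]$SiteUrl = 'http://intranet.example.com/sites/finance',   # placeholder
    [string]$OutFile = 'C:\Logs\sharepoint-audit.csv',                 # placeholder
    [int]$Days = 7
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    # Issue 4: WSS has no UI for this. The audit mask lives on SPSite.Audit; Update() persists it.
    if ($site.Audit.AuditFlags -eq [Microsoft.SharePoint.SPAuditMaskType]::None) {
        $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::All
        $site.Audit.Update()
        Write-Host "Auditing enabled on $SiteUrl; entries will accumulate from now on."
    }

    # Issue 2 in miniature: the entries come from the audit table in the content database,
    # so pull a bounded window rather than the whole table.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).AddDays(-$Days))

    $rootWeb   = $site.RootWeb
    $userCache = @{}
    $rows = @()
    foreach ($entry in $site.Audit.GetEntries($query)) {
        # Issue 1: UserId is an integer index into the site collection's user list.
        if (-not $userCache.ContainsKey($entry.UserId)) {
            try   { $userCache[$entry.UserId] = $rootWeb.SiteUsers.GetByID($entry.UserId).LoginName }
            catch { $userCache[$entry.UserId] = "<unknown user id $($entry.UserId)>" }  # deleted or system account
        }

        # ItemId is a GUID. DocLocation already names documents and list items; lists and webs
        # can be opened by GUID. Anything else stays as the raw GUID.
        $itemName = $entry.DocLocation
        if (-not $itemName) {
            switch ($entry.ItemType) {
                'List' { try { $itemName = $rootWeb.Lists[$entry.ItemId].Title } catch { } }
                'Web'  { try { $w = $site.OpenWeb($entry.ItemId); $itemName = $w.Url; $w.Dispose() } catch { } }
            }
            if (-not $itemName) { $itemName = "<item $($entry.ItemId)>" }
        }

        $rows += New-Object PSObject -Property @{
            Occurred  = $entry.Occurred
            Event     = $entry.Event.ToString()      # e.g. View, Update, Delete, SecurityChange
            User      = $userCache[$entry.UserId]
            ItemType  = $entry.ItemType.ToString()
            Item      = $itemName
            EventData = $entry.EventData             # XML detail carried by some event types
        }
    }

    $rows | Sort-Object Occurred |
        Select-Object Occurred, Event, User, ItemType, Item, EventData |
        Export-Csv -Path $OutFile -NoTypeInformation
    Write-Host ("{0} audit entries written to {1}" -f $rows.Count, $OutFile)
}
finally {
    $site.Dispose()
}
```

Once the CSV exists it can be picked up by any log collector, which is the point of issue 2: the entries leave the content database on a schedule instead of living only as rows in it. Lookups that fail (a user deleted since the event) are kept as labelled unknowns rather than dropped, so the export never silently loses an event.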

I'm still a software developer at heart and the problems with the SharePoint audit log finally pushed me over the edge. The result is LOGbinder SP.

LOGbinder SP is a small, efficient Windows service that monitors the internal SharePoint audit log without making any changes to your SharePoint installation.

For each event LOGbinder SP resolves the user and object IDs and other cryptic codes, producing an easy to understand, plain-English translation of the SharePoint audit event. LOGbinder SP then sends these events to the Windows event log (either the Security log or a custom log) which in turn allows you to leverage any log management solution to collect, monitor, alert, analyze, report and archive SharePoint audit logs.

Here's an example event from the SharePoint audit log as delivered via Excel, compared to what the same event looks like after LOGbinder SP translates it.

[Image: SharePoint Audit Log Example]

LOGbinder SP is now out of beta and ready for prime-time. You can download an evaluation copy, watch a webinar on the SharePoint audit log, get your questions answered and more at: www.logbinder.com

Please try it out and tell me what you think!

Understanding Audit Logging in SQL Server 2008 - 2/18/10 12PM US Eastern Time

Tue, 12 Jan 2010 12:08:11 GMT

With 2008, SQL Server finally has a real audit log capability.  It's flexible and high-performance, and it can report its events directly to the Windows Security Event Log, which means you can leverage the security and integrity of the Security log AND take advantage of whatever log management solution you currently use to collect, monitor and report server logs.

Now you can audit changes to SQL Server configuration and objects as well as commands executed against tables such as Select, Update, Delete and Insert.  SQL Server 2008 auditing produces an audit log, not a transaction log.  That means you can audit any command or other action in SQL Server, but the audit log does not record before and after images of the actual data table rows.  Again, it's an audit log, not a transaction log.

Similar to Windows auditing, SQL Server 2008 auditing allows you to define which SQL Server objects and actions you wish to audit, and you can limit audited activity to specific users or roles.  When you enable auditing you can choose to send audit events either to binary SQL audit log files in a specified folder or to the Application or Security event log.  For obvious security and log management reasons I recommend the Security log.  I wish Microsoft had used different event IDs for each audit event, but all SQL Server audit events show up as event ID 33205, so you have to look in the event details for any and all particulars about the event.

The new SQL commands for auditing include:

  • CREATE SERVER AUDIT
  • CREATE SERVER AUDIT SPECIFICATION
  • CREATE DATABASE AUDIT SPECIFICATION

In this real training webinar I will explain those commands and show you how to set up SQL Server auditing to report events to the Security log.  Then I will demonstrate a number of audit scenarios for tracking things like:

  • Permission changes
  • Login and role changes
  • Login failures
  • Commands against specific tables like SELECT and UPDATE
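
The scenarios above map onto action groups in the two specifications. As an added example (not from this post or the webinar), this PowerShell script runs the three commands in the order they depend on each other, points the audit at the Security log, and then reads the resulting event ID 33205 records back, pulling the action, principal and object out of the message body because the event ID alone says nothing. The instance, database, table and audit object names are placeholders; the Windows-side prerequisites for TO SECURITY_LOG are noted in the comments.

```powershell
# Added example, not from this post or the webinar: set up SQL Server 2008 auditing to the Windows
# Security log with the three commands listed above, then read the event ID 33205 records back.
# Run elevated on the SQL Server host as a sysadmin. Hypothetical values: the instance, database,
# table and audit object names.
param(
    [string]$Instance = '.\SQL2008',        # placeholder instance
    [string]$Database = 'SalesDb',          # placeholder database
    [string]$Table    = 'dbo.Customers'     # placeholder table whose SELECT/UPDATE traffic is audited
)

# Two Windows-side prerequisites for TO SECURITY_LOG: the SQL Server service account needs the
# "Generate security audits" user right (SeAuditPrivilege), and the Object Access > Application
# Generated audit subcategory must be enabled. The user right is a Local Security Policy change;
# the subcategory can be switched on here.
& auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null

$batches = @()
$batches += @"
USE master;
-- 1. CREATE SERVER AUDIT names the destination. ON_FAILURE = SHUTDOWN is the stricter choice
--    when losing audit records is worse than losing the instance.
CREATE SERVER AUDIT Audit_SecurityLog
    TO SECURITY_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
"@
$batches += @"
USE master;
-- 2. CREATE SERVER AUDIT SPECIFICATION selects instance-level actions (the webinar scenarios).
CREATE SERVER AUDIT SPECIFICATION ServerSpec_Changes
    FOR SERVER AUDIT Audit_SecurityLog
    ADD (SERVER_PERMISSION_CHANGE_GROUP),     -- permission changes
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),    -- role membership changes
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),      -- login create/alter/drop
    ADD (FAILED_LOGIN_GROUP)                  -- login failures
    WITH (STATE = ON);
"@
$batches += @"
USE $Database;
-- 3. CREATE DATABASE AUDIT SPECIFICATION selects database-level actions, including statements
--    against one table. BY public covers every user; name a user or role to narrow it.
CREATE DATABASE AUDIT SPECIFICATION DbSpec_Changes
    FOR SERVER AUDIT Audit_SecurityLog
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SELECT, UPDATE ON OBJECT::$Table BY public)
    WITH (STATE = ON);
"@
$batches += @"
USE master;
-- The audit object is created disabled; turn it on last so both specifications are already in place.
ALTER SERVER AUDIT Audit_SecurityLog WITH (STATE = ON);
"@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI")
$conn.Open()
try {
    foreach ($sql in $batches) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.ExecuteNonQuery()
    }
}
finally { $conn.Close() }

# Every SQL audit record is event ID 33205; the action, principal and object are only in the
# message body as "name:value" fields. action_id codes (SL = SELECT, UP = UPDATE, ...) are
# expanded by the sys.dm_audit_actions view.
function Get-SqlAuditEvents {
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 33205 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            $field = { param($name) [regex]::Match($m, "${name}:([^\r\n]*)").Groups[1].Value.Trim() }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Action    = & $field 'action_id'
                Succeeded = & $field 'succeeded'
                Principal = & $field 'server_principal_name'
                Object    = & $field 'object_name'
                Statement = & $field 'statement'
            }
        }
}

Get-SqlAuditEvents | Format-Table Time, Action, Succeeded, Principal, Object, Statement -AutoSize
```

Because every record shares one event ID, any alerting rule built on this feed has to match on message fields (action_id, succeeded, server_principal_name, object_name) rather than on the ID, which is exactly the extra step the post warns about; the Get-SqlAuditEvents function shows the minimum parsing a collector needs to do.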

This real training webinar is not free.  For specialized topics where finding a sponsor is not practical I’m trying out a new paid model.  The fee is low and there is no sponsor presentation; your information will not be shared with anyone.  It’s all deep, technical training.  To register please click here.

Venue Announced for Security Log Secrets - Los Angeles - January 25-27

Mon, 28 Dec 2009 14:19:48 GMT

The venue has been announced for my upcoming SLS class in LA.  Please click here for more details on the event http://www.ultimatewindowssecurity.com/blog/default.aspx?p=137e4ecb-adb6-4c5e-806a-f87e99ad2944.

My next webinar is a comprehensive look at reducing the problems and risks associated with passwords using the latest technologies

Thu, 03 Dec 2009 09:08:00 GMT

Password Management: Top Ways to Deal with the Necessary Evil - http://www.ultimatewindowssecurity.com/webinars/register.aspx?id=79

New way to delegate view access to the security log in Windows Server 2008

Tue, 03 Nov 2009 07:29:32 GMT

The customSD registry value doesn't work on Windows Server 2008.  Instead you must use the wevtutil command.  See my updated article at http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Manage-auditing-and-security-log
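
As an added example (not the wiki article's own script), the delegation the article describes can be done with wevtutil like this: read the channel's current SDDL, append an allow ACE carrying only the read bit for the delegated group, and write it back. The group SID is a placeholder; -WhatIf prints the new descriptor without applying it.

```powershell
# Added example, not the article's script: delegate read-only access to the Security log on
# Windows Server 2008 by editing the channel's SDDL with wevtutil (the old CustomSD registry
# value is ignored there). Hypothetical value: the group SID below.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Channel   = 'Security',
    [string]$ReaderSid = 'S-1-5-21-0000000000-0000000000-0000000000-1105'  # placeholder group SID
)

# The current descriptor comes back as a line "channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)...".
$line = @(& wevtutil.exe gl $Channel) -match '^channelAccess:'
if (-not $line) { throw "Could not read channelAccess for channel '$Channel'" }
$sddl = ($line[0] -split ':', 2)[1].Trim()
Write-Verbose "Current SDDL: $sddl"

# Channel access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear. Grant read only.
$ace = "(A;;0x1;;;$ReaderSid)"
if ($sddl -like "*;;;$ReaderSid)*") {
    Write-Host "$ReaderSid already has an entry on $Channel; nothing to do."
    return
}

# If the descriptor carries a SACL section (S:...), the new ACE must go into the DACL before it.
if ($sddl -match '^(.*)(S:.*)$') { $newSddl = $matches[1] + $ace + $matches[2] }
else                             { $newSddl = $sddl + $ace }

if ($PSCmdlet.ShouldProcess($Channel, "set channelAccess to $newSddl")) {
    & wevtutil.exe sl $Channel "/ca:$newSddl"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    # Read it back so the change is confirmed from the system, not assumed.
    @(& wevtutil.exe gl $Channel) -match '^channelAccess:'
}
```

Only the read bit is granted; write and clear stay with the built-in entries, which is the whole point of delegating view access rather than handing out the "Manage auditing and security log" right. If the goal is simply read access for a handful of accounts, putting them in the built-in Event Log Readers group (S-1-5-32-573), which Windows Server 2008 already grants read on the Security channel, avoids touching the SDDL at all.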

Where did "Replace auditing entries on all child objects" check box go in Active Directory Users and Computers?

Tue, 06 Oct 2009 10:15:29 GMT

I can't believe this.  Well, it's Microsoft, so yes I can believe it.  Where did the "Replace auditing entries on all child objects" check box go in Active Directory Users and Computers?  While doing some consulting for a company I just noticed that this check box is not present on the Auditing tab of the security settings dialog for objects in Active Directory Users and Computers.

That makes it impossible to manage auditing of AD objects using the Directory Service category of the security log.

Has anyone else noticed this?  Any solutions?  I'm looking at writing a script to do it but for crying out loud, you shouldn't have to. 

New Software that Unlocks the SharePoint Audit Log

Thu, 24 Sep 2009 10:08:14 GMT

I am very excited today to announce the beta release of LOGbinder SP - my first software solution aimed at expanding the reach of log management.

LOGbinder SP allows you to audit security events in SharePoint with the Windows Security Log.

Why do I need LOGbinder SP? Doesn't SharePoint already have an audit log?

LOGbinder SP is a small, efficient .NET service that monitors the internal SharePoint audit log.  For each event LOGbinder SP resolves the user and object IDs and other cryptic codes, producing an easy to understand, plain-English translation of the SharePoint security event.  (Click here for a list of events.)  Then LOGbinder SP forwards the event to one or more output formats:

  • local Windows security event log
  • custom Windows event log
  • syslog server*
  • text file*
  • XML file*
  • SQL server reporting database*

This variety of output formats allows you to extend any log management solution to now support SharePoint audit trails and security events.

Alternatively, or in addition to integrating with your log management solution, you can configure LOGbinder SP to send events to a SQL Server reporting database and use our pre-built reports (implemented in SQL Reporting Services) to review and analyze the security activity of your SharePoint sites.

LOGbinder SP is currently in beta and available as a free download. Please help us build LOGbinder SP into a great solution!

Please visit http://www.logbinder.com/sp/default.aspx to learn more about the SharePoint audit log, its woeful limitations and how we fix them with LOGbinder SP.

Please download and put LOGbinder SP to work for you, securing SharePoint data.

* not yet implemented in the current beta

Register Now: Security Log Secrets Training Seminar - Los Angeles - 1/25-27/2010

Mon, 21 Sep 2009 11:52:49 GMT

Venue announced:

Hilton Los Angeles North/Glendale & Executive Meeting Ctr
100 West Glenoaks Blvd
Glendale, CA
United States, 91202
Tel: 818-956-5466
Fax: 818-956-5490

Many of you have expressed interest in my Security Log Secrets in-person training if I ever scheduled a seminar at a public venue and date. 

Choosing the right date and venue makes all the difference in getting enough attendees in order to run the course.  My recent survey indicated that first quarter of 2010 in Los Angeles was overwhelmingly the best venue and date.  (DC you were a close second so I'll be looking at you next.) 

This special public training seminar of my Security Log Secrets course will be held in Los Angeles, January 25-27, 2010.

To register and for pricing click here.

This will be a unique opportunity for fellow security log nerds to gather in person and plumb the depths of the cryptic but vital Windows security log!

For complete information on my Security Log Secrets course click here.  You may request a detailed course outline here.  Email me at rsmith@ultimatewindowssecurity.com with any questions.

I wish I could come to each of your cities but it just isn't feasible.  However, if you can't travel to LA, let me know if you would be interested in attending virtually.  Remember that it would be on Pacific time.

Terms: No refund for cancellation within 30 days of the event.  Don't purchase non-refundable airfare until we send you final confirmation.

Please register now! 

LogRhythm 5.0 Opens New Frontier in Log Management with Active Directory Integration

Tue, 15 Sep 2009 15:11:14 GMT

I’m very impressed with the Active Directory integration found in LogRhythm 5.0.  This represents a new frontier in log management maturity.  The new AD integration in LogRhythm 5.0 allows you to combine information from Active Directory with key security log events to take your monitoring and response procedures to the next level of intelligent filtering and automated incident response.

This kind of capability is important because you need to constantly look for ways to reduce the number of alerts and report pages that you have to review and respond to, either by automating the response itself or by doing a better job of qualifying events that are actually inconsequential, that is, expected activity. At the same time you need to constantly improve your monitoring procedures to quickly identify and respond to those events that truly are relevant.

With LogRhythm 5.0 you can add monitoring criteria, for instance, that take the user who triggered a given event and then look up that user in AD and check to see if he/she belongs to a specified group.  Based on their membership, you can discard the event or trigger an alarm. 

LogRhythm 5.0 also allows you to enrich reports with information from Active Directory.  Usually the only information about a user or group in a given log record is the object’s name which makes it difficult to contextualize the event.  But being able to pull additional properties for that user or group from AD saves you lots of time and greatly improves your analytical capabilities.
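
The two capabilities above, membership-based filtering and attribute enrichment, are simple to reproduce with native tools, which is a useful way to understand what the product automates. This is an added example and not LogRhythm's implementation: plain PowerShell applied to event 4720 (user account created), where creation by a member of a delegated account-operations group is expected and discarded, creation by anyone else raises an alarm, and each report row is enriched with the subject's department and title from AD. The group name is a placeholder; the sample events and the stand-in directory are constructed so the script runs without a domain unless -Live is given.

```powershell
# Added example, not LogRhythm's own logic: the "look the subject up in AD, then discard or alarm"
# pattern in plain PowerShell for event 4720 (user account created), plus AD attribute enrichment.
# Hypothetical values: the group name; the sample events and the stand-in directory are constructed.
param(
    [string]$ExpectedGroup = 'Helpdesk-AccountOps',   # placeholder group allowed to create accounts
    [switch]$Live                                      # read the real Security log and real AD
)

# Constructed stand-in for AD (sAMAccountName -> attributes), used when -Live is absent.
$fakeDirectory = @{
    'hd.jones' = @{ memberOf = @("CN=$ExpectedGroup,OU=Groups,DC=example,DC=com")
                    department = 'IT Support'; title = 'Helpdesk Analyst' }
    'b.smith'  = @{ memberOf = @('CN=Sales,OU=Groups,DC=example,DC=com')
                    department = 'Sales'; title = 'Account Manager' }
}

function Get-DirectoryUser {
    param([string]$SamAccountName)
    if (-not $Live) { return $fakeDirectory[$SamAccountName] }

    # Escape LDAP filter metacharacters (RFC 4515) so an odd account name cannot change the query.
    $safe = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=person)(sAMAccountName=$safe))")
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('memberOf', 'department', 'title'))
    $r = $searcher.FindOne()
    if (-not $r) { return $null }
    $first = { param($p) $v = $r.Properties[$p]; if ($v -and $v.Count -gt 0) { [string]$v[0] } else { '' } }
    return @{
        memberOf   = @($r.Properties['memberof'])   # direct membership only: no primary group, no nesting
        department = & $first 'department'
        title      = & $first 'title'
    }
}

function Get-AccountCreatedEvents {
    if (-not $Live) {
        # Constructed sample events in the same shape the live parser below produces.
        return @(
            @{ Time = [datetime]'2009-09-15 09:12:00'; Subject = 'hd.jones'; Target = 'new.hire' },
            @{ Time = [datetime]'2009-09-15 23:41:00'; Subject = 'b.smith';  Target = 'temp.account' }
        )
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -MaxEvents 200 | ForEach-Object {
        # Take named fields from the event XML rather than parsing the rendered message text.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        @{ Time = $_.TimeCreated; Subject = $d['SubjectUserName']; Target = $d['TargetUserName'] }
    }
}

$groupPattern = "^CN=$([regex]::Escape($ExpectedGroup)),"
$report = foreach ($e in Get-AccountCreatedEvents) {
    $u = Get-DirectoryUser $e.Subject
    # Membership decides the verdict; a subject missing from AD is never "expected".
    $isExpected = ($u -ne $null) -and [bool](@($u.memberOf) -match $groupPattern)
    if ($u) { $dept = $u.department; $title = $u.title } else { $dept = '<not found in AD>'; $title = '' }
    if ($isExpected) { $verdict = 'discard (expected)' } else { $verdict = 'ALARM' }
    New-Object PSObject -Property @{
        Time       = $e.Time
        Subject    = $e.Subject
        Department = $dept       # enrichment: context the raw event never carries
        Title      = $title
        NewAccount = $e.Target
        Verdict    = $verdict
    }
}

$report | Sort-Object Time | Format-Table Time, Subject, Department, Title, NewAccount, Verdict -AutoSize
```

With the constructed data the hd.jones row is discarded and the b.smith row is an alarm. Two design points carry over to any real deployment: the LDAP filter is escaped because the account name comes straight from an event, and the membership check reads memberOf, which misses primary-group and nested membership, so a group nested inside the delegated group would need a recursive lookup (or a tokenGroups query) before its members count as expected.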

If you’d like to get more ideas for how you can integrate log data with Active Directory information for more sophisticated and automated monitoring and forensic analysis and if you’d like to see LogRhythm 5.0’s AD integration features demonstrated check out my on demand webinar: 5 Cutting Edge Response Techniques that Integrate Security Events with Active Directory.

New Audit Features in Windows 7 and Windows Server 2008 R2

Fri, 11 Sep 2009 04:31:27 GMT

Just a quick note about the new audit/security log features in Windows 7 and Windows Server 2008 R2:

  1. You can finally configure audit subcategories via group policy!  No more need for running auditpol scripts on thousands of computers.
  2. Global audit policies for files and other objects.  This allows you to configure system wide audit policies for different file types.  The global policies are supposed to help you ensure all desired objects are audited without having to find and configure auditing at each location where such objects exist.
  3. Object access events now provide more information as to why access was allowed or denied by reporting the particular access control entries that played a part.

More to come on these new features in an upcoming webinar.  Subscribe to my newsletter in order to be notified.
