Security, et al

Randy's Blog on Infosec and Other Stuff

New Whitepaper by Randy Franklin Smith "Comparing SharePoint's 4 Audit Logs for Security and SIEM Integration"

Sat, 24 Nov 2012 18:30:31 GMT

This whitepaper by Randy Franklin Smith provides an overview of the 4 different logs in SharePoint and discusses their relative merits in terms of security value and how to integrate them with your SIEM.

Click here to download it now.


New Whitepaper: SharePoint Audit Logging with HP ArcSight and LOGbinder SP

Tue, 06 Nov 2012 17:19:28 GMT

Over at LOGbinder we've released a new whitepaper explaining how LOGbinder SP is the only recognized solution for providing reliable audit information about the security events of SharePoint via HP ArcSight and how it works with many other SIEMs.

Did you know that SharePoint generates several different logs ranging from true audit logs to diagnostic trace logs and usage analysis? This brief will identify what (if any) security intelligence can be learned from each log. It will then explain which logs are readily available to SIEMs, and which logs are not readily available.

Click here to download the whitepaper.


UltimateWindowsSecurity.com 2.0: New Coverage for SQL Server and SharePoint audit logging

Wed, 13 Jun 2012 16:38:43 GMT

I know from the emails I receive and site stats that hundreds of thousands of people over the years have made use of the information at UltimateWindowsSecurity.com.  I’m excited to announce that we have made some major updates.

1.    I’ve added all of the event IDs for both SharePoint audit logging and SQL Server 2008’s totally new audit log into my Security Log Encyclopedia.

2.    I’ve added two new sections to the site itself: SharePoint and SQL Server audit logging.

SharePoint Audit Logging

With SharePoint being used these days to store more and more sensitive data, it’s imperative that you control and know who is accessing what.  In this new area, I explain:

  • How to enable and control SharePoint Audit Logging for end-users and admins
  • How the SharePoint audit log is stored
  • The SharePoint audit policy
  • How to get reporting and alerting from the SharePoint audit log
  • How to get your SharePoint audit log into a SIEM solution
  • LOGbinder SP and how it fills the gaps in SharePoint audit logging

SQL Server Audit Logging

SQL Server 2008 introduced a totally new audit logging facility which is critical to enterprises storing sensitive information and/or processing important transactions in today’s demanding compliance environment.

In my new SQL Server section at UltimateWindowsSecurity.com I:

  • Explore the SQL Server audit policy
  • Sift through the granules of SQL Server auditing and break down Server and Database audit specifications
  • Deep dive into each audit action group, what it does, and each event ID it contains
  • Provide you with access to my free “Audit Policy Wizard”

Click any of the links above or visit UltimateWindowsSecurity.com for more information.


Recommended Alerts and Reports for SharePoint (LOGbinder SP) Updated

Wed, 18 Apr 2012 12:15:00 GMT

I'm happy to let you know that with the recent release of LOGbinder SP 3.0 I've updated our Recommended Alerts and Reports for SharePoint (LOGbinder SP) which you can find at http://www.logbinder.com/products/logbindersp/resources/reports.aspx.

Updates include

  • coverage of new events and features in LOGbinder SP 3.0.
  • new recommended alert rules
  • important notes and explanations regarding "insertion strings", how date/time works in LOGbinder SP and information about the 2 possible "event log sources" that LOGbinder SP events can bear.

This free resource is valuable for anyone looking for tips and recommendations on creating reports or alert rules for SharePoint audit events.


How to Audit an Individual Library or List in SharePoint

Wed, 22 Jun 2011 18:24:46 GMT

SharePoint audit policy is widely regarded as a site collection level setting, leading many to believe you must apply one audit policy to all objects in the entire site collection.  If that were the case you would run into some real granularity problems: either you could not get the events you need for important lists or libraries, or you would enable too much auditing and get way too many events.

Thankfully, though, you can enable auditing on specific document libraries or lists, but you have to know where to look, which I will explain in a moment.

First, though, what audit policies would you likely want to enable for an entire site collection, and what would you want to activate only on specific lists and libraries?  The one audit policy I always suggest enabling is "Editing users and permissions" (aka Security Change in LOGbinder SP), which will provide an audit trail of all auditable security-related changes for the site collection, including permission changes, changes to users and groups, and changes to the audit policy itself.

At the list and library level you have a variety of activities that you can audit, including:

  • Viewing
  • Editing
  • Deletion
  • Check in / Check out

List/library level audit policy is extremely important when it comes to auditing who is viewing confidential information.  If you enable View auditing at the site collection level you end up generating events for every page click by every user throughout the entire site collection, which will create a load on resources and storage.

To enable auditing for a certain library, access the library’s (or list’s) settings page and click the “Information management policy settings” link under Permissions and Management.

On the next page you’ll see entries for the content types allowed for that list or library. For instance, a normal document library will have 2 content types: Document and Folder. Click on a content type and configure auditing. In the example below I’ve enabled auditing of any type of view and download access since this library contains confidential information.

Now SharePoint will obediently begin auditing those actions on that particular list or library. If you have my LOGbinder SP software you'll be able to report or alert on those events with LOGbinder SP SIEM Edition, or if you have your own log management / SIEM solution you can use LOGbinder SP Agent Edition to get SharePoint audit events out of the content database where they don't belong and into your log management solution where they do!  Click here for more information on LOGbinder SP.
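The same split (security changes audited across the site collection, views audited on one library only) can also be scripted. This is an added example, not from the original post or from LOGbinder: it sets the server object model's `SPAudit` flags directly rather than going through the Information management policy page described above, and it assumes SharePoint 2010 or later with the SharePoint PowerShell snap-in. The URL and library title are placeholders.

```powershell
# Added example. Run on a SharePoint server as a farm/site collection admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl      = 'http://sharepoint.example.local/sites/finance'  # placeholder
$libraryTitle = 'Confidential Documents'                         # placeholder
$mask         = [Microsoft.SharePoint.SPAuditMaskType]

$site = Get-SPSite $siteUrl
try {
    # Site collection wide: add SecurityChange ("Editing users and
    # permissions" in the UI) without clearing flags that are already set.
    $site.Audit.AuditFlags = $mask.GetType() -and
        [Microsoft.SharePoint.SPAuditMaskType]($site.Audit.AuditFlags -bor $mask::SecurityChange)
    $site.Audit.Update()

    # One library only: add View auditing, so page views elsewhere in the
    # site collection do not generate events.
    $list = $site.RootWeb.Lists.TryGetList($libraryTitle)
    if ($null -eq $list) { throw "Library '$libraryTitle' not found in $siteUrl" }
    $list.Audit.AuditFlags =
        [Microsoft.SharePoint.SPAuditMaskType]($list.Audit.AuditFlags -bor $mask::View)
    $list.Audit.Update()

    # Read the flags back so the change can be verified and recorded.
    New-Object PSObject -Property @{
        SiteCollection = $site.Url
        SiteFlags      = $site.Audit.AuditFlags
        Library        = $list.Title
        LibraryFlags   = $list.Audit.AuditFlags
    }
}
finally {
    $site.Dispose()   # SPSite holds unmanaged resources
}
```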


Making the SharePoint Audit Log Usable

Tue, 09 Feb 2010 10:53:22 GMT

As more and more information and processes move to SharePoint, it becomes critical for compliance and security requirements to monitor and audit SharePoint activity.

I was very excited when I first learned about the SharePoint audit log but I quickly determined that in its unimproved state the SharePoint audit log is essentially unusable due to 4 key issues:

  1. SharePoint's audit log does not provide the names of users or objects.
    The SharePoint audit log fails to translate record IDs, meaning you have no idea which object or user a given event refers to! Click here for an example of an audit event from SharePoint and then what LOGbinder does with it.
  2. SharePoint's audit log is buried in SharePoint's SQL Server content database.
    To ensure the integrity of audit trails, logs must be moved from the system where they are generated to a separate and secure log archive. However, in SharePoint the audit log isn't really a log - it's a table in the SharePoint database. This makes it inaccessible for most log management solutions. Without the ability to collect the SharePoint audit log into a separate, secure log archive, its value as a high integrity audit trail is compromised.
  3. SharePoint's audit log has no reporting.
    In Windows SharePoint Services the log is totally inaccessible, and in Office SharePoint Services it's exposed through a few rudimentary, impractical reports in Excel.
  4. Windows SharePoint Services provides no interface for enabling auditing at all.
    The audit log is there, but without custom programming there's no way to turn it on, much less access the logs.
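To see issues 1 and 2 first-hand, the raw entries can be read through the server object model. This is an added example, not LOGbinder SP's implementation: it assumes SharePoint 2010 or later with the SharePoint PowerShell snap-in, the site URL is a placeholder, and only the user ID is resolved (the item stays a bare GUID, as stored).

```powershell
# Added example. Lists the last 24 hours of raw audit entries for one
# site collection and resolves the numeric UserId to a login name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite 'http://sharepoint.example.local/sites/finance'  # placeholder
try {
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).ToUniversalTime().AddDays(-1))

    $users = @{}   # cache: UserId -> login name
    foreach ($entry in $site.Audit.GetEntries($query)) {
        $id = $entry.UserId
        if (-not $users.ContainsKey($id)) {
            try {
                $users[$id] = $site.RootWeb.SiteUsers.GetByID($id).LoginName
            }
            catch {
                # Deleted or system accounts have no matching site user.
                $users[$id] = "<unresolved id $id>"
            }
        }
        New-Object PSObject -Property @{
            OccurredUtc = $entry.Occurred
            Event       = $entry.Event        # SPAuditEventType value
            UserId      = $id                 # what the log actually stores
            User        = $users[$id]         # resolved for the reader
            ItemType    = $entry.ItemType
            ItemId      = $entry.ItemId       # GUID, not a name or URL
            Location    = $entry.DocLocation
            EventData   = $entry.EventData    # XML fragment, event specific
        }
    }
}
finally {
    $site.Dispose()
}
```

Piping the output to `Export-Csv` or a forwarder gets a copy of the entries off the content database server.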

I'm still a software developer at heart and the problems with the SharePoint audit log finally pushed me over the edge. The result is LOGbinder SP.

LOGbinder SP is a small, efficient Windows service that monitors the internal SharePoint audit log without making any changes to your SharePoint installation.

For each event LOGbinder SP resolves the user and object IDs and other cryptic codes, producing an easy to understand, plain-English translation of the SharePoint audit event. LOGbinder SP then sends these events to the Windows event log (either the Security log or a custom log) which in turn allows you to leverage any log management solution to collect, monitor, alert, analyze, report and archive SharePoint audit logs.

Here's an example event from the SharePoint audit log pictured as delivered via Excel compared to what the event looks like after LOGbinder SP translates it.

LOGbinder SP turns this: [image: SharePoint Audit Log Example]

LOGbinder SP is now out of beta and ready for prime-time. You can download an evaluation copy, watch a webinar on the SharePoint audit log, get your questions answered and more at: www.logbinder.com

Please try it out and tell me what you think!


New Software that Unlocks the SharePoint Audit Log

Thu, 24 Sep 2009 10:08:14 GMT

I am very excited today to announce the beta release of LOGbinder SP - my first software solution aimed at expanding the reach of log management.

LOGbinder SP allows you to audit security events in SharePoint with the Windows Security Log.

Why do I need LOGbinder SP? Doesn't SharePoint already have an audit log?

LOGbinder SP is a small, efficient .NET service that monitors the internal SharePoint audit log.  For each event LOGbinder SP resolves the user and object IDs and other cryptic codes, producing an easy to understand, plain-English translation of the SharePoint security event.  (Click here for a list of events.)  Then LOGbinder SP forwards the event to one or more output formats:

  • local Windows security event log
  • custom Windows event log
  • syslog server*
  • text file*
  • XML file*
  • SQL server reporting database*

This variety of output formats allows you to extend any log management solution to now support SharePoint audit trails and security events.

Alternatively, or in addition to integrating with your log management solution, you can configure LOGbinder SP to send events to a SQL Server reporting database and use our pre-built reports (implemented in SQL Reporting Services) to review and analyze the security activity of your SharePoint sites.

LOGbinder SP is currently in beta and available as a free download. Please help us build LOGbinder SP into a great solution!

Please visit http://www.logbinder.com/sp/default.aspx to learn more about the SharePoint audit log and its woeful limitations and how we fix them with LOGbinder SP.

Please download and put LOGbinder SP to work for you, securing SharePoint data.

* not yet implemented in the current beta
