SharePoint must protect audit tools from unauthorized access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-28097	SHPT-00-000445	SV-36599r2_rule		Medium

Description
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. SharePoint is an integrated product with comprehensive built-in auditing capabilities working with the Windows system event log. Additional trace logs and usage logs are created by the application and are placed in a designated folder. Logs of actions taken by users of site content (editing, modifying, viewing, deleting, etc.), are stored in a SQL database.

Description

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. SharePoint is an integrated product with comprehensive built-in auditing capabilities working with the Windows system event log. Additional trace logs and usage logs are created by the application and are placed in a designated folder. Logs of actions taken by users of site content (editing, modifying, viewing, deleting, etc.), are stored in a SQL database.

STIG	Date
MS SharePoint 2010 Security Technical Implementation Guide	2019-01-02

Details

Check Text ( C-37383r2_chk )
Obtain local site documentation noting authorized administrators. 1. On the site home page, click “Site Actions” and then click Site Settings. 2. On the Site Settings page, in the Users and Permissions list, click Site collection administrators. 3. Verify all users or groups listed in the site collection administrators group are authorized. 4. Mark as a finding if there are users or groups listed as site administrators that should not be listed as administrators. Check users and groups with full control permission as they can access audit reporting. 1. On the site home page, click Site Actions and then click Site Permissions. 2. Examine all the owners and groups that have full control of the site. 3. Ask the SA or Application Administrators if all the users or groups listed as having full control of the site need full control over the site. 4. It is a finding if there are users or groups listed as having full control over the site which do not need to have full control.

Check Text ( C-37383r2_chk )

Obtain local site documentation noting authorized administrators.
1. On the site home page, click “Site Actions” and then click Site Settings.
2. On the Site Settings page, in the Users and Permissions list, click Site collection administrators.
3. Verify all users or groups listed in the site collection administrators group are authorized.
4. Mark as a finding if there are users or groups listed as site administrators that should not be listed as administrators.

Check users and groups with full control permission as they can access audit reporting.
1. On the site home page, click Site Actions and then click Site Permissions.
2. Examine all the owners and groups that have full control of the site.
3. Ask the SA or Application Administrators if all the users or groups listed as having full control of the site need full control over the site.
4. It is a finding if there are users or groups listed as having full control over the site which do not need to have full control.

Fix Text (F-32620r3_fix)
Remove users and groups from the site administrator / site owner groups. Remove unneeded identifiers from site collection administrators. 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Users and Permissions list, click “Site collection administrators”. 3. Remove any non-site owner users or groups. 4. Click OK. Change permissions on users and groups not requiring full site control. 1. On the site home page, click Site Actions, and then click Site Permissions. 2. Put users not requiring full control in groups with less privilege (i.e., Site contributor, site user).

Fix Text (F-32620r3_fix)

Remove users and groups from the site administrator / site owner groups.
Remove unneeded identifiers from site collection administrators.

1. On the site home page, click Site Actions, and then click Site Settings.
2. On the Site Settings page, in the Users and Permissions list, click “Site collection administrators”.
3. Remove any non-site owner users or groups.
4. Click OK.

Change permissions on users and groups not requiring full site control.
1. On the site home page, click Site Actions, and then click Site Permissions.
2. Put users not requiring full control in groups with less privilege (i.e., Site contributor, site user).