5.2 Ensure that remote sessions for accessing security functions and security-relevant information are audited

Information

Remote access to SharePoint security functions (e.g., user management, audit log
management) and to security-relevant information must be audited by the
organization.

Rationale:

Any remote administrative or security-related access to the SharePoint farm must be
audited in order to track system activity, assist in diagnosing system issues, and provide
the evidence needed for forensic investigations after a security incident. Auditing is also
important for verifying and validating the security controls that are in place on the platform.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To configure audit settings at the site collection level, repeat the following for each
site collection subject to auditing per organizational requirements.
Navigate to Site Collection Administration:

1. Click on Settings.
2. Click on Site Settings.
3. Click Site collection audit settings.
4. Select the events that are required to be audited.
5. Click OK.
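
Because this check is manual, the result of the steps above can be verified across the farm with a script. The following is an added example, not part of the benchmark: it reads each site collection's audit flags through the SharePoint server object model and reports required events that are not enabled. The `$required` set is an assumed placeholder policy and must be replaced with the events your organization requires.

```powershell
# Added example: list site collections whose audit settings lack required events.
# Run from the SharePoint Management Shell on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: placeholder policy. Replace with the events your organization requires.
$required = [int][Microsoft.SharePoint.SPAuditMaskType]'SecurityChange, Delete, Update'

Start-SPAssignment -Global   # track SPSite objects so they are disposed below
try {
    $report = foreach ($site in Get-SPSite -Limit All) {
        $flags   = [int]$site.Audit.AuditFlags
        $missing = $required -band (-bnot $flags)   # required bits that are not enabled
        New-Object PSObject -Property @{
            Url       = $site.Url
            Enabled   = [Microsoft.SharePoint.SPAuditMaskType]$flags
            Missing   = [Microsoft.SharePoint.SPAuditMaskType]$missing
            Compliant = ($missing -eq 0)
        }
    }
}
finally {
    Stop-SPAssignment -Global
}

# Non-compliant site collections sort first.
$report | Sort-Object Compliant, Url |
    Format-Table Url, Compliant, Missing, Enabled -AutoSize
```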

See Also

https://workbench.cisecurity.org/files/2395