
Audit on the search history

Created: 28 Feb 2013 • Updated: 04 Mar 2013 | 7 comments
This issue has been solved. See solution.

Hi,

As part of the Environment Security Initiative by the security team, is there any way to audit who has been doing what on the EV server?

This is to know if someone who got access to the Vault has been doing sensitive data snooping / searching.

Especially from the http://EV-Server-VM/EnterpriseVault/search.asp page.


TonySterling's picture

Do you have Auditing enabled?

Configuring auditing

Article:HOWTO56897  |  Created: 2011-08-01  |  Updated: 2013-01-18  |  Article URL http://www.symantec.com/docs/HOWTO56897

Particularly Advanced Search:

Advanced Search

Records details of searches performed using Outlook or the Web Access application, including the terms used and the number of items found.

John Santana's picture

Well, at the site level it seems that the audit is off.

What is the implication if it is ON?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm a newbie in this forum.

Rob.Wilcox's picture

If it's on then you can enable at the server level various auditing options.

You can also 'mine' the IIS logs.
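
Mining the IIS logs for use of the search page, as suggested in the reply above, could look like the following. This is an added example, not part of the original thread or of Symantec's tooling; it assumes IIS W3C extended logging with the `cs-username` field enabled, and the log lines, users and IPs are constructed.

```python
SEARCH_PAGE = "/enterprisevault/search.asp"  # path taken from the URL in the question

# Constructed sample in IIS W3C extended format; users, IPs and times are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2013-02-27 09:14:02 10.0.0.21 CORP\\alice GET /EnterpriseVault/search.asp - 200
2013-02-27 09:14:40 10.0.0.21 CORP\\alice POST /EnterpriseVault/search.asp - 200
2013-02-27 09:20:11 10.0.0.35 CORP\\bob GET /EnterpriseVault/default.htm - 200
2013-02-27 22:03:57 10.0.0.77 CORP\\svc_ev POST /EnterpriseVault/Search.asp - 200
2013-02-27 22:05:10 10.0.0.77 - GET /EnterpriseVault/search.asp - 401
"""


def search_page_hits(lines):
    """Return {username: {count, ips, first, last}} for successful search.asp requests."""
    fields, hits = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))  # IIS encodes spaces inside fields as '+'
        if row.get("cs-uri-stem", "").lower() != SEARCH_PAGE:
            continue
        if row.get("cs-username", "-") == "-" or not row.get("sc-status", "").startswith("2"):
            continue  # skip unauthenticated or failed requests
        stamp = f'{row.get("date", "")} {row.get("time", "")}'  # IIS logs UTC by default
        entry = hits.setdefault(
            row["cs-username"], {"count": 0, "ips": set(), "first": stamp, "last": stamp}
        )
        entry["count"] += 1
        entry["ips"].add(row.get("c-ip", ""))
        entry["first"] = min(entry["first"], stamp)
        entry["last"] = max(entry["last"], stamp)
    return hits


if __name__ == "__main__":
    for user, e in sorted(search_page_hits(SAMPLE_LOG.splitlines()).items()):
        print(user, e["count"], sorted(e["ips"]), e["first"], e["last"])
```

IIS logs record only the URL and query string, not POST bodies, so this shows who used the search page and when; the Advanced Search audit category quoted above is what records the search terms.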

TonySterling's picture

If you turn Auditing on it will create a SQL database. You will then enable the categories you wish to audit. Just be sure to keep an eye on the Audit db size and trim it every once in a while.

This will allow you to capture the information you are looking for in one place and not have to go through IIS logs.

SOLUTION
John Santana's picture

Many thanks for the advice, Tony, so in this case the audit isn't turned on by default.

Plus, by logging on to the EV server as the EV service account, anyone can browse through anyone's email.

Kind regards,

John Santana
IT Professional


TonySterling's picture

The EV service account does not have access by default.  Someone would have to grant permission for themselves on an archive to be able to search it.

John Santana's picture

Tony, yes you are right, many thanks for the advice.

Kind regards,

John Santana
IT Professional
