Automated Enterprise-wide SQL Server Auditing
Nem W. Schlecht (@nemws1, nemws1@gmail.com)
October 30th through November 3rd: join the brightest data professionals focused on the Microsoft Data Platform! Pre-Conference Sessions Monday/Tuesday; Conference Wednesday through Friday.
SQLSaturday #682 After Party: 4th floor of Mall of America at 6:30 PM. Sponsored by:
PASSMN News/Info: thanks to all our sponsors of 2017! We need sponsors for 2018! Special thanks to our annual sponsor. Board Member Elections: 3 spots available for the 2018-2019 term. Your chance to help out the MN SQL community!
About Me: Fargo PASS Chapter Leader. Twitter: @nemws1. E-mail: nemws1@gmail.com
IT Philosophy: modify your solutions for your needs; stop modifying (constraining) yourself! Don't just fix the current problem… fix it so it doesn't happen again.
Introduction
Problem: lots of MSSQL instances; need to set up new servers quickly and accurately; inconsistencies / enterprise changes / learning!; best practices / compliance (SOX, et al.); 3rd-party software; Jr. DBAs / Domain Admins.
Solution: collect data, compare data, check data, fix issues (yup, that simple).
Solution (details): as close to all-SQL as possible (some PowerShell); automated; by default, uses servers from an SSMS Central Management Server list; run daily via a Windows Task; daily reports on changes and needed fixes.
Collect Data: if you need it, query it and record it. All data collection queries are stored in a table (of course), results are simple key/value pairs, and queries can be de-activated and sorted.
Collect Data: working on community involvement and presets (minimum collection points, recommended, Glenn Berry, VM environments).
Currently ~200 data points
Common Data Points: all Agent Jobs (and categories); all database compatibility levels; free space on all drives; Instant File Initialization?? (without trace flags 3004 & 3605, don't think we can check this yet…).
Common Data Points: Config:backup compression default; Config:max server memory (MB); Config:max worker threads; Default DATA Directory; Default LOG Directory; Login Audit Level; SA has EMPTY password; SA Last Modified.
Compare Data: if you record it, compare it. Compare today to the previous day, or compare any 2 days.
Daily Change E-mail: displays values between today and yesterday that have been changed, added or deleted.
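The collect step described on the Collect Data slides, written out as an added T-SQL example (this is not the project's own code from ndgeek.com). The table names dbo.auditQueries and dbo.auditData, their columns, and the two sample collection queries are assumptions; the two data points chosen are "Config:max server memory (MB)" from the list above and the sysadmin membership list that the rule-check slides use later.

```sql
-- Added example, not the project's own code. Table and column names are
-- assumptions; the two collection queries are constructed samples.

CREATE TABLE dbo.auditQueries (
    queryId   INT IDENTITY(1,1) PRIMARY KEY,
    configKey NVARCHAR(256) NOT NULL,            -- label for the data point
    sqlText   NVARCHAR(MAX) NOT NULL,            -- must return rows of (configKey, configValue)
    isActive  BIT           NOT NULL DEFAULT 1,  -- queries can be de-activated ...
    sortOrder INT           NOT NULL DEFAULT 100 -- ... and sorted
);

CREATE TABLE dbo.auditData (
    collectDate  DATE          NOT NULL,
    instanceName NVARCHAR(128) NOT NULL,
    configKey    NVARCHAR(256) NOT NULL,
    configValue  NVARCHAR(MAX) NULL,
    CONSTRAINT PK_auditData PRIMARY KEY (collectDate, instanceName, configKey)
);

-- Constructed collection queries: one plain config value, and one list-valued
-- key (sysadmin members as a sorted, comma-separated string, the same shape
-- as the ServerRole:sysadmin value shown on the rule-check slide).
INSERT INTO dbo.auditQueries (configKey, sqlText, sortOrder) VALUES
(N'Config:max server memory (MB)',
 N'SELECT N''Config:max server memory (MB)'', CAST(value_in_use AS NVARCHAR(50))
   FROM sys.configurations WHERE name = N''max server memory (MB)'';', 10),
(N'ServerRole:sysadmin',
 N'SELECT N''ServerRole:sysadmin'',
          STUFF((SELECT N'','' + m.name
                 FROM sys.server_role_members rm
                 JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
                 JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
                 WHERE r.name = N''sysadmin''
                 ORDER BY m.name
                 FOR XML PATH(''''), TYPE).value(''.'', ''nvarchar(max)''), 1, 1, N'''');', 20);

-- Run every active query in order against this instance and store the rows
-- under today's date. The deck drives this per server from the CMS list;
-- that outer loop (PowerShell) is not shown here.
DECLARE @key NVARCHAR(256), @sql NVARCHAR(MAX),
        @today DATE = CAST(SYSDATETIME() AS DATE);
DECLARE @rows TABLE (configKey NVARCHAR(256), configValue NVARCHAR(MAX));

DECLARE q CURSOR LOCAL FAST_FORWARD FOR
    SELECT configKey, sqlText FROM dbo.auditQueries
    WHERE isActive = 1 ORDER BY sortOrder, queryId;
OPEN q;
FETCH NEXT FROM q INTO @key, @sql;
WHILE @@FETCH_STATUS = 0
BEGIN
    DELETE FROM @rows;
    BEGIN TRY
        INSERT INTO @rows (configKey, configValue) EXEC sys.sp_executesql @sql;
    END TRY
    BEGIN CATCH
        -- a broken query must not abort the run: record the error as the
        -- value so it shows up in the change report instead of vanishing
        INSERT INTO @rows VALUES (N'CollectError:' + @key, ERROR_MESSAGE());
    END CATCH;

    -- upsert, so re-running the collector on the same day replaces values
    MERGE dbo.auditData AS t
    USING (SELECT @today, @@SERVERNAME, configKey, configValue FROM @rows)
          AS s (collectDate, instanceName, configKey, configValue)
       ON t.collectDate = s.collectDate
      AND t.instanceName = s.instanceName
      AND t.configKey = s.configKey
    WHEN MATCHED THEN UPDATE SET configValue = s.configValue
    WHEN NOT MATCHED THEN
        INSERT (collectDate, instanceName, configKey, configValue)
        VALUES (s.collectDate, s.instanceName, s.configKey, s.configValue);

    FETCH NEXT FROM q INTO @key, @sql;
END;
CLOSE q; DEALLOCATE q;
```

Two design points worth noting. The primary key on (collectDate, instanceName, configKey) plus the MERGE make a re-run idempotent, so a retried Windows Task does not produce duplicate rows that would then appear as bogus "changes". And the list-valued key is stored sorted, so a change in membership order alone does not trip the comparison.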
-- Changed Variables --
Instance: MB-MN01-VMG-003
Variable: SQL Server Start Time
Old value: 2015-01-11 07:40:16
New value: 2015-01-13 00:43:06
-- New Variables --
Instance: MB-ND01-VMD-069\SPIDEV
Variable: Database:SalesLead
New value: 100
-- Old Variables --
-- *** No old values ***
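The three sections of the daily change e-mail (changed, added, deleted) fall out of one query over the collected key/value rows. The following is an added example, not the project's own code; it assumes a dbo.auditData table with columns collectDate, instanceName, configKey and configValue, and the two date variables are what you change to "compare any 2 days".

```sql
-- Added example, not the project's own code. dbo.auditData and its columns
-- are assumptions; set @old/@new to any two collection dates.
DECLARE @new DATE = CAST(SYSDATETIME() AS DATE),
        @old DATE = DATEADD(DAY, -1, CAST(SYSDATETIME() AS DATE));

SELECT
    CASE WHEN n.configKey IS NULL THEN 'Old Variables'    -- in @old, gone in @new
         WHEN o.configKey IS NULL THEN 'New Variables'    -- in @new, absent in @old
         ELSE 'Changed Variables' END          AS section,
    COALESCE(n.instanceName, o.instanceName)  AS instanceName,
    COALESCE(n.configKey, o.configKey)        AS variable,
    o.configValue                             AS oldValue,
    n.configValue                             AS newValue
FROM      (SELECT * FROM dbo.auditData WHERE collectDate = @old) AS o
FULL OUTER JOIN
          (SELECT * FROM dbo.auditData WHERE collectDate = @new) AS n
       ON o.instanceName = n.instanceName AND o.configKey = n.configKey
WHERE n.configKey IS NULL
   OR o.configKey IS NULL
   -- NULL-safe inequality: a value flipping to or from NULL is a change too
   OR NOT EXISTS (SELECT o.configValue INTERSECT SELECT n.configValue)
ORDER BY section, instanceName, variable;
```

This query also shows why the ToDo slide lists down servers as a problem: an instance that was unreachable on @new has no rows for that date, so every one of its keys lands under "Old Variables". If that noise is unwanted, restrict both sides to instances that have at least one row on both dates and report the missing instance separately.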
Rule Checking: if you record it, check it. Run sanity checks on your servers; make sure backup compression is turned on, 'sa' has a password set, max memory is set.
INSERT INTO auditRules
    ( ruleName, runOrder, action, configKey, target )
VALUES
    ( 'sa-a.bob.smith'        -- name
    , 1100                    -- order
    , 'notcontains'           -- check/action
    , 'ServerRole:sysadmin'   -- key to check
    , 'MBND\a.bob.smith'      -- value to check
    );
-- Rule Checks --
Rule: sa-a.bob.smith
Result: notcontains:match
Instance: MB-ND01-SC-005
Variable: ServerRole:sysadmin
Value: BUILTIN\administrators,MBND\a.bob.smith,MBND\a.nem.schlecht,MBND\DomainAdmins,MBND\s.CCM,MBND\s.sccm,MBND\s.SQLSentry,NT AUTHORITY\SYSTEM,NT SERVICE\MSSQLSERVER,NT SERVICE\SQLSERVERAGENT,sa
Fixing Rule Violations: if you check it, and it's wrong, fix it.
-- Fix sa-a.bob.smith--notcontains--ServerRole:sysadmin
:connect SERVER1
IF (@@SERVERNAME <> 'SERVER1')
BEGIN
    PRINT ' *** Wrong Server! ' + @@SERVERNAME + ' <> SERVER1';
    SET NOEXEC ON;
END
USE [master]
GO
EXEC master..sp_dropsrvrolemember
      @loginame = N'MBND\a.bob.smith'
    , @rolename = N'sysadmin'
-- End fix sa-a.bob.smith--notcontains--ServerRole:sysadmin
Fixing Rule Violations: make sure you make rules for everything, and make sure they're in the right order! Create a rule to check for/create a user before you run the rule to assign them a role.
ToDo: rules should be more flexible; many rules still need SQL snippet fixes written for them; new/old (or down) servers mess up the change report; use Server Groups from the Central Management Server list in rules (e.g. apply a rule only if the instance is in the 'dev' group).
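The two steps on the Rule Checking and Fixing Rule Violations slides, as one added T-SQL example (not the project's own code): evaluate the auditRules rows against the latest collected values, print the "Rule Checks" report, and emit a SQLCMD-mode fix script per violation in runOrder with the same wrong-server guard the deck uses. It assumes the dbo.auditData table from the collect step, a separate dbo.auditFixes table holding the fix snippet for a rule (the deck only says fixes are SQL snippets per rule), and the action names 'equals', 'notequals' and 'contains' alongside the 'notcontains' shown above.

```sql
-- Added example, not the project's own code. dbo.auditData, dbo.auditFixes,
-- the {target} placeholder convention and all actions except 'notcontains'
-- are assumptions.

-- Assumed fix table: one T-SQL snippet per rule; {target} is replaced with
-- the rule's target at generation time.
CREATE TABLE dbo.auditFixes (ruleName VARCHAR(128) PRIMARY KEY, fixSql NVARCHAR(MAX) NOT NULL);
INSERT INTO dbo.auditFixes VALUES
('sa-a.bob.smith',
 N'EXEC master..sp_dropsrvrolemember @loginame = N''{target}'', @rolename = N''sysadmin'';');
GO

DECLARE @asOf DATE = (SELECT MAX(collectDate) FROM dbo.auditData);

-- Step 1: violations. List-valued keys are comma separated, so both sides are
-- wrapped in commas before CHARINDEX; otherwise a target such as
-- 'MBND\a.bob' would match inside 'MBND\a.bob.smith'.
SELECT r.ruleName, r.runOrder, r.action, r.configKey, r.target,
       d.instanceName, d.configValue, f.fixSql
INTO #violations
FROM dbo.auditRules AS r
JOIN dbo.auditData  AS d
  ON d.configKey = r.configKey AND d.collectDate = @asOf
LEFT JOIN dbo.auditFixes AS f ON f.ruleName = r.ruleName
WHERE CASE r.action
        WHEN 'equals'      THEN CASE WHEN d.configValue = r.target THEN 0 ELSE 1 END
        WHEN 'notequals'   THEN CASE WHEN d.configValue = r.target THEN 1 ELSE 0 END
        WHEN 'contains'    THEN CASE WHEN CHARINDEX(N',' + r.target + N',', N',' + d.configValue + N',') > 0 THEN 0 ELSE 1 END
        WHEN 'notcontains' THEN CASE WHEN CHARINDEX(N',' + r.target + N',', N',' + d.configValue + N',') > 0 THEN 1 ELSE 0 END
        ELSE 1   -- unknown action: report it rather than silently pass
      END = 1;

-- Step 2: the "Rule Checks" report, one line per violation
SELECT N'Rule: ' + ruleName
     + N' Result: ' + action + CASE WHEN action LIKE 'not%' THEN N':match' ELSE N':nomatch' END
     + N' Instance: ' + instanceName
     + N' Variable: ' + configKey
     + N' Value: ' + ISNULL(configValue, N'<NULL>') AS reportLine
FROM #violations
ORDER BY runOrder, instanceName;

-- Step 3: fix script in runOrder. The guard turns NOEXEC on if :connect
-- landed somewhere unexpected, so the fix batch compiles but does not run;
-- NOEXEC is switched back off at the end of each block.
SELECT N'-- Fix ' + ruleName + N'--' + action + N'--' + configKey + NCHAR(13) + NCHAR(10)
     + N':connect ' + instanceName + NCHAR(13) + NCHAR(10)
     + N'IF (@@SERVERNAME <> ''' + instanceName + N''') BEGIN PRINT '' *** Wrong Server! '' + @@SERVERNAME; SET NOEXEC ON; END' + NCHAR(13) + NCHAR(10)
     + N'USE [master]' + NCHAR(13) + NCHAR(10) + N'GO' + NCHAR(13) + NCHAR(10)
     + REPLACE(fixSql, N'{target}', target) + NCHAR(13) + NCHAR(10) + N'GO' + NCHAR(13) + NCHAR(10)
     + N'SET NOEXEC OFF;' + NCHAR(13) + NCHAR(10)
     + N'-- End fix ' + ruleName + N'--' + action + N'--' + configKey AS fixBlock
FROM #violations
WHERE fixSql IS NOT NULL
ORDER BY runOrder, instanceName;

DROP TABLE #violations;
```

Ordering by runOrder is what makes the "create the login before you assign the role" rule on the slide above hold: give the existence check a lower runOrder than the role assignment and the generated fixes run in that sequence. Two caveats: CHARINDEX follows the column collation, so with the usual case-insensitive default a target of 'mbnd\A.Bob.Smith' still matches, which is what you want for Windows logins; and sp_dropsrvrolemember still works but is deprecated, so new fix snippets are better written as ALTER SERVER ROLE sysadmin DROP MEMBER.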
Want to try it out yourself? http://ndgeek.com/sqlaudit/
Wake Up!!! I'm done! Any questions?