Auditing in Microsoft SQL Server 2012

Presentation transcript:

Auditing in Microsoft SQL Server 2012 (DBI407)
Il-Sung Lee, Program Manager, Microsoft Corporation

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- What’s changed since SQL Server 2008?
- What is the performance impact?
- Can I protect the Audit log from the DBA?
- What happens if Audit fails to write?
- What do I do if the server fails to start because of SQL Server Audit?
- Anything else I should know?

What’s changed since SQL Server 2008?

Lots. We’ve made SQL Server Audit more flexible and reliable.

SQL Server Audit Enhancements
- Audit supported on all SKUs
- Improved Resilience
- User-Defined Audit Event
- Record Filtering
- T-SQL Stack Information

Audit Supported on All SKUs
- Basic Audit on all SKUs
  - Server Audit Specs only
  - DB Audit Specs for Enterprise
- No longer need SQLTrace
- Enjoy advantages of Audit
  - Performance
  - Multiple Audits and multiple targets
  - Persist state
  - Audit Resilience
(Slide graphic label: SQL Server Express)

Improved Resilience
Before:
- Write failures may silently lose Audit records
- Use ON_FAILURE = SHUTDOWN
Now:
- Automatically recover from most file or network errors
- Added “ON_FAILURE = FAIL_OPERATION”
- Added “MAX_FILES” option
(Slide graphic labels: Select… Rollback)

T-SQL Stack Information
(Diagram labels: select salary from hr.payroll; exec hr.viewsalary; hr.viewsalary; hr.payroll; Audit Log)

Demo: T-SQL Stack Information
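The scenario from the T-SQL Stack Information slide, as an added example that is not part of the original slides: audit SELECT on hr.payroll, reach the table through hr.viewsalary, then read the calling module out of the audit record. The database HRDemo, the names Audit_Payroll and AuditSpec_Payroll, and the path D:\SqlAudit\ are assumptions.

```sql
-- Added example. Assumed: database HRDemo exists and D:\SqlAudit\ is writable
-- by the SQL Server service account. hr.payroll and hr.viewsalary are the
-- object names shown on the slide; the table definition is constructed.
USE HRDemo;
GO
CREATE SCHEMA hr;
GO
CREATE TABLE hr.payroll (employee_id int PRIMARY KEY, salary money NOT NULL);
INSERT INTO hr.payroll VALUES (1, 50000);   -- constructed sample row
GO
CREATE PROCEDURE hr.viewsalary AS
    SELECT salary FROM hr.payroll;
GO

USE master;
GO
CREATE SERVER AUDIT [Audit_Payroll] TO FILE (FILEPATH = N'D:\SqlAudit\');
GO
ALTER SERVER AUDIT [Audit_Payroll] WITH (STATE = ON);
GO

USE HRDemo;
GO
-- Database audit specifications need Enterprise edition in SQL Server 2012.
CREATE DATABASE AUDIT SPECIFICATION [AuditSpec_Payroll]
FOR SERVER AUDIT [Audit_Payroll]
    ADD (SELECT ON OBJECT::hr.payroll BY public)
WITH (STATE = ON);
GO

EXEC hr.viewsalary;               -- access through the procedure
SELECT salary FROM hr.payroll;    -- direct access, for comparison
GO

-- Audit records are written asynchronously (default QUEUE_DELAY is 1000 ms).
WAITFOR DELAY '00:00:02';

-- additional_information holds the stack as XML (<tsql_stack><frame .../></tsql_stack>);
-- shred it so each audited access shows the module that issued the statement.
SELECT f.event_time,
       f.server_principal_name,
       f.statement,
       s.frame.value('@nest_level',  'int')           AS nest_level,
       s.frame.value('@schema_name', 'nvarchar(128)') AS caller_schema,
       s.frame.value('@object_name', 'nvarchar(128)') AS caller_object
FROM sys.fn_get_audit_file(N'D:\SqlAudit\Audit_Payroll_*.sqlaudit', DEFAULT, DEFAULT) AS f
CROSS APPLY (SELECT TRY_CONVERT(xml, f.additional_information) AS x) AS c
OUTER APPLY c.x.nodes('/tsql_stack/frame') AS s(frame)
WHERE f.object_name = N'payroll'
ORDER BY f.event_time;
```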

User-Defined Audit Event
sp_audit_write()
    exec sp_audit_write 1234, 1, N'Hello World'
Parameters, in order: @user_defined_event_id, @succeeded, @user_defined_information
(Diagram label: Audit Log)

Demo: User-Defined Audit Event
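An added example (not from the original slides) of a user-defined audit event end to end: the audit must subscribe to USER_DEFINED_AUDIT_GROUP before sp_audit_write records anything. The names Audit_App, AuditSpec_App and dbo.approve_refund, the event id 1001, the database AppDemo and the path D:\SqlAudit\ are assumptions.

```sql
-- Added example. Assumed: database AppDemo exists; all object names, the
-- event id and the file path are placeholders chosen for illustration.
USE master;
GO
CREATE SERVER AUDIT [Audit_App] TO FILE (FILEPATH = N'D:\SqlAudit\');
GO
-- Without this group the sp_audit_write calls below are not recorded.
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_App]
FOR SERVER AUDIT [Audit_App]
    ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT [Audit_App] WITH (STATE = ON);
GO

USE AppDemo;
GO
-- Hypothetical business procedure that records a security-relevant action
-- the built-in action groups cannot express.
CREATE PROCEDURE dbo.approve_refund
    @order_id int,
    @amount   money
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @info nvarchar(4000) =
        N'refund approved: order=' + CONVERT(nvarchar(20), @order_id) +
        N' amount=' + CONVERT(nvarchar(30), @amount);

    -- ... the refund itself would happen here ...

    EXEC sys.sp_audit_write
         @user_defined_event_id    = 1001,   -- application-chosen id
         @succeeded                = 1,
         @user_defined_information = @info;
END;
GO

EXEC dbo.approve_refund @order_id = 42, @amount = 19.99;   -- constructed call
GO

-- Audit records are written asynchronously (default QUEUE_DELAY is 1000 ms).
WAITFOR DELAY '00:00:02';

SELECT event_time,
       server_principal_name,
       database_name,
       user_defined_event_id,
       succeeded,
       user_defined_information
FROM sys.fn_get_audit_file(N'D:\SqlAudit\Audit_App_*.sqlaudit', DEFAULT, DEFAULT)
WHERE user_defined_event_id = 1001
ORDER BY event_time;
```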

Record Filtering
- Tightly constrain info written to Audit log
- Audit record generated but not written
- Leverages Xevent filtering

CREATE SERVER AUDIT audit_name
{
    TO { [ FILE (<file_options> [ , ...n ]) ] | APPLICATION_LOG | SECURITY_LOG }
    [ WITH ( <audit_options> [ , ...n ] ) ]
    [ WHERE <predicate_expression> ]
}
…
<predicate_expression> ::=
{
    [ NOT ] <predicate_factor> | {( <predicate_expression> ) }
    [ { AND | OR } [ NOT ] { <predicate_factor> | ( <predicate_expression> ) } ]
    [ ,...n ]
}

Demo: Record Filtering
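Record filtering in practice, as an added example that is not from the original slides: the predicate is attached to the audit itself, so it applies to every event any specification routes to that audit. The names Audit_HR_Filtered and AuditSpec_HR, the login CONTOSO\svc_payroll, the database HRDemo (with an existing hr schema) and the path D:\SqlAudit\ are assumptions.

```sql
-- Added example. Assumed: database HRDemo with schema hr exists; the audit
-- names, the excluded service login and the file path are placeholders.
USE master;
GO
-- Keep only access to hr.payroll that does NOT come from the payroll
-- service login. Records are still generated for every audited action;
-- the predicate decides which ones are written to the target.
CREATE SERVER AUDIT [Audit_HR_Filtered]
TO FILE (FILEPATH = N'D:\SqlAudit\')
WITH (ON_FAILURE = CONTINUE)
WHERE (schema_name = 'hr' AND object_name = 'payroll')
  AND server_principal_name <> 'CONTOSO\svc_payroll';
GO
ALTER SERVER AUDIT [Audit_HR_Filtered] WITH (STATE = ON);
GO

USE HRDemo;
GO
-- Database audit specifications need Enterprise edition in SQL Server 2012.
-- The specification is deliberately broader than the filter.
CREATE DATABASE AUDIT SPECIFICATION [AuditSpec_HR]
FOR SERVER AUDIT [Audit_HR_Filtered]
    ADD (SELECT, UPDATE ON SCHEMA::hr BY public)
WITH (STATE = ON);
GO

-- Caveat: events that carry no object_name (logins, for example) can never
-- satisfy this predicate, so do not route them to a filtered audit like
-- this one and expect them to be kept.

-- Changing the filter requires the audit to be OFF.
USE master;
GO
ALTER SERVER AUDIT [Audit_HR_Filtered] WITH (STATE = OFF);
GO
ALTER SERVER AUDIT [Audit_HR_Filtered]
WHERE schema_name = 'hr';          -- widen to the whole schema
GO
ALTER SERVER AUDIT [Audit_HR_Filtered] WITH (STATE = ON);
GO

-- Review which audits are filtered and how; an unexpected predicate here is
-- itself worth investigating, because it controls what never reaches the log.
SELECT name, is_state_enabled, predicate
FROM sys.server_audits;

-- To drop the filter entirely (again with the audit OFF):
-- ALTER SERVER AUDIT [Audit_HR_Filtered] REMOVE WHERE;
```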

What is the performance impact?

Depends…

Audit Performance
Depends upon:
- The workload
- What’s being audited
Comparison of SQL Server Audit against SQL Trace for 5 different typical customer workloads:
- Workload 1: 11 dbs, ranging from 1.94 MB to 1812.5 MB; 755 tables with average of 2761 rows; 1,219,234 stmts executed
- Workload 2: 2 dbs ranging from 64 MB to 423.88 MB; 35 tables with average of 49,141 rows; 1,633,557 stmts executed
- Workload 3: 3 dbs ranging from 1.94 MB to 1059.63 MB; 154 tables with average of 586 rows; 585,400 stmts executed
- Workload 4: 1 db at 3235.75 MB; 84 tables with average of 144,245 rows; 3,435,303 stmts executed
- Workload 5: 1 db at 174.94 MB; 152 tables with average of 4,108 rows; 296,642 stmts executed

SQL Server Audit vs SQL Trace

Can I protect the Audit log from the DBA?

Yes.

Protecting Audit Data
- Windows Security Log
  - “Tamper-proof” log
  - DBA cannot clear log (assuming not an Administrator)
  - System Center Operations Manager Audit Collection Service
- Copy Audit logs to secure location
  - Directory or share inaccessible by service account or DBA
  - Audit log files are shared-read and cannot be tampered with while active
  - Possible momentary exposure if using multiple logs
- Combination of the two
  - Audit “tamper” activity to Security Log, e.g., DBA modifying Audit
  - All other Audit events are sent to file
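The "combination of the two" layout, as an added example that is not from the original slides: changes to the audit configuration go to the Windows Security log, all other events go to a file audit. The audit and specification names, the chosen action groups for the file audit and the path D:\SqlAudit\ are assumptions.

```sql
-- Added example. All names and the path are placeholders.
USE master;
GO
-- 1) Tamper trail in the Windows Security log.
--    Prerequisites for the SECURITY_LOG target: the SQL Server service
--    account needs the "Generate security audits" user right, and Windows
--    object-access auditing must record application-generated events.
--    QUEUE_DELAY = 0 delivers events synchronously.
CREATE SERVER AUDIT [Audit_Tamper]
TO SECURITY_LOG
WITH (QUEUE_DELAY = 0, ON_FAILURE = FAIL_OPERATION);
GO
-- AUDIT_CHANGE_GROUP fires when an audit or audit specification is
-- created, altered or dropped, i.e. the "DBA modifying Audit" case.
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_Tamper]
FOR SERVER AUDIT [Audit_Tamper]
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT [Audit_Tamper] WITH (STATE = ON);
GO

-- 2) Everything else to files. Closed files should then be copied to a
--    directory or share that neither the service account nor the DBA can
--    reach; that copy job runs outside SQL Server and is not shown here.
CREATE SERVER AUDIT [Audit_Activity]
TO FILE (
    FILEPATH           = N'D:\SqlAudit\',
    MAXSIZE            = 256 MB,
    MAX_ROLLOVER_FILES = 50
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_Activity]
FOR SERVER AUDIT [Audit_Activity]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT [Audit_Activity] WITH (STATE = ON);
GO

-- Confirm both audits exist, where they write, and that they are running.
SELECT a.name, a.type_desc, a.on_failure_desc, a.is_state_enabled,
       s.status_desc, s.audit_file_path
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id;
```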

What happens if Audit fails to write?

Depends again…

Audit Write Failure (Shutdown)
- Server shuts down
- Buffered audit events lost

Audit Write Failure (Continue)
- Audit Events Buffered
  - Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)
- Server Blocks New Activity Generating Audit Event
  - Does not affect other Audits
  - Blocks until buffer space freed or audit disabled
- Audit Session Turned Off
  - Buffered data is discarded and error written to errorlog
  - Continue trying to write future events to Audit log
  - Automatically try to restart Audit session when next event is generated
(Diagram transition labels: Buffer filled; System error)

Audit Write Failure (Fail Operation)
- Audit Events Buffered
  - Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)
- Server Fails New Activity Generating Audit Event
  - Does not affect other Audits
  - Fails new operations until buffer space freed or audit disabled
  - Buffered audit events persist and are continuously re-attempted to write until audit disabled or server shut down
(Diagram transition label: Buffer filled)
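The ON_FAILURE and MAX_FILES options from the Improved Resilience slide, whose behaviour the three Audit Write Failure slides describe, shown together as an added example (not from the original slides). The names Audit_Resilient and AuditSpec_Logins, the size limits and the path D:\SqlAudit\ are assumptions.

```sql
-- Added example. All names, limits and the path are placeholders.
USE master;
GO
CREATE SERVER AUDIT [Audit_Resilient]
TO FILE (
    FILEPATH           = N'D:\SqlAudit\',  -- must exist; service account needs write access
    MAXSIZE            = 256 MB,           -- size of each audit file
    MAX_FILES          = 40,               -- hard cap with no rollover: once reached,
                                           -- actions that would generate audit events fail
    RESERVE_DISK_SPACE = OFF
)
WITH (
    QUEUE_DELAY = 1000,                    -- ms an event may wait in the audit buffer
    -- ON_FAILURE choices, per the slides:
    --   SHUTDOWN        server shuts down, buffered audit events are lost
    --   CONTINUE        audited activity blocks while the buffer is full; on a
    --                   system error the session is turned off, buffered data is
    --                   discarded and the audit retries on the next event
    --   FAIL_OPERATION  audited activity fails while the buffer is full; buffered
    --                   events are kept and writes are retried
    ON_FAILURE  = FAIL_OPERATION
);
GO
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_Logins]
FOR SERVER AUDIT [Audit_Resilient]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT [Audit_Resilient] WITH (STATE = ON);
GO

-- Configuration check: which failure mode and file limits are in force.
SELECT name, is_state_enabled, on_failure_desc, queue_delay,
       max_file_size, max_files, max_rollover_files, log_file_path
FROM sys.server_file_audits;

-- Health check: an audit that is configured ON but not reported as started
-- here is not recording, which is the condition to alert on.
SELECT a.name, a.is_state_enabled, s.status_desc, s.status_time,
       s.audit_file_path, s.audit_file_size
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id;
```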

What do I do if the server fails to start because of SQL Server Audit?

Start the server in single-user mode

Starting the Server
- Option 1: Correct source of error
  - E.g., file system full
- Option 2: Single-user mode, “-m”
  - Audit is active but shutdown-on-failure behavior deactivated
  - Audit Admin can fix Audit configuration
- Option 3: Minimal configuration mode, “-f”
  - Audit disabled but Audit DDL can still be issued
- Bonus: If “Fail Operation” and “AUDIT_CHANGE_GROUP”, use DAC connection
  - Audit event still generated but will not fail operation

Demo: Using SQL Server Audit with Policy-Based Management

Anything else I should know?

Just a few things.

Other Things You Should Know
- Parameterized queries
- Audit Xevent Sessions may not be manipulated by Xevent DDL
- Audit logs are not encrypted or compressed
- Audit events are fired with permission checks
- Writing to files is much faster than to the event log
- No auditing of result sets

Other Things You Should Know
- Both Audit and Audit Specifications have STATE parameters
- Can only change state outside user transaction
- All other audit changes can be done in a transaction, but with Audit or Audit Specification OFF
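The repair step behind Option 2 of the "Starting the Server" slide, written to follow the STATE rules above: each STATE change runs in its own batch outside any transaction, and the other changes are made while the audit is OFF. This is an added example, not from the original slides; the audit name Audit_Resilient and both paths are assumptions.

```sql
-- Added example. Assumed situation: the instance would not start because
-- [Audit_Resilient] (ON_FAILURE = SHUTDOWN) could not write to its target.
-- The instance has been started with the -m startup option (for a default
-- instance, for example: NET START MSSQLSERVER /m) and an administrator
-- with ALTER ANY SERVER AUDIT permission is connected.
USE master;
GO

-- 1) See which audits are enabled and how they react to write failures.
SELECT name, type_desc, is_state_enabled, on_failure_desc
FROM sys.server_audits;

SELECT name, log_file_path, max_file_size, max_files, max_rollover_files
FROM sys.server_file_audits;
GO

-- 2) Turn the failing audit off. STATE changes must be made outside a
--    user transaction, so keep each one in its own batch.
ALTER SERVER AUDIT [Audit_Resilient] WITH (STATE = OFF);
GO

-- 3) With the audit OFF, fix the cause. Here the target is moved to a
--    volume with free space (assumed path E:\SqlAudit\) and the failure
--    mode is changed so a later write failure cannot block startup.
ALTER SERVER AUDIT [Audit_Resilient]
TO FILE (
    FILEPATH           = N'E:\SqlAudit\',
    MAXSIZE            = 256 MB,
    MAX_ROLLOVER_FILES = 50
)
WITH (ON_FAILURE = FAIL_OPERATION);
GO

-- 4) Turn it back on and confirm it is running before restarting the
--    instance in normal multi-user mode.
ALTER SERVER AUDIT [Audit_Resilient] WITH (STATE = ON);
GO

SELECT a.name, a.is_state_enabled, a.on_failure_desc,
       s.status_desc, s.audit_file_path
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id
WHERE a.name = N'Audit_Resilient';
```

If AUDIT_CHANGE_GROUP is being collected by another audit, these ALTER statements are themselves recorded there, which gives reviewers a trail of the repair.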

Securely and Easily Track DB Activity
- Consider SQL Server Audit for all security auditing requirements and leverage the 2012 enhancements
- Carefully devise a strategy for what needs to be audited and where to send the audit information based on security and performance needs
- Monitor administrator activity and prevent tampering of the logs

Session Resources
- Books Online:
  - Security Enhancements (Database Engine), http://msdn.microsoft.com/en-us/library/cc645578(v=sql.110).aspx
  - SQL Server Audit (Database Engine), http://msdn.microsoft.com/en-us/library/cc280386(v=SQL.110).aspx
- Whitepaper: Auditing in SQL Server 2008, http://msdn.microsoft.com/en-us/library/dd392015(v=SQL.100).aspx
- SQL Server Security Forum: http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/threads/
- SQL Security Blog: http://blogs.msdn.com/b/sqlsecurity/

Related Content
- Bare Metal Microsoft SQL Server 2012 Deployment and Management (S. Hall B WRK Rm 1)
- Microsoft SQL Server: Mission Critical Confidence - Organizational Security and Compliance Demo Station (S. Hall A)
- Find Me Later At The Mission Critical Booth In The Expo

Il-Sung Lee http://blogs.msdn.com/b/sqlsecurity/ ilsung@microsoft.com I’m not a tweeter
