Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditing in SQL Server 2008 DBA-364-M

Published byJocelyn McKinney Modified over 6 years ago

Similar presentations

Presentation on theme: "Auditing in SQL Server 2008 DBA-364-M"— Presentation transcript:

1 Auditing in SQL Server 2008 DBA-364-M
Il-Sung Lee Senior Program Manager, Microsoft

2 Agenda What’s changed since SQL Server 2005?
Why should I use SQL Server Audit? What is the performance impact? Can I protect the Audit log from the DBA? What happens if Audit fails to write? What do I do if the server fails to start because of SQL Server Audit? Anything else I should know?

3 What’s changed since SQL Server 2005?

4 We now have a dedicated, security auditing feature.

5 Auditing Database Activity
SQL Server Connections Auditing Database Activity SQL Server 2005 SQL Trace DDL/DML Triggers Third-party tools to read transaction logs No management tools support SQL Server 2008 SQL Server Audit Audit replaces trace - but doesn't replace all use cases for DDL/DML Triggers as DDL Triggers can be more selective in both what they log and how they log it Updates will be available at

6 SQL Server Audit Audit now a 1st class object
Native DDL for configuration and management Security support Create an Audit object to automatically log actions to: File Windows Application Log Windows Security Log Ability to define granular Audit actions of Users or Roles on DB objects Multiple, independent audits may run concurrently

7 Audit Specifications Audit File system Server Audit Specification
Security Event Log Application Event Log 0..1 DB audit specification per database per Audit object 0..1 Server audit specification per Audit object Server Audit Specification Database Audit Components Database Audit Components Database Audit Components Database Audit Specification Server Audit Action Server Audit Action Server Audit Action Server and database audit specifications for Pre-defined action groups Individual action filters Server action groups Server config changes, login/logoff, role membership change, etc. Database action groups Schema object access, database role membership change, database object access, database config change Server Audit Action Database Audit Action Server Audit Action Database Audit Action Database Audit Action Database Audit Action Database Audit Action CREATE SERVER AUDIT SPECIFICATION SvrAC TO SERVER AUDIT PCI_Audit     ADD (FAILED_LOGIN_GROUP); CREATE DATABASE AUDIT SPECIFICATION AuditAC TO SERVER AUDIT PCI_Audit     ADD (SELECT ON Customers BY public)

8 Why should I use SQL Server Audit?

9 For performance, security, flexibility, and other good reasons!

10 Reasons to Use SQL Server Audit
SQL Server Connections Reasons to Use SQL Server Audit Faster than SQL Trace Leverages high performance eventing infrastructure Granular auditing Runs within engine More secure More choices for audit target Automatically records changes to Audit state Persists state between restarts Parity with SQL Server 2005 Audit Generation Configuration and management in SSMS Integration with Policy-Based Management Updates will be available at

11 DEMO Enabling SQL Server Audit

12 What is the performance impact?

13 Depends…

14 Audit Performance Depends upon:
The workload What’s being audited Comparison of SQL Server Audit against SQL Trace for 5 different typical customer workloads…

15 SQL Server Audit vs SQL Trace
Things to keep in mind: In order to be able to compare against SQL Trace, we enabled all Trace events and all server audit specifications. Since SQL Trace does not have the capability to audit at the specific database scope, a comparison was not possible. Hence, we could not do a real comparison for granular auditing to demonstrate that SQL Server Audit can be even more performant.

16 Can I protect the Audit log from the DBA?

17 Yes.

18 Protecting Audit Data Windows Security Log
“Tamper-proof” log DBA cannot clear log (assuming not an Administrator) System Center Operations Manager Audit Collection Service Copy Audit logs to secure location Directory or share inaccessible by service account or DBA Audit logs files are shared-read and cannot be tampered with while active Possible momentary exposure if using multiple logs Combination of the two Audit “tamper” activity to Security Log, e.g., DBA modifying Audit All other Audit events are sent to file

19 What happens if Audit fails to write?

20 Depends again…

21 Audit Write Failure (shutdown)
Shut down server on audit log failure Shutting down the server may seem drastic but for high-security environments, such as those for Common Criteria Compliance, this is a necessity. The login that sets this option must have the SERVER SHUTDOWN server permission

22 Audit Write Failure (non-shutdown)
Audit Events Buffered Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text) Server Blocks Activity Generating Audit Event Does not effect other Audits Blocks until buffer space freed or audit disabled Audit Session Turned Off Buffered data is discarded and error written to errorlog Continue trying to write future events to Audit log If failure during creation of handle to file/Window log session, manual restart of Audit session required Buffer filled System error

23 What do I do if the server fails to start because of SQL Server Audit?

24 Start the server in single-user mode

25 Starting the Server Option 1 Option 2 Option 3 Correct source of error
E.g., file system full Option 2 Single-user mode, “-m” Audit is active but shutdown-on-failure behavior deactivated Audit Admin can fix Audit configuration Option 3 Minimal configuration mode, “-f” Audit disabled but Audit DDL can still be issued. Actually, the first thing you should do is correct the source of the problem is possible and the try to restart the server The “-f” is the last choice because it will start with all Audits disabled. Note with -m and -f a second restart is needed to get back to normal operating behavior.

26 DEMO Using SQL Server Audit with Policy-Based Management

27 Anything else I should know?

28 Just a few things.

29 Other Things You Should Know
Enterprise only Parameterized queries Audit Xevent Sessions may not be manipulated by Xevent DDL. Audit logs are not encrypted Audit events are fired with permission checks Writing to files are much faster than to event log As of RTM CU#5, Auto-parameterized queries will be recorded in their original form in the Audit log

30 Other Things You Should Know
Both Audit and Audit Specifications have STATE parameters. Can only change state outside user transaction. All other audit changes can be done in a transaction, but with Audit or Audit Specification OFF. These limitations were introduced due to performance reasons.

31 DEMO Creating an Audit Collector

32 Securely and Easily Track DB Activity
Consider SQL Server Audit for all security auditing requirements Carefully devise a strategy for what needs to be audited and where to send the audit information based on security and performance needs Monitor administrator activity and prevent tampering of the logs.

33 Questions?

34 Complete the Evaluation Form & Win!
You could win a Dell Mini Netbook – every day – just for handing in your completed form! Each session form is another chance to win! Pick up your Evaluation Form: Within each presentation room At the PASS Booth near registration area Drop off your completed Form: Near the exit of each presentation room Sponsored by Dell

35 for attending this session and the 2009 PASS Summit in Seattle
Thank you for attending this session and the PASS Summit in Seattle

Download ppt "Auditing in SQL Server 2008 DBA-364-M"

Similar presentations

Module 12: Auditing SQL Server Environments

Module 12: Auditing SQL Server Environments
Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.

Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.
FlareCo Ltd ALTER DATABASE AdventureWorks SET PARTNER FORCE_SERVICE_ALLOW_DATA_LOSS Slide 1.

FlareCo Ltd ALTER DATABASE AdventureWorks SET PARTNER FORCE_SERVICE_ALLOW_DATA_LOSS Slide 1.
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Automating SQL Buildouts With Hyper-V and SQL Server 2008 R2 Robert L Davis, Sr. DBA, Microsoft Corp.

Automating SQL Buildouts With Hyper-V and SQL Server 2008 R2 Robert L Davis, Sr. DBA, Microsoft Corp.
Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.

Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
Advanced Databases Basic Database Administration Guide to Oracle 10g 1.

Advanced Databases Basic Database Administration Guide to Oracle 10g 1.
Auditing in Microsoft SQL Server 2012 Il-Sung Lee Program Manager Microsoft Corporation DBI407.

Auditing in Microsoft SQL Server 2012 Il-Sung Lee Program Manager Microsoft Corporation DBI407.
Backup and Recovery Part 1.

Backup and Recovery Part 1.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Chapter 9 Overview  Reasons to monitor SQL Server  Performance Monitoring and Tuning  Tools for Monitoring SQL Server  Common Monitoring and Tuning.

Chapter 9 Overview  Reasons to monitor SQL Server  Performance Monitoring and Tuning  Tools for Monitoring SQL Server  Common Monitoring and Tuning.
Managing and Monitoring SQL Server 2005 Shankar Pal Program Manager SQL Server, Redmond.

Managing and Monitoring SQL Server 2005 Shankar Pal Program Manager SQL Server, Redmond.
Il-Sung Lee Senior Program Manager Microsoft Corporation DAT304.

Il-Sung Lee Senior Program Manager Microsoft Corporation DAT304.
NovaBACKUP 10 xSP Technical Training By: Nathan Fouarge

NovaBACKUP 10 xSP Technical Training By: Nathan Fouarge
Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.

Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.
Implementing Database Snapshot & Database Mirroring in SQL Server 2005 Presented by Tarek Ghazali IT Technical Specialist Microsoft SQL Server MVP Microsoft.

Implementing Database Snapshot & Database Mirroring in SQL Server 2005 Presented by Tarek Ghazali IT Technical Specialist Microsoft SQL Server MVP Microsoft.

Similar presentations

Ads by Google