Published by Suzanna Hopkins. Modified over 9 years ago.
1
Auditing in Microsoft SQL Server 2012
Il-Sung Lee, Program Manager, Microsoft Corporation
DBI407
5
- Audit supported on all SKUs
- Improved Resilience
- User-Defined Audit Event
- Record Filtering
- T-SQL Stack Information
6
SQL Server Express
7
Select… Rollback
8
Diagram labels: Audit Log; hr.viewsalary; hr.payroll
Statements shown: exec hr.viewsalary; select salary from hr.payroll
9
demo T-SQL Stack Information
10
exec sp_audit_write 1234, 1, N'Hello World'
Arguments, in order: @user_defined_event_id, @succeeded, @user_defined_info
Destination: Audit Log
11
demo User-Defined Audit Event
12
CREATE SERVER AUDIT audit_name TO { [ FILE ( [,...n ]) ] | APPLICATION_LOG | SECURITY_LOG } [ WITH ( [,...n ] ) ] [ FILTER = ] } … ::= { [ NOT ] | {( ) } [ { AND | OR } [ NOT ] { | ( ) } ] [,...n ] }
13
demo Record Filtering
16
Workload 1: 11 dbs, ranging from 1.94 MB to 1812.5 MB; 755 tables with average of 2761 rows; 1,219,234 stmts executed.
Workload 2: 2 dbs, ranging from 64 MB to 423.88 MB; 35 tables with average of 49,141 rows; 1,633,557 stmts executed.
Workload 3: 3 dbs, ranging from 1.94 MB to 1059.63 MB; 154 tables with average of 586 rows; 585,400 stmts executed.
Workload 4: 1 db at 3235.75 MB; 84 tables with average of 144,245 rows; 3,435,303 stmts executed.
Workload 5: 1 db at 174.94 MB; 152 tables with average of 4,108 rows; 296,642 stmts executed.
20
Windows Security Log
- "Tamper-proof" log
- DBA cannot clear log (assuming not an Administrator)
- System Center Operations Manager Audit Collection Service

Copy Audit logs to secure location
- Directory or share inaccessible by service account or DBA
- Audit log files are shared-read and cannot be tampered with while active
- Possible momentary exposure if using multiple logs

Combination of the two
- Audit "tamper" activity to Security Log, e.g., DBA modifying Audit
- All other Audit events are sent to file
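The "combination of the two" layout above, sketched in T-SQL as an added example that is not part of the original deck. The audit names, specification names and the UNC path are hypothetical; copying rolled-over files to the secure location is a separate job and is not shown.

```sql
-- Added example; TamperAudit, ActivityAudit and \\auditsrv\sqlaudit\ are hypothetical.
-- Prerequisite for TO SECURITY_LOG: the SQL Server service account needs the
-- "Generate security audits" right and object-access auditing must be enabled.
USE master;
GO
-- Audit 1: changes to audit objects go to the Windows Security log,
-- which a DBA who is not a Windows Administrator cannot clear.
CREATE SERVER AUDIT TamperAudit
    TO SECURITY_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION TamperAuditSpec
    FOR SERVER AUDIT TamperAudit
    ADD (AUDIT_CHANGE_GROUP)   -- CREATE/ALTER/DROP of audits and specifications
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT TamperAudit WITH (STATE = ON);
GO
-- Audit 2: all other events go to file. Active files are shared-read;
-- rolled-over files are what the copy job moves to the secure location.
CREATE SERVER AUDIT ActivityAudit
    TO FILE (FILEPATH = N'\\auditsrv\sqlaudit\',
             MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION ActivityAuditSpec
    FOR SERVER AUDIT ActivityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (USER_DEFINED_AUDIT_GROUP)   -- events raised with sp_audit_write
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT ActivityAudit WITH (STATE = ON);
GO
-- Check that both audit sessions are running and where the file audit writes.
SELECT name, status_desc, audit_file_path
FROM sys.dm_server_audit_status;
-- Review the file audit; Security log events are read with Windows tooling.
SELECT event_time, action_id, succeeded, server_principal_name, statement
FROM sys.fn_get_audit_file(N'\\auditsrv\sqlaudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time;
```

With this split, stopping or altering ActivityAudit is itself recorded by TamperAudit in a log the DBA cannot clear.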
24
Audit Events Buffered
- Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)

Server Blocks New Activity Generating Audit Event
- Does not affect other Audits
- Blocks until buffer space freed or audit disabled

Audit Session Turned Off
- Buffered data is discarded and error written to errorlog
- Continue trying to write future events to Audit log
- Automatically try to restart Audit session when next event is generated

Diagram arrow labels: Buffer filled; System error
25
Audit Events Buffered
- Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)

Server Fails New Activity Generating Audit Event
- Does not affect other Audits
- Fails new operations until buffer space freed or audit disabled
- Buffered audit events persist and writes are continuously re-attempted until audit disabled or server shut down

Diagram arrow label: Buffer filled
28
Option 1
- Correct source of error
- E.g., file system full

Option 2
- Single-user mode, "-m"
- Audit is active but shutdown-on-failure behavior deactivated
- Audit Admin can fix Audit configuration

Option 3
- Minimal configuration mode, "-f"
- Audit disabled but Audit DDL can still be issued.

Bonus
- If "Fail Operation" and "AUDIT_CHANGE_GROUP", use DAC connection
- Audit event still generated but will not fail operation
29
demo Using SQL Server Audit with Policy-Based Management
36
- Bare Metal Microsoft SQL Server 2012 Deployment and Management (S. Hall B WRK Rm 1)
- Microsoft SQL Server: Mission Critical Confidence - Organizational Security and Compliance Demo Station (S. Hall A)
- Find Me Later At The Mission Critical Booth In The Expo
37
Il-Sung Lee
ilsung@microsoft.com
http://blogs.msdn.com/b/sqlsecurity/
I'm not a tweeter