
Il-Sung Lee Senior Program Manager Microsoft Corporation DAT304.


3 Agenda
What's changed since SQL Server 2005?
Why should I use SQL Server Audit?
What is the performance impact?
Can I protect the Audit log from the DBA?
What happens if Audit fails to write?
What do I do if the server fails to start because of SQL Server Audit?
Anything else I should know?

4 What’s changed since SQL Server 2005?

5 We now have a dedicated, security auditing feature.

6 Auditing Database Activity
SQL Server 2005: SQL Trace; DDL/DML triggers; third-party tools that read the transaction log; no management-tool support.
SQL Server 2008: SQL Server Audit.

7 Audit now a 1st Class Server Object
Native DDL for Audit configuration and management
Security support (dedicated permissions for managing audits)
Create an Audit object to automatically log actions to: a file, the Windows Application Log, or the Windows Security Log
Ability to define granular Audit Actions of users or roles on database objects

8 Audit Specifications
An Audit object writes to one target: the Security event log, the Application event log, or the file system.
0..1 server audit specification per Audit object
0..1 database audit specification per database per Audit object
CREATE SERVER AUDIT SPECIFICATION SvrAC FOR SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP);
CREATE DATABASE AUDIT SPECIFICATION AuditAC FOR SERVER AUDIT PCI_Audit ADD (SELECT ON Customers BY public);
[Diagram: a Server Audit Specification (server audit actions) and the Database Audit Components (a Database Audit Specification with database audit actions) both feed the Audit object, which writes to its target, here a file.]

9 Why should I use SQL Server Audit?

10 For performance, security, flexibility, and other good reasons! “We already have strict limits on who can see the data, and we use SQL Server 2008 auditing to verify this,” says Gerald Schinagl, Project Manager and Systems Architect for the Sports Database at Austrian Broadcasting Corporation Radio & Television (ORF).

11 Reasons to Use SQL Server Audit
Faster than SQL Trace: leverages the high-performance eventing infrastructure; granular auditing; runs within the engine
More secure: more choices for the audit target; automatically records changes to Audit state; persists state between restarts
Parity with SQL Server 2005 audit event generation
Configuration and management in SSMS
Integration with Policy-Based Management

12 Enabling SQL Server Audit
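The two CREATE ... AUDIT SPECIFICATION statements on the Audit Specifications slide, carried through to a running audit. This is an added example, not the deck's demo script; it assumes an Enterprise-edition instance, a directory D:\Audit\ that exists and is writable by the SQL Server service account, and a database named Sales containing dbo.Customers (all three names are ours, not the presentation's).

```sql
-- Added example (not from the deck).  Assumed names: D:\Audit\, Sales, dbo.Customers.
USE master;
GO
-- 1. The Audit object: where events go, how long they may sit in the buffer,
--    and what the engine does when the target cannot be written.
CREATE SERVER AUDIT PCI_Audit
TO FILE
(
    FILEPATH = 'D:\Audit\',
    MAXSIZE = 100 MB,
    MAX_ROLLOVER_FILES = 10,
    RESERVE_DISK_SPACE = OFF
)
WITH
(
    QUEUE_DELAY = 1000,     -- milliseconds an event may wait before being flushed
    ON_FAILURE = CONTINUE   -- SHUTDOWN stops the instance instead (needs SHUTDOWN permission)
);
GO
-- 2. Server-level actions: at most one specification per Audit object.
CREATE SERVER AUDIT SPECIFICATION SvrAC
FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP)   -- records CREATE/ALTER/DROP of audits and specifications
WITH (STATE = ON);
GO
-- 3. Database-level actions: at most one specification per database per Audit object.
USE Sales;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditAC
FOR SERVER AUDIT PCI_Audit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public)
WITH (STATE = ON);
GO
-- 4. Nothing is written until the Audit object itself is ON.  STATE changes
--    cannot run inside a user transaction, so no BEGIN TRAN around this.
USE master;
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- 5. Verify: the catalog views show what was configured, the DMV shows what is running.
SELECT name, type_desc, on_failure_desc, queue_delay, is_state_enabled
FROM sys.server_audits;

SELECT name, status_desc, status_time, audit_file_path
FROM sys.dm_server_audit_status;

SELECT s.name AS specification, s.is_state_enabled, d.audit_action_name
FROM sys.server_audit_specifications AS s
JOIN sys.server_audit_specification_details AS d
    ON d.server_specification_id = s.server_specification_id;
```

Once this is in place, a SELECT against Sales.dbo.Customers by any login appears in the .sqlaudit files under D:\Audit\, and any later ALTER SERVER AUDIT or DROP DATABASE AUDIT SPECIFICATION is itself recorded through AUDIT_CHANGE_GROUP.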

13 What is the performance impact?

14 Depends…

15 Audit Performance
Depends upon: the workload, and what is being audited.
Comparison of SQL Server Audit against SQL Trace for 5 different typical customer workloads...

16 SQL Server Audit vs SQL Trace

17 Can I protect the Audit log from the DBA?

18 Yes. “We’re seeing more audit requests in the industry, and they often want us to demonstrate the ability to document who has accessed what data,” says Umut Nazlica, Manager of Open Systems Databases at Garanti Technology. “This was something that was extremely hard to do without third-party tools prior to SQL Server 2008. With Enhanced Auditing, we will be able to provide granular information including when and by whom each data change was made.”

19 Protecting Audit Data
Windows Security Log: a "tamper-proof" log. The DBA cannot clear it (assuming the DBA is not a local Administrator). System Center Operations Manager Audit Collection Services can forward it off the box.
File: copy the audit logs to a secure location, a directory or share that neither the service account nor the DBA can access. Audit log files are opened shared-read and cannot be tampered with while active; there is a possible momentary exposure when using multiple (rollover) log files.
Combination of the two: send "tamper" activity (e.g., the DBA modifying the Audit) to the Security Log; send all other audit events to file.
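The "combination of the two" design from the slide, written out. This is an added example, not code from the deck: changes to the audit configuration go to the Windows Security log, where a DBA without local Administrator rights cannot clear them, and everything else goes to a file share the DBA cannot reach. The share name \\logcollector\sqlaudit$ and the audit names are assumptions, as are the share permissions (service account may write but not delete or modify; the DBA gets nothing).

```sql
-- Added example (not from the deck).  Assumed share: \\logcollector\sqlaudit$.
USE master;
GO
-- Tamper trail.  Losing this log is worse than losing the instance, so SHUTDOWN.
CREATE SERVER AUDIT Audit_Tamper
TO SECURITY_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
CREATE SERVER AUDIT SPECIFICATION Audit_Tamper_Spec
FOR SERVER AUDIT Audit_Tamper
    ADD (AUDIT_CHANGE_GROUP)    -- every CREATE/ALTER/DROP of an audit or specification
WITH (STATE = ON);
GO
-- Data trail.  Goes to the locked-down share; the instance keeps running if it fails.
CREATE SERVER AUDIT Audit_Data
TO FILE
(
    FILEPATH = '\\logcollector\sqlaudit$\',
    MAXSIZE = 256 MB,
    MAX_ROLLOVER_FILES = UNLIMITED
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION Audit_Data_Spec
FOR SERVER AUDIT Audit_Data
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Tamper WITH (STATE = ON);
ALTER SERVER AUDIT Audit_Data   WITH (STATE = ON);
GO
-- Exercise the trap: a DBA silencing the data audit leaves a record in the
-- Security log, which the DBA cannot remove.
ALTER SERVER AUDIT Audit_Data WITH (STATE = OFF);
ALTER SERVER AUDIT Audit_Data WITH (STATE = ON);
GO
-- Who is able to change audit configuration at all?  Review this list; sysadmin
-- members always can, so the Security-log trail is what actually constrains them.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN ('ALTER ANY SERVER AUDIT', 'CONTROL SERVER');
```

Two Windows-side prerequisites make the SECURITY_LOG target work: the SQL Server service account needs the "Generate security audits" user right, and the "Application Generated" subcategory of object-access auditing must be enabled (auditpol.exe /set /subcategory:"application generated" /success:enable /failure:enable). Without them the Audit_Tamper session fails to start and, with ON_FAILURE = SHUTDOWN, the instance will not stay up.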

20 What happens if Audit fails to write?

21 Depends again…

22 Audit Write Failure (shutdown)
Shut down the server on audit log failure.

23 Audit Write Failure (non-shutdown)
Audit events are buffered. The buffer size varies but is around 4 MB (at least 170 events, depending upon statement text).
Buffer filled: the server blocks the activity generating the audit event. This does not affect other Audits. The activity blocks until buffer space is freed or the Audit is disabled.
System error: the Audit session is turned off. Buffered data is discarded and an error is written to the errorlog. The server continues trying to write future events to the Audit log. If the failure occurred while creating the handle to the file or Windows log session, a manual restart of the Audit session is required.
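The non-shutdown path on the slide ends with a session that is configured ON but no longer writing, and the deck says a manual restart is needed when the handle could not be created. The script below, an added example rather than the deck's, shows how an operator finds such sessions and restarts them. It assumes the audits were created with ON_FAILURE = CONTINUE and that a healthy session reports status_desc = 'STARTED' in sys.dm_server_audit_status.

```sql
-- Added example (not from the deck).
USE master;
GO
-- Why did it fail?  The engine wrote the reason to the errorlog.
EXEC sys.xp_readerrorlog 0, 1, N'audit';
GO
-- Which audits are enabled in the catalog but not actually running?
SELECT a.name, a.on_failure_desc, s.status_desc, s.status_time, s.audit_file_path
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s
    ON s.audit_id = a.audit_id
WHERE a.is_state_enabled = 1
  AND s.status_desc <> 'STARTED';
GO
-- Restart each one.  Toggling STATE re-creates the file or event-log handle,
-- which is the case the slide says will not recover by itself.  Fix the cause
-- first (full disk, missing share, lost privilege) or it simply fails again.
DECLARE @name sysname, @sql nvarchar(max);
DECLARE failed CURSOR LOCAL FAST_FORWARD FOR
    SELECT a.name
    FROM sys.server_audits AS a
    JOIN sys.dm_server_audit_status AS s
        ON s.audit_id = a.audit_id
    WHERE a.is_state_enabled = 1
      AND s.status_desc <> 'STARTED';
OPEN failed;
FETCH NEXT FROM failed INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- No BEGIN TRAN here: STATE changes are refused inside a user transaction.
    SET @sql = N'ALTER SERVER AUDIT ' + QUOTENAME(@name) + N' WITH (STATE = OFF); '
             + N'ALTER SERVER AUDIT ' + QUOTENAME(@name) + N' WITH (STATE = ON);';
    EXEC (@sql);
    FETCH NEXT FROM failed INTO @name;
END
CLOSE failed;
DEALLOCATE failed;
GO
-- Confirm.
SELECT name, status_desc, status_time
FROM sys.dm_server_audit_status;
```

Events generated between the failure and the restart are gone; the buffered data was discarded when the session went down, so a gap in the collected log around status_time is expected and should be noted in the incident record rather than treated as missing evidence of tampering.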

24 What do I do if the server fails to start because of SQL Server Audit?

25 Start the server in single-user mode

26 Starting the Server
Option 1: correct the source of the error, e.g., a full file system.
Option 2: start in single-user mode ("-m"). Audit is active but the shutdown-on-failure behavior is deactivated, so the Audit administrator can fix the Audit configuration.
Option 3: start in minimal configuration mode ("-f"). Audit is disabled, but Audit DDL can still be issued.

27 Using SQL Server Audit with Policy- Based Management

28 Anything else I should know?

29 Just a few things.

30 Other Things You Should Know
Enterprise edition only
Parameterized queries
Audit Extended Events sessions may not be manipulated by Extended Events DDL
Audit logs are not encrypted
Audit events are fired as part of permission checks
Writing to files is much faster than writing to the event log

31 Other Things You Should Know
Both Audit and Audit Specifications have STATE parameters.
State can only be changed outside a user transaction.
All other audit changes can be done in a transaction, but only with the Audit or Audit Specification OFF.

32 Creating an Audit Collector
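One way to build the collector the demo title refers to: pull records out of the .sqlaudit files with sys.fn_get_audit_file into a table on a separate, locked-down server, taking only records newer than the last run. This is an added example, not the deck's demo; the share path, table and procedure names are assumptions, and the collector's own service account is assumed to have read access to the files.

```sql
-- Added example (not from the deck).  Assumed: \\logcollector\sqlaudit$, dbo.AuditCollected, dbo.CollectAudit.
CREATE TABLE dbo.AuditCollected
(
    event_time              datetime2(7)   NOT NULL,
    sequence_number         int            NOT NULL,
    action_id               varchar(4)     NOT NULL,
    succeeded               bit            NOT NULL,
    session_id              smallint       NOT NULL,
    server_principal_name   sysname        NULL,
    database_principal_name sysname        NULL,
    server_instance_name    sysname        NULL,
    database_name           sysname        NULL,
    schema_name             sysname        NULL,
    object_name             sysname        NULL,
    statement               nvarchar(4000) NULL,
    file_name               nvarchar(260)  NOT NULL,
    audit_file_offset       bigint         NOT NULL,
    CONSTRAINT PK_AuditCollected PRIMARY KEY (file_name, audit_file_offset, sequence_number)
);
GO
CREATE PROCEDURE dbo.CollectAudit
    @file_pattern nvarchar(260) = N'\\logcollector\sqlaudit$\*.sqlaudit'
AS
BEGIN
    SET NOCOUNT ON;
    -- Watermark: the file and offset of the newest record already stored.
    -- Both NULL on the first run, which makes fn_get_audit_file start from the beginning.
    DECLARE @last_file nvarchar(260), @last_offset bigint, @rows int;
    SELECT TOP (1) @last_file = file_name, @last_offset = audit_file_offset
    FROM dbo.AuditCollected
    ORDER BY event_time DESC, sequence_number DESC;

    -- The active file is opened shared-read, so reading it while the audit
    -- writes is safe; the NOT EXISTS makes re-reading the watermark record harmless.
    INSERT INTO dbo.AuditCollected
        (event_time, sequence_number, action_id, succeeded, session_id,
         server_principal_name, database_principal_name, server_instance_name,
         database_name, schema_name, object_name, statement, file_name, audit_file_offset)
    SELECT f.event_time, f.sequence_number, f.action_id, f.succeeded, f.session_id,
           f.server_principal_name, f.database_principal_name, f.server_instance_name,
           f.database_name, f.schema_name, f.object_name, f.statement, f.file_name, f.audit_file_offset
    FROM sys.fn_get_audit_file(@file_pattern, @last_file, @last_offset) AS f
    WHERE NOT EXISTS
    (
        SELECT 1 FROM dbo.AuditCollected AS c
        WHERE c.file_name = f.file_name
          AND c.audit_file_offset = f.audit_file_offset
          AND c.sequence_number = f.sequence_number
    );
    SET @rows = @@ROWCOUNT;
    RETURN @rows;
END
GO
-- Run on a schedule (SQL Agent) and report from the copy, never from the live files.
EXEC dbo.CollectAudit;

-- Example question an auditor asks: who read the customer table, and with what statement?
SELECT event_time, server_principal_name, database_name, object_name, statement
FROM dbo.AuditCollected
WHERE action_id = 'SL'           -- SELECT
  AND object_name = N'Customers'
ORDER BY event_time DESC;
```

Because rollover produces several files, the watermark is a (file, offset) pair rather than a timestamp alone; the primary key on (file_name, audit_file_offset, sequence_number) means a re-run after a partial failure cannot insert the same record twice. The collector should run under an account that the DBA of the audited instance does not control, which is the point of the "secure location" bullet on the Protecting Audit Data slide.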

33 Securely and Easily Track DB Activity
Consider SQL Server Audit for all security auditing requirements.
Carefully devise a strategy for what needs to be audited and where to send the audit information, based on security and performance needs.
Monitor administrator activity and prevent tampering with the logs.


35 Resources
www.microsoft.com/teched Sessions On-Demand & Community
http://microsoft.com/technet Resources for IT Professionals
http://microsoft.com/msdn Resources for Developers
www.microsoft.com/learning Microsoft Certification & Training Resources

36 Related Content
DAT15-HOL: Using Microsoft SQL Server 2008 Policy-Based Management to Set Policies and Help Ensure Compliance
DAT02-INT: Protecting Your Data Using Encryption in Microsoft SQL Server
DAT02-HOL: Implementing Database Compliance Scenarios

37 Track Resources
Understanding SQL Server Audit http://msdn.microsoft.com/en-us/library/cc280386.aspx
Auditing in SQL Server 2008 whitepaper http://msdn.microsoft.com/en-us/library/dd392015.aspx
SQL Server Security homepage http://www.microsoft.com/sqlserver/2008/en/us/security.aspx
SQL Server Security blog http://blogs.msdn.com/sqlsecurity/
Administering Servers by Using Policy-Based Management http://msdn.microsoft.com/en-us/library/bb510667.aspx

38 SQL Server Community Resources
Become a FREE PASS Member: www.sqlpass.org/RegisterforSQLPASS.aspx
Learn more about the PASS organization: www.sqlpass.org/
Additional Community Resources
SQL Server Community Center www.microsoft.com/sqlserver/2008/en/us/community-center.aspx
TechNet Community for IT Professionals http://technet.microsoft.com/en-us/sqlserver/bb671048.aspx
Developer Center http://msdn.microsoft.com/en-us/sqlserver/bb671064.aspx
SQL Server 2008 Learning Portal http://www.microsoft.com/learning/sql/2008/default.mspx
Connect: Local Chapters, Special Interest Groups, Online Community
Share: PASSPort Social Networking, Community Connection Event
Learn: PASS Summit Annual Conference, Technical Articles, Webcasts
The Professional Association for SQL Server (PASS) is an independent, not-for-profit association, dedicated to supporting, educating, and promoting the Microsoft SQL Server community.

39 SQL Server Word of the Day POLICY-BASED MANAGEMENT Monday, May 11 *Game cards may be picked up at the SQL Server booths in the TLC


41 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

