Il-Sung Lee, Senior Program Manager, Microsoft Corporation, DAT304
Auditing in Microsoft SQL Server 2008
Agenda
• What’s changed since SQL Server 2005?
• Why should I use SQL Server Audit?
• What is the performance impact?
• Can I protect the Audit log from the DBA?
• What happens if Audit fails to write?
• What do I do if the server fails to start because of SQL Server Audit?
• Anything else I should know?
What’s changed since SQL Server 2005?
We now have a dedicated security auditing feature.
Auditing Database Activity
SQL Server 2005
• SQL Trace
• DDL/DML Triggers
• Third-party tools to read transaction logs
• No management tools support
SQL Server 2008
• SQL Server Audit
SQL Server Audit
Audit now a 1st Class Server Object
• Native DDL for Audit configuration and management
• Security support
Create an Audit object to automatically log actions to:
• File
• Windows Application Log
• Windows Security Log
Ability to define granular Audit Actions of Users or Roles on DB objects
Audit Specifications
[Diagram: Audit, with targets Security Event Log, Application Event Log and File system; Server Audit Specification containing Server Audit Actions; Database Audit Components with a Database Audit Specification containing Database Audit Actions]
• 0..1 server audit specification per Audit object
• 0..1 DB audit specification per database per Audit object
-- Server level: record failed logins in the PCI_Audit audit
CREATE SERVER AUDIT SPECIFICATION SvrAC
FOR SERVER AUDIT PCI_Audit
ADD (FAILED_LOGIN_GROUP);
-- Database level: record every SELECT on Customers by any member of public
CREATE DATABASE AUDIT SPECIFICATION AuditAC
FOR SERVER AUDIT PCI_Audit
ADD (SELECT ON Customers BY public);
Why should I use SQL Server Audit?
For performance, security, flexibility, and other good reasons!
“We already have strict limits on who can see the data, and we use SQL Server 2008 auditing to verify this,” says Gerald Schinagl, Project Manager and Systems Architect for the Sports Database at Austrian Broadcasting Corporation Radio & Television (ORF).
Reasons to Use SQL Server Audit
• Faster than SQL Trace
• Leverages high performance eventing infrastructure
• Granular auditing
• Runs within engine
• More secure
• More choices for audit target
• Automatically records changes to Audit state
• Persists state between restarts
• Parity with SQL Server 2005 Audit Generation
• Configuration and management in SSMS
• Integration with Policy-Based Management
Enabling SQL Server Audit
demo
What is the performance impact?
Depends…
Audit Performance
Depends upon:
• The workload
• What’s being audited
Comparison of SQL Server Audit against SQL Trace for 5 different typical customer workloads…
SQL Server Audit vs SQL Trace
Customer Workload Performance
Workload      Base Time (min)   SQL Trace (min)   SQL Server Audit (min)
Workload 1    13.3              15.9              14.1
Workload 2    41.3              101.9             55.9
Workload 3    5.1               6.3               5.6
Workload 4    63.4              76.6              68.13
Workload 5    3.6               4.78              4
Can I protect the Audit log from the DBA?
Yes.
“We’re seeing more audit requests in the industry, and they often want us to demonstrate the ability to document who has accessed what data,” says Umut Nazlica, Manager of Open Systems Databases at Garanti Technology. “This was something that was extremely hard to do without third-party tools prior to SQL Server 2008. With Enhanced Auditing, we will be able to provide granular information including when and by whom each data change was made.”
Protecting Audit Data
Windows Security Log
• “Tamper-proof” log
• DBA cannot clear log (assuming not an Administrator)
• System Center Operations Manager Audit Collection Service
Copy Audit logs to secure location
• Directory or share inaccessible by service account or DBA
• Audit log files are shared-read and cannot be tampered with while active
• Possible momentary exposure if using multiple logs
Combination of the two
• Audit “tamper” activity to Security Log, e.g., DBA modifying Audit
• All other Audit events are sent to file
What happens if Audit fails to write?
Depends again…
Audit Write Failure (shutdown)
Shut down server on audit log failure
Audit Write Failure (non-shutdown)
Audit Events Buffered
• Audit buffer size varies but is around 4MB (equivalent to at least 170 events, depending upon statement text)
Server Blocks Activity Generating Audit Event (buffer filled)
• Does not affect other Audits
• Blocks until buffer space freed or audit disabled
Audit Session Turned Off (system error)
• Buffered data is discarded and error written to errorlog
• Continue trying to write future events to Audit log
• If failure during creation of handle to file/Windows log session, manual restart of Audit session required
What do I do if the server fails to start because of SQL Server Audit?
Start the server in single-user mode
Starting the Server
Option 1
• Correct source of error
• E.g., file system full
Option 2
• Single-user mode, “-m”
• Audit is active but shutdown-on-failure behavior deactivated
• Audit Admin can fix Audit configuration
Option 3
• Minimal configuration mode, “-f”
• Audit disabled but Audit DDL can still be issued.
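The Audit DDL an administrator might issue under Option 2 or Option 3, together with a check of the write-failure setting from the two "Audit Write Failure" slides, as an added example that is not part of the original deck. PCI_Audit is the slide's audit name; the F:\AuditLogs\ path and the size limits are assumptions.

```sql
-- Added example. PCI_Audit is the slide's audit; F:\AuditLogs\ is an assumed new location.
-- Run after the instance has been started with -m or -f.

-- 1. List every audit, whether it shuts the server down on write failure,
--    and its current runtime status.
SELECT a.name, a.type_desc, a.on_failure_desc, a.is_state_enabled,
       s.status_desc, s.status_time, s.audit_file_path
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s
       ON s.audit_id = a.audit_id
ORDER BY a.name;
GO
-- 2. An audit's definition can only be changed while the audit is OFF.
ALTER SERVER AUDIT PCI_Audit WITH (STATE = OFF);
GO
-- 3. Repair the cause, here by pointing the file target at a volume with free space.
ALTER SERVER AUDIT PCI_Audit
TO FILE (FILEPATH = 'F:\AuditLogs\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20);
GO
-- 4. Choose the write-failure behaviour deliberately:
--    SHUTDOWN stops the server when the audit cannot write (needs SHUTDOWN permission);
--    CONTINUE keeps the server running and follows the non-shutdown path above.
ALTER SERVER AUDIT PCI_Audit WITH (ON_FAILURE = SHUTDOWN);
GO
-- 5. Switch the audit back on once the target is writable again.
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
```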
Using SQL Server Audit with Policy-Based Management
demo
Anything else I should know?
Just a few things.
Other Things You Should Know
• Enterprise only
• Parameterized queries
• Audit Xevent Sessions may not be manipulated by Xevent DDL.
• Audit logs are not encrypted
• Audit events are fired with permission checks
• Writing to files is much faster than to event log
Other Things You Should Know
Both Audit and Audit Specifications have STATE parameters
• Can only change state outside user transaction
• All other audit changes can be done in a transaction, but with Audit or Audit Specification OFF
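The STATE rules above applied to the database audit specification from the earlier slide, as an added example that is not from the original deck. AuditAC and Customers are the slide's names; the Sales database and the extra UPDATE and DELETE actions are assumptions.

```sql
-- Added example. Assumed: database Sales; UPDATE and DELETE are the new actions to audit.
USE Sales;
GO
-- 1. State change, issued on its own outside any user transaction.
ALTER DATABASE AUDIT SPECIFICATION AuditAC WITH (STATE = OFF);
GO
-- 2. Definition change. This may run inside a transaction, but only while
--    the specification is OFF.
BEGIN TRANSACTION;
    ALTER DATABASE AUDIT SPECIFICATION AuditAC
        ADD (UPDATE, DELETE ON Customers BY public);
COMMIT TRANSACTION;
GO
-- 3. State change again, outside the transaction, to resume auditing.
ALTER DATABASE AUDIT SPECIFICATION AuditAC WITH (STATE = ON);
GO
-- 4. Confirm the specification is enabled and lists the expected actions.
SELECT s.name, s.is_state_enabled, d.audit_action_name,
       d.class_desc, OBJECT_NAME(d.major_id) AS audited_object
FROM sys.database_audit_specifications AS s
JOIN sys.database_audit_specification_details AS d
  ON d.database_specification_id = s.database_specification_id
WHERE s.name = 'AuditAC';
```

Events on Customers are not captured between steps 1 and 3, so keep that window short.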
Creating an Audit Collector
demo
Securely and Easily Track DB Activity
• Consider SQL Server Audit for all security auditing requirements
• Carefully devise a strategy for what needs to be audited and where to send the audit information based on security and performance needs
• Monitor administrator activity and prevent tampering with the logs
question & answer
Resources
• www.microsoft.com/teched: Sessions On-Demand & Community
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers
• www.microsoft.com/learning: Microsoft Certification & Training Resources
Related Content
DAT15-HOL: Using Microsoft SQL Server 2008 Policy-Based Management to Set Policies and Help Ensure Compliance
DAT02-INT: Protecting Your Data Using Encryption in Microsoft SQL Server
DAT02-HOL: Implementing Database Compliance Scenarios
Track Resources
Understanding SQL Server Audit http://msdn.microsoft.com/en-us/library/cc280386.aspx
Auditing in SQL Server 2008 whitepaper http://msdn.microsoft.com/en-us/library/dd392015.aspx
SQL Server Security homepage http://www.microsoft.com/sqlserver/2008/en/us/security.aspx
SQL Server Security blog http://blogs.msdn.com/sqlsecurity/
Administering Servers by Using Policy-Based Management http://msdn.microsoft.com/en-us/library/bb510667.aspx
SQL Server Community Resources
Become a FREE PASS Member: www.sqlpass.org/RegisterforSQLPASS.aspx
Learn more about the PASS organization: www.sqlpass.org/
Additional Community Resources
• SQL Server Community Center: www.microsoft.com/sqlserver/2008/en/us/community-center.aspx
• TechNet Community for IT Professionals: http://technet.microsoft.com/en-us/sqlserver/bb671048.aspx
• Developer Center: http://msdn.microsoft.com/en-us/sqlserver/bb671064.aspx
• SQL Server 2008 Learning Portal: http://www.microsoft.com/learning/sql/2008/default.mspx
• Connect: Local Chapters, Special Interest Groups, Online Community
• Share: PASSPort Social Networking, Community Connection Event
• Learn: PASS Summit Annual Conference, Technical Articles, Webcasts
The Professional Association for SQL Server (PASS) is an independent, not-for-profit association, dedicated to supporting, educating, and promoting the Microsoft SQL Server community.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.