il-sung lee senior program manager microsoft corporation dat304


Upload: barry-davidson

Post on 23-Dec-2015


Page 1: Il-Sung Lee Senior Program Manager Microsoft Corporation DAT304

Auditing in Microsoft SQL Server 2008

Il-Sung Lee
Senior Program Manager
Microsoft Corporation
DAT304


Agenda

• What’s changed since SQL Server 2005?
• Why should I use SQL Server Audit?
• What is the performance impact?
• Can I protect the Audit log from the DBA?
• What happens if Audit fails to write?
• What do I do if the server fails to start because of SQL Server Audit?
• Anything else I should know?

What’s changed since SQL Server 2005?


We now have a dedicated, security auditing feature.


Auditing Database Activity

SQL Server 2005
• SQL Trace
• DDL/DML Triggers
• Third-party tools to read transaction logs
• No management tools support

SQL Server 2008
• SQL Server Audit


SQL Server Audit

Audit now a 1st Class Server Object
• Native DDL for Audit configuration and management
• Security support

Create an Audit object to automatically log actions to:
• File
• Windows Application Log
• Windows Security Log

Ability to define granular Audit Actions of Users or Roles on DB objects


Audit Specifications

[Diagram: an Audit object and its targets (Security Event Log, Application Event Log, File system). Diagram labels: Server Audit Specification containing Server Audit Actions; Database Audit Components, each with a Database Audit Specification containing Database Audit Actions.]

0..1 Server audit specification per Audit object

0..1 DB audit specification per database per Audit object

-- Server-level specification: record failed logins in PCI_Audit
CREATE SERVER AUDIT SPECIFICATION SvrAC
FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP);

-- Database-level specification: record every SELECT on Customers by any user
CREATE DATABASE AUDIT SPECIFICATION AuditAC
FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON Customers BY public);
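The two specifications above need an Audit object to attach to, and nothing is recorded until both the Audit and its specifications are enabled. The following T-SQL is an added example, not code from the presentation: it builds the slide's PCI_Audit end to end and reads the events back. The file path, the Sales database and the dbo.Customers table are assumptions.

```sql
-- Added example. PCI_Audit, SvrAC and AuditAC are the names used on the slide;
-- D:\AuditLogs\, the Sales database and dbo.Customers are assumed for illustration.
USE master;
GO
-- 1. The Audit object defines the target and the write-failure behaviour.
CREATE SERVER AUDIT PCI_Audit
TO FILE (FILEPATH = N'D:\AuditLogs\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- 2. At most one server audit specification per Audit object.
CREATE SERVER AUDIT SPECIFICATION SvrAC
FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON);
GO
-- 3. At most one database audit specification per database per Audit object.
USE Sales;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditAC
FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON OBJECT::dbo.Customers BY public)
WITH (STATE = ON);
GO
-- 4. An Audit is created disabled; enable it once the specifications are in place.
USE master;
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- 5. Read the recorded events back from the audit files.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\AuditLogs\PCI_Audit_*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time;
```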


Why should I use SQL Server Audit?


For performance, security, flexibility, and other good reasons!

“We already have strict limits on who can see the data, and we use SQL Server 2008 auditing to verify this,” says Gerald Schinagl, Project Manager and Systems Architect for the Sports Database at Austrian Broadcasting Corporation Radio & Television (ORF).


Reasons to Use SQL Server Audit

• Faster than SQL Trace
• Leverages high performance eventing infrastructure
• Granular auditing
• Runs within engine

• More secure
• More choices for audit target
• Automatically records changes to Audit state
• Persists state between restarts

• Parity with SQL Server 2005 Audit Generation
• Configuration and management in SSMS
• Integration with Policy-Based Management

Enabling SQL Server Audit

demo


What is the performance impact?


Depends…


Audit Performance

Depends upon:
• The workload
• What’s being audited

Comparison of SQL Server Audit against SQL Trace for 5 different typical customer workloads…


SQL Server Audit vs SQL Trace

Customer Workload Performance

Workload     Base Time (min)   SQL Trace (min)   SQL Server Audit (min)
Workload 1   13.3              15.9              14.1
Workload 2   41.3              101.9             55.9
Workload 3   5.1               6.3               5.6
Workload 4   63.4              76.6              68.13
Workload 5   3.6               4.78              4


Can I protect the Audit log from the DBA?

Yes.

“We’re seeing more audit requests in the industry, and they often want us to demonstrate the ability to document who has accessed what data,” says Umut Nazlica, Manager of Open Systems Databases at Garanti Technology. “This was something that was extremely hard to do without third-party tools prior to SQL Server 2008. With Enhanced Auditing, we will be able to provide granular information including when and by whom each data change was made.”


Protecting Audit Data

Windows Security Log
• “Tamper-proof” log
• DBA cannot clear log (assuming not an Administrator)
• System Center Operations Manager Audit Collection Service

Copy Audit logs to secure location
• Directory or share inaccessible by service account or DBA
• Audit log files are shared-read and cannot be tampered with while active
• Possible momentary exposure if using multiple logs

Combination of the two
• Audit “tamper” activity to Security Log, e.g., DBA modifying Audit
• All other Audit events are sent to file
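The "combination of the two" layout can be expressed as two Audit objects, one per target. This T-SQL is an added example, not code from the presentation; the audit and specification names, the file path and the choice of action groups for the file audit are assumptions.

```sql
-- Added example: all object names and D:\AuditLogs\ are hypothetical.
-- Writing to the Security log also requires the SQL Server service account to
-- hold the Windows "Generate security audits" right.
USE master;
GO
-- Audit 1: changes to any audit go to the Windows Security log, which the
-- DBA cannot clear unless also a Windows Administrator.
CREATE SERVER AUDIT Audit_Tamper
TO SECURITY_LOG
WITH (QUEUE_DELAY = 0, ON_FAILURE = CONTINUE);  -- 0 = write synchronously
GO
CREATE SERVER AUDIT SPECIFICATION Audit_Tamper_Spec
FOR SERVER AUDIT Audit_Tamper
    ADD (AUDIT_CHANGE_GROUP)   -- audit created, altered, dropped, started or stopped
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Tamper WITH (STATE = ON);
GO
-- Audit 2: the higher-volume events go to file, the faster target.
CREATE SERVER AUDIT Audit_Activity
TO FILE (FILEPATH = N'D:\AuditLogs\')
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION Audit_Activity_Spec
FOR SERVER AUDIT Audit_Activity
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Activity WITH (STATE = ON);
GO
-- Check: both audits should report is_state_enabled = 1.
SELECT name, type_desc, on_failure_desc, is_state_enabled
FROM sys.server_audits
WHERE name IN (N'Audit_Tamper', N'Audit_Activity');
```

With this split, a DBA who disables or alters Audit_Activity leaves an AUDIT_CHANGE_GROUP event in the Security log, outside the DBA's control.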


What happens if Audit fails to write?


Depends again…


Audit Write Failure (shutdown)

Shut down server on audit log failure

Audit Write Failure (non-shutdown)

Audit Events Buffered
• Audit buffer size varies but is around 4 MB (equivalent to at least 170 events, depending upon statement text)

Server Blocks Activity Generating Audit Event
• Does not affect other Audits
• Blocks until buffer space freed or audit disabled

Audit Session Turned Off
• Buffered data is discarded and error written to errorlog
• Continue trying to write future events to Audit log
• If failure during creation of handle to file/Windows log session, manual restart of Audit session required

[Diagram labels: Buffer filled, System error]


What do I do if the server fails to start because of SQL Server Audit?


Start the server in single-user mode


Starting the Server

Option 1
• Correct source of error
• E.g., file system full

Option 2
• Single-user mode, “-m”
• Audit is active but shutdown-on-failure behavior deactivated
• Audit Admin can fix Audit configuration

Option 3
• Minimal configuration mode, “-f”
• Audit disabled but Audit DDL can still be issued.


Using SQL Server Audit with Policy-Based Management

demo


Anything else I should know?


Just a few things.


Other Things You Should Know

• Enterprise only
• Parameterized queries
• Audit Xevent Sessions may not be manipulated by Xevent DDL.
• Audit logs are not encrypted
• Audit events are fired with permission checks
• Writing to files is much faster than to the event log


Other Things You Should Know

Both Audit and Audit Specifications have STATE parameters
• Can only change state outside user transaction
• All other audit changes can be done in a transaction, but with Audit or Audit Specification OFF
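The recovery options under "Starting the Server" and the STATE rules above combine into one repair sequence, run after the instance has been started with "-m" or "-f". The T-SQL below is an added example, not code from the presentation; PCI_Audit is the slide's audit name and the E:\AuditLogs\ path is an assumption.

```sql
-- Added example: repair an audit whose target became unwritable.
-- PCI_Audit is the name from the slide; E:\AuditLogs\ is a hypothetical new path.
USE master;
GO
-- See which audits exist, how they fail, and whether they are enabled.
SELECT name, type_desc, on_failure_desc, is_state_enabled
FROM sys.server_audits;
GO
-- A STATE change must be issued outside any user transaction.
ALTER SERVER AUDIT PCI_Audit WITH (STATE = OFF);
GO
-- With the audit OFF, other changes can be grouped in a transaction so the
-- new target and the new failure behaviour take effect together.
BEGIN TRANSACTION;
    ALTER SERVER AUDIT PCI_Audit
    TO FILE (FILEPATH = N'E:\AuditLogs\')
    WITH (ON_FAILURE = CONTINUE);
COMMIT TRANSACTION;
GO
-- Re-enable, again outside a transaction.
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- Confirm the audit session is running and where it is writing.
SELECT name, status_desc, audit_file_path
FROM sys.dm_server_audit_status;
```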

Creating an Audit Collector

demo


Securely and Easily Track DB Activity

• Consider SQL Server Audit for all security auditing requirements
• Carefully devise a strategy for what needs to be audited and where to send the audit information based on security and performance needs
• Monitor administrator activity and prevent tampering of the logs


question & answer

Resources

• www.microsoft.com/teched (Sessions On-Demand & Community)
• http://microsoft.com/technet (Resources for IT Professionals)
• http://microsoft.com/msdn (Resources for Developers)
• www.microsoft.com/learning (Microsoft Certification & Training Resources)


Related Content

DAT15-HOL: Using Microsoft SQL Server 2008 Policy-Based Management to Set Policies and Help Ensure Compliance

DAT02-INT: Protecting Your Data Using Encryption in Microsoft SQL Server

DAT02-HOL: Implementing Database Compliance Scenarios


Track Resources

• Understanding SQL Server Audit: http://msdn.microsoft.com/en-us/library/cc280386.aspx
• Auditing in SQL Server 2008 whitepaper: http://msdn.microsoft.com/en-us/library/dd392015.aspx
• SQL Server Security homepage: http://www.microsoft.com/sqlserver/2008/en/us/security.aspx
• SQL Server Security blog: http://blogs.msdn.com/sqlsecurity/
• Administering Servers by Using Policy-Based Management: http://msdn.microsoft.com/en-us/library/bb510667.aspx


SQL Server Community Resources

Become a FREE PASS Member: www.sqlpass.org/RegisterforSQLPASS.aspx
Learn more about the PASS organization: www.sqlpass.org/

Additional Community Resources
• SQL Server Community Center: www.microsoft.com/sqlserver/2008/en/us/community-center.aspx
• TechNet Community for IT Professionals: http://technet.microsoft.com/en-us/sqlserver/bb671048.aspx
• Developer Center: http://msdn.microsoft.com/en-us/sqlserver/bb671064.aspx
• SQL Server 2008 Learning Portal: http://www.microsoft.com/learning/sql/2008/default.mspx

• Connect: Local Chapters, Special Interest Groups, Online Community
• Share: PASSPort Social Networking, Community Connection Event
• Learn: PASS Summit Annual Conference, Technical Articles, Webcasts

The Professional Association for SQL Server (PASS) is an independent, not-for-profit association, dedicated to supporting, educating, and promoting the Microsoft SQL Server community.


SQL Server Word of the Day

POLICY-BASED MANAGEMENT

Monday, May 11

*Game cards may be picked up at the SQL Server booths in the TLC


Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.