
SQL Server 2008 Compliance Guidance

SQL Server 2008

SQL Server

: JC Cannon, Denny Lee

: Andy Roberts, Ayad Shammout

: Dan Jones, Craig Gick, Jack Richins, Raul Garcia, Devendra Tiwari, Steven Gott, Al Comeau, Lara Rubbelke

: 2008 11

: SQL Server 2008

:SQL Server SQL Server 2008 IT

:

Microsoft Microsoft Microsoft

Microsoft

Microsoft Corporation

Microsoft Microsoft

2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BitLocker, Excel, Internet Explorer, PivotTable, PowerShell, SQL Server, Vista, Visual Basic, Visual Studio, Windows, Windows Server, Windows Vista, Microsoft

7

7

7

7

7

GRC 8

8

9

9

GRC 10

11

11

IT 11

SQL Server 2008 IT 13

13

SQL Server 2008 14

SQL Server 2008 14

ID 15

Windows 16

18

19

20

21

21

21

22

23

25

sysadmin 25

sa 25

sysadmin ( sysadmin )26

sysadmin 26

SQL Server 2008 sysadmin 26

Windows Vista Windows Server 2008 SID 28

BUILTIN\Administrators 29

ID 29

30

SQL Server 30

30

30

31

32

32

33

33

33

sysadmin dbo 34

34

35

36

36

36

37

37

38

sysadmin db_owner 38

39

39

40

40

41

42

43

DDL 43

DDL 44

DML 44

DML 45

46

46

47

47

47

48

49

49

KPI KRI 51

52

52

53

54

57

SQL Server 57

SMO57

Transact-SQL57

Windows PowerShell57

VBScript58

Windows Data Access Components58

(Server Security Policy.xml)59

(SOD Policy.xml)61

62

sysadmin (ManageSA.sql)63

sa (ValidateSA.sql)64

sysadmin (ValidateSysadmins.sql)65

(SOD Policy.xml)65

(ValidateServerRoles.sql)66

(ValidateServerRoles.sql)66

(ValidateDatabaseRoles.sql)67

69

(AuditCryptoActions.sql)69

(ViewKeys.sql)69

(RotateCerts.sql)71

(BackupCerts.sql)72

(CertRotationPolicy.xml)73

73

SQL Server Audit (StoreAuditLogs.sql)73

SSIS (LoadLogsPackage.dtsx)76

Excel SQL Server Audit (AuditReport.xlsx)79

IP 81

82

87

PowerShell 87

PowerShell (DeployPBMPolicies.ps1)87

88

92

IT Microsoft Microsoft SQL Server 2008 SQL Server 2008 SQL Server 2008 compliance software development kit (SDK)

IT IT SQL Server 2008 SDK IT SDK Readme

SQL Server 2008 Microsoft Solution Accelerator Team Windows Server

SQL Server SQL Server 2008 SDK Compliance Hands-on-Lab()

PCI-DSS SQL Server

GRC () 3 GRC GRC Forrester GRC GRC SQL Server GRC

GRC

GRC 1

1: GRC

()

IT ()SQL Server sysadmin sysadmin sysadmin

1. 2. 3. IT 4.

GRC

GRC 2

2: GRC

() GRC

SQL Server 2008 2 (sa ) SQL Server Audit

(KPI) KPI IT KPI CPU

(KRI) KRI IT KRI IT KRI

KPI KRI KPI KRI

IT

IT IT IT

3 IT IT Microsoft Microsoft IT Compliance Planning Guide()

3: SOX: ; PCI: Payment Card Industry; HIPAA: Health Information Portability and Accountability Act; GLBA: Gramm-Leach-Bliley Act

IT

ID

7

SQL Server 2008 IT

SQL Server 2008 IT SQL Server IT IT IT IT

ID

SQL Server 2008

SQL Server 2008

SQL Server 2008 1

SQL Server SQL Server IT SQL Server

Service Pack

Windows Server 2008 Windows Server 2008 Security Guide()

SQL Server 2008

IT SQL Server SQL Server 2008 SQL Server

SQL Server 2008

SQL Server 2008 SQL Server (PBM) 4 PBM Analysis Services Reporting Services

4:

4 SQL Server 5 SQL Server

5: SQL Server

SQL Server sp_configure

ID

SQL Server 2008 6 SQL Server 2008 ID

Windows

ID

6:

Windows

ID ID

Windows SQL Server ID Active Directory ID SQL Server Active Directory (ADDS)

ID

-

Windows SQL Server Management Studio [] [] (7)

7:

Windows Windows SQL Server Windows Windows

CREATE LOGIN [SQLVM03-18158EA\Pat] FROM WINDOWS

[ - ] (8) [] []

8: [ - ]

SQL Server SQL Server sysadmin dbcreator

sp_addsrvrolemember N'SQLVM03-18158EA\Pat', N'dbcreator'

9 [] [ ]

9: SQL Server

Test1

USE Test1
CREATE USER [Pat] FOR LOGIN [SQLVM03-18158EA\Pat]

10 [ - ] [] []

10: [ - ]

SQL Server db_owner db_datareader

sp_addrolemember N'db_datareader', N'Pat'
sp_addrolemember N'db_datawriter', N'Pat'

[ - ]

() ( )

db_datareader db_datawriter DENY CCTable1

DENY DELETE ON OBJECT::CCTable1 TO [Pat]

: DBCC

( )

GRANT ALTER ANY LOGIN TO [SQLVM03-18158EA\Pat]

11 [] [] [] 11 Pat CCTable1

11: SQL Server

( )

USE Test1
GRANT CREATE TABLE TO [SQLVM03-18158EA\Pat]

12 [ ] [] []

12:

DENY

DENY SELECT ON [CCTable1] ([CCNumber]) TO [SQLVM03-18158EA\Pat]

: SELECT * SELECT *

13 Pat [] SELECT

13:

(SOD: ) ID 1 SOD 2

()

SQL Server sysadmin SOD sysadmin 1. sa 2. sysadmin 3. sysadmin

sysadmin

SQL Server sysadmin

sa

sa SQL Server sa SQL Server Management Studio

sysadmin ( sysadmin )

sysadmin sa DBCC PINTABLE sysadmin sysadmin sysadmin sysadmin sysadmin sysadmin sysadmin

: CONTROL SERVER sysadmin sa () CONTROL SEVER sysadmin DENY IMPERSONATE

USE master
DENY IMPERSONATE ON LOGIN::Yukonsa TO [SQLVM03-18158EA\Pat];

sysadmin

sysadmin sysadmin

SQL Server 2008 sysadmin

SQL Server SQL Server Windows

SQL Server 2008 3 sysadmin

sa

sysadmin Windows SQL Server

Windows

Windows SQL Server sysadmin

NT AUTHORITY\SYSTEM

Microsoft UpdateWindows UpdateSystem Center Configuration ManagerWindows Cluster Server Windows

1: sysadmin

Windows Vista Windows Server 2008 SQL Server sysadmin

NT SERVICE\MSSQLSERVER

SQL Server (SID) SQL Server "NETWORK SERVICE" SID SQL Server ()

NT SERVICE\SQLSERVERAGENT

SQL Server SID SQL Server "NETWORK SERVICE" SID SQL Server ()

2: Windows Vista Windows Server 2008 sysadmin

Windows Vista Windows Server 2008 SQL Server sysadmin

NT AUTHORITY\NETWORK SERVICE

SQL Server SQL Server SQL Server SQL Server Windows Windows []

localhost\SQLServer2005MSSQLUser$

localhost$MSSQLSERVER

SQL Server Windows

localhost\SQLServer2005SQLAgentUser$localhost$MSSQLSERVER

SQL Server Windows

3: Windows sysadmin

: localhost

Windows Vista Windows Server 2008 SID

Windows Vista Windows Server 2008 SID SQL Server 2008 SQL Server SQL Server SID SQL Server ( ) SID

BUILTIN\Administrators

BUILTIN\Administrators SQL Server 2008 SQL Server sysadmin Windows Vista Windows Server 2008 SQL Server SQL Server SQL Server 2005 SP2 Windows sysadmin

SQL Server 2008 BUILTIN\Administrators sysadmin Windows sysadmin Windows sysadmin Windows sysadmin / SQL Server

ID

IMPERSONATE EXECUTE AS

SQL Server 2008 SQL Server

SQL Server

SQL Server 2005 Windows CAPICOM SQL Server SQL Server

SQL Server

SQL Server 2008 (TDE) TDE

14 TDE

(EKM)

14:

TDE TDE TDE

USE master
BACKUP CERTIFICATE [MyServerCert] TO FILE = 'c:\certificates\MyServerCert.crt'
WITH PRIVATE KEY (FILE = 'c:\certificates\MyServerCert.pvk',
ENCRYPTION BY PASSWORD = 'MyPass7779311#');

( )

TDE

100 100 1 100

:

PCI TDE master DATABASE_OBJECT_ACCESS_GROUP DATABASE_OBJECT_CHANGE_GROUP

()

()

()

(SQL Server 2008 )

()

()

Service Broker

()

TDE DATABASE_CHANGE_GROUP

SQL Server 2008

Windows (EFS)Windows BitLocker TDE EFS BitLocker SQL Server EFS BitLocker EFS BitLocker TDE TDE BitLocker EFS Database Encryption in SQL Server 2008 Enterprise Edition()

sysadmin dbo

sysadmin (dbo) sysadmin db_owner sysadmin sysadmin sysadmin dbo SQL Server Audit sysadmin db_owner

SQL Server 2008

SQL Server Audit SQL Server Audit Web

System Center Operations Manager SQL Server Integration Services (SSIS) SQL Server Reporting Services (SSRS) (15 )

15:

(15 ) SQL Server Integration Services

SQL Server Audit SQL Server NETWORK SERVICE SQL Server

SSIS SQL Server

SQL Server SQL Server

16

16: GRC

1) :

2) ID : ETL ID ID

3) /: ( ) ID ID

4) /: ID 3. 4.

5) /: ()

SQL Server Audit SQL Server Audit () (SELECTUPDATEEXECUTE )

( sysadmin ) sysadmin sysadmin

sysadmin

HIPAA (SQL ) (sysadmin)

()

sysadmin db_owner

SQL Server Audit sysadmin db_owner "db_owner" db_owner sysadmin sysadmin dbo db_owner

USE [Test1]
ALTER DATABASE AUDIT SPECIFICATION [AuditDBO]
ADD (SELECT ON [dbo].[CCTable1] BY [dbo])

1 1 1 () 1

() 100MB

1

: ( HIPPA ) 100MB 1

SQL Server DDL DML

1

17:

2008 8 19 2008 8 21 3 18

18:

2008 8 21

17 83

19:

20 2 2008 8 21 3 4

20:

DataCollectionSPW 3 GRANT master 4 CREATE 4 CREATE MYDOMAIN\Sql () RESTORE LABELONLY

21:

: master CREATE CREATE RESTORE LABELONLY

DDL

22 DDL 2008 8 20 SQLDBADMIN 44 DROP TABLE

22: DDL

DDL

DROP TABLE DDL

23: DDL

DML

DML DML 2008 8 21 SQLDBADMIN 4 DELETE

24: DML

DML

DML "4" DELETE

25: DML

SDK ID

1 1 ( ) 26

SQL Server 2008 Web

26:

PCI PCI PCI 27 PCI

27:

2

"" "" [: ] [: ]

IT

: (UI usp )

: mastermsdb tempDB

: (24 )

:

: SQL Server

: (2 )

sysadmin : sysadmin sa

IT

1

2

28

H:\

1

50

2

3

:

40

"foo"

4:

1

IT

""

SQL Server (H:\ ) ([: ])

5 ": " CoC: ": " CoC: "" CoS SQL Server Policy-Based Management: Facets()

CoC:

CoC:

CoS

Broker

Broker

DDL

DDL

AS

RS

XML

5:

KPI KRI

(KPI) (KRI) SQL Server KPI KRI KPI KRI KPI KRI

KPI

:sysadmin

1

(TDE) ()

( 1 )

1

28:

29 SQL Server Management Studio []

29:

PowerShell Windows PowerShell

1 1

30:

30 SQLAudit ( PowerShell ) SQLAudit

31

31:

2008 6 18 ServerInstanceName "Caregroup" "Test Policy with Lots of Violations" "Evaluated Policy"

32:

32 33 [] LogOnSuccess True LogOnSuccess

33:

SDK

SQL Server

SQL Server SQL Server (SMO)Transact-SQL Windows PowerShell 3

SMO

SQL Server (SMO) Microsoft SQL Server SMO SQL Server SMO SQL (SQL-DMO) SQL-DMO SQL-DMO SMO SQL Server

Transact-SQL

Transact-SQL SQL Server SQL Server Transact-SQL

Windows PowerShell

Windows PowerShell IT Windows PowerShell 130 Windows PowerShell Windows Server 2008 Windows PowerShell Quick Reference()

PowerShell SQL Server PowerShell Web SQL Server PowerShell ()

:PowerShell PowerShell SQLPS PowerShell Running Windows PowerShell Scripts()

VBScript

Microsoft Visual Basic Scripting Edition (VBScript) Microsoft Internet Explorer Web Microsoft (IIS) Web VBScript SQL Server SQL Server Script Repository: SQL Server()

Windows Data Access Components

Windows Data Access Components Microsoft ActiveX Data Objects (ADO)OLE DB Microsoft Open Database Connectivity (ODBC) Web LAN / SQL Server

(Server Security Policy.xml)

Windows Windows SQL Server Management Studio [] [] (34 ) Server Security Policy.xml

34:

Windows [] 35 []

35:

[] (36)

36:

(SOD Policy.xml)

SOD Policy.xml sa sysadmin 1 2

:[] (37 )SQL Server Management Studio []

37: []

1 SOD Policy Validate Roles

IsNull(ExecuteSql('Numeric',
    'SELECT COUNT(DISTINCT name)
     FROM sys.server_role_members,
          sys.server_principals
     WHERE principal_id = member_principal_id
     AND role_principal_id
         IN (SUSER_ID (''sysadmin''),
             SUSER_ID (''bulkadmin''),
             SUSER_ID (''securityadmin''))
     GROUP BY name
     HAVING COUNT(member_principal_id)> 1 '), 0)

ExecuteSQL SELECT SELECT 0 SELECT 2 IsNull NULL

sysadmin (ManageSA.sql)

sysadmin 1 sysadmin sysadmin sysadmin sysadmin

USE master
GO
CREATE PROCEDURE sp_DisableSA AS
IF (DB_ID() = 1)
BEGIN
    DECLARE @cmd nvarchar(max)
    -- SID 0x01 is always the "sa" login, even after it has been renamed
    SET @cmd = N'ALTER LOGIN ' + QUOTENAME(SUSER_NAME(0x01)) +
               N' DISABLE'
    EXEC ( @cmd )
END
ELSE
BEGIN
    RAISERROR ('sp_DisableSA is only valid when hosted in master DB', -- message
               16, -- severity
               1   -- state
              );
END
GO
CREATE PROCEDURE sp_EnableSA AS
IF (DB_ID() = 1)
BEGIN
    DECLARE @cmd nvarchar(max)
    -- SID 0x01 is always the "sa" login, even after it has been renamed
    SET @cmd = N'ALTER LOGIN ' + QUOTENAME(SUSER_NAME(0x01)) +
               N' ENABLE'
    EXEC ( @cmd )
END
ELSE
BEGIN
    RAISERROR ('sp_EnableSA is only valid when hosted in master DB', -- message
               16, -- severity
               1   -- state
              );
END
GO
-- Certificate used to sign the stored procedures
CREATE CERTIFICATE SACert WITH SUBJECT = 'For signing stored procedures'
GO
-- Let the operator execute the procedure
GRANT EXECUTE ON sp_DisableSA TO [SQLVM03-18158EA\Pat];
-- Sign the procedure with the certificate
ADD SIGNATURE TO sp_DisableSA BY CERTIFICATE SACert;
-- Create a login that is mapped to the certificate
CREATE LOGIN [CertLogin] FROM CERTIFICATE SACert;
-- The certificate login gets sysadmin so that the signed procedure can
-- alter the sa login; the caller itself never becomes a sysadmin
EXEC sp_addsrvrolemember [CertLogin], N'sysadmin';
-- Remove the private key so that nothing else can be signed with it
ALTER CERTIFICATE [SACert] REMOVE PRIVATE KEY;
-- Record every change to server principals in the audit specification.
-- The specification must be turned off before it can be ALTERed,
-- then turned back on.
ALTER SERVER AUDIT SPECIFICATION [Audit Login Changes]
WITH (STATE = OFF)
GO
ALTER SERVER AUDIT SPECIFICATION [Audit Login Changes]
ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
GO
ALTER SERVER AUDIT SPECIFICATION [Audit Login Changes]
WITH (STATE = ON)
GO

sa (ValidateSA.sql)

Validate Roles sa

-- Compliant when the login with principal_id 1 (the original "sa")
-- is disabled and has been renamed
IF (SELECT COUNT(*)
    FROM sys.server_principals
    WHERE principal_id = 1
    AND is_disabled = 1
    AND name != 'sa') = 1
    PRINT 'Compliant'
ELSE
    PRINT 'Non-compliant'

sysadmin (ValidateSysadmins.sql)

SOD Policy.xml Validate Roles sysadmin

DECLARE @Admin1 sysname
DECLARE @Admin2 sysname
DECLARE @Admin3 sysname
DECLARE @Admin4 sysname
SET @Admin1 = @@SERVERNAME + '\Pat'
SET @Admin2 = 'NT AUTHORITY\SYSTEM'
SET @Admin3 = 'NT AUTHORITY\NETWORK SERVICE'
SET @Admin4 = 'sa'
IF EXISTS (SELECT name
           FROM sys.server_role_members A,
                sys.server_principals B
           WHERE A.member_principal_id = B.principal_id
           AND role_principal_id = SUSER_ID('sysadmin')
           AND name NOT IN (@Admin1, @Admin2,
                            @Admin3, @Admin4))
    PRINT 'Non-compliant'
ELSE
    PRINT 'Compliant'

(SOD Policy.xml)

1 1

SQL Server Windows SQL Server SQL Server

(ValidateServerRoles.sql)

[] (38 )

38: []

SOD Policy.xml 0

SELECT COUNT(*) AS [Count]
FROM sys.server_role_members, sys.server_principals
WHERE principal_id = member_principal_id
AND role_principal_id
    IN (SUSER_ID('sysadmin'), SUSER_ID ('bulkadmin'),
        SUSER_ID ('securityadmin'))
GROUP BY member_principal_id
HAVING COUNT(member_principal_id)> 1

(ValidateServerRoles.sql)

3

SELECT A.Name, B.NAME Role
FROM sys.server_principals A,
     sys.server_principals B,
     sys.server_role_members C
WHERE A.name IN (SELECT Name
                 FROM sys.server_role_members,
                      sys.server_principals
                 WHERE principal_id = member_principal_id
                 AND role_principal_id
                     IN (SUSER_ID('sysadmin'),
                         SUSER_ID ('bulkadmin'),
                         SUSER_ID ('securityadmin'))
                 GROUP BY member_principal_id, name
                 HAVING COUNT(member_principal_id)> 1
                )
AND A.principal_id = C.member_principal_id
AND B.principal_id = C.role_principal_id
ORDER BY Name

(ValidateDatabaseRoles.sql)

[ ] (39 )

39:

NULL 3

SELECT COUNT(member_principal_id) Count, Name
FROM sys.database_role_members,
     sys.database_principals
WHERE principal_id = member_principal_id
AND role_principal_id
    IN (DATABASE_PRINCIPAL_ID('db_securityadmin'),
        DATABASE_PRINCIPAL_ID('db_backupoperator'),
        DATABASE_PRINCIPAL_ID('db_datawriter'))
GROUP BY member_principal_id, Name
HAVING COUNT(member_principal_id)> 1
ORDER BY Name

3

SELECT A.Name, B.Name Role
FROM sys.database_principals A,
     sys.database_principals B,
     sys.database_role_members C
WHERE A.name IN
      (SELECT Name
       FROM sys.database_role_members,
            sys.database_principals
       WHERE principal_id = member_principal_id
       AND role_principal_id
           IN (DATABASE_PRINCIPAL_ID('db_securityadmin'),
               DATABASE_PRINCIPAL_ID('db_backupoperator'),
               DATABASE_PRINCIPAL_ID('db_datawriter'))
       GROUP BY member_principal_id, name
       HAVING COUNT(member_principal_id)> 1
      )
AND A.principal_id = C.member_principal_id
AND B.principal_id = C.role_principal_id
ORDER BY Name

SQL Server

(AuditCryptoActions.sql)

SQL Server Audit DATABASE_OBJECT_ACCESS_GROUP DATABASE_OBJECT_CHANGE_GROUP DATABASE_CHANGE_GROUP

(ViewKeys.sql)

master (TDE)

USE master;
CREATE MASTER KEY ENCRYPTION
BY PASSWORD = 'UseStrongPassword1!';
GO
CREATE CERTIFICATE MyServerCert
WITH SUBJECT = 'My DEK Certificate for Sensitive Data'

master certificates

USE master
SELECT name, certificate_id, start_date, thumbprint, pvt_key_last_backup_date
FROM sys.certificates

6 certificates start_date thumbprint encryptor_thumbprint pvt_key_last_backup_date NULL ( )

name            start_date               thumbprint           pvt_key_last_backup_date
NewServerCert   2008-07-20 19:43:04.000  0xBF372D91C333B1E    NULL
DEKCert_258     2008-07-23 04:21:40.000  0x99CF8887C56CEC9    2008-07-23 04:50:36.553
DEKCert_260     2008-07-23 04:51:55.000  0x8BFD5885501314B    2008-07-23 04:51:56.490
DEKCert_261     2008-07-25 05:11:26.000  0xC1B737DAFDCFAC     2008-07-25 05:11:28.800

6: certificates

TDE TDE

-- Run in the context of the database to be encrypted, not in master
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE DEKCert_258
GO
SELECT database_id, create_date, regenerate_date,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys

7 database_id ID 2 tempdb regenerate_date create_date encryptor_thumbprint

database_id  create_date              regenerate_date          encryptor_thumbprint
2            2008-08-20 17:46:28.110  2008-08-20 17:46:28.110  0
7            2008-07-01 20:27:03.983  2008-08-07 16:14:36.013  0xC1B737DAFDCFAC9C
8            2008-07-01 20:27:04.137  2008-08-07 16:14:36.103  0xC1B737DAFDCFAC9C
9            2008-07-01 20:27:32.667  2008-08-07 16:14:36.213  0xC1B737DAFDCFAC9C

7: sys.dm_database_encryption_keys

(RotateCerts.sql)

master 1 DATEDIFF ID SQL Server

:

DECLARE @Thumbprint varbinary(32)
DECLARE @CertID int
DECLARE @CertName sysname
DECLARE @DB_ID int
DECLARE @cmd nvarchar(max)
-- Select the certificates that currently protect a database encryption key
-- and whose start_date lies in an earlier calendar month than today.
-- The cursor is INSENSITIVE so that the replacement certificates created
-- inside the loop are not picked up by the same loop.
DECLARE Certificate_Cursor INSENSITIVE CURSOR FOR
SELECT [thumbprint], [certificate_id]
FROM sys.certificates
WHERE (DATEDIFF(MONTH, [start_date], GETDATE()) > 0 )
AND [thumbprint]
    IN (SELECT DISTINCT encryptor_thumbprint
        FROM sys.dm_database_encryption_keys)
OPEN Certificate_Cursor;
FETCH NEXT FROM Certificate_Cursor INTO @Thumbprint, @CertID;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Create the replacement certificate, named after the old certificate's ID
    SET @CertName = 'DEKCert' + '_' + LTRIM(STR(@CertID));
    SET @cmd = N'CREATE CERTIFICATE ' + QUOTENAME(@CertName) +
               N' WITH SUBJECT = ''DEK Certificate'''
    EXEC( @cmd )
    -- Re-encrypt the DEK of every database protected by the old certificate
    DECLARE Database_Cursor CURSOR FOR
    SELECT [database_id]
    FROM sys.dm_database_encryption_keys
    WHERE [encryptor_thumbprint] = @Thumbprint
    OPEN Database_Cursor;
    FETCH NEXT FROM Database_Cursor INTO @DB_ID;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        SET @cmd = N'USE ' + QUOTENAME(DB_NAME(@DB_ID)) + ';' +
                   N'ALTER DATABASE ENCRYPTION KEY ' +
                   N'ENCRYPTION BY SERVER CERTIFICATE ' +
                   QUOTENAME(@CertName)
        EXEC (@cmd);
        FETCH NEXT FROM Database_Cursor INTO @DB_ID;
    END
    CLOSE Database_Cursor;
    DEALLOCATE Database_Cursor;
    FETCH NEXT FROM Certificate_Cursor INTO @Thumbprint, @CertID;
END
CLOSE Certificate_Cursor;
DEALLOCATE Certificate_Cursor;

: 3

(BackupCerts.sql)

(pvt_key_last_backup_date NULL ) C:\certificates "crt" "pvt"

:

DECLARE @CertName sysname
DECLARE @cmd nvarchar(max)
DECLARE Cert_Cursor CURSOR FOR
SELECT [name]
FROM sys.certificates
WHERE [pvt_key_last_backup_date] IS NULL AND [thumbprint] IN
      (SELECT DISTINCT [encryptor_thumbprint]
       FROM sys.dm_database_encryption_keys)
OPEN Cert_Cursor;
FETCH NEXT FROM Cert_Cursor INTO @CertName;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @cmd =
        N'BACKUP CERTIFICATE ' + QUOTENAME(@CertName) +
        N' TO FILE = ''c:\certificates\' + @CertName +
        N'.crt'' WITH PRIVATE KEY ( FILE = ''c:\certificates\' +
        @CertName +
        N'.pvk'', ENCRYPTION BY PASSWORD = ''MyPass7779311#'');'
    EXEC ( @cmd )
    FETCH NEXT FROM Cert_Cursor INTO @CertName;
END
CLOSE Cert_Cursor;
DEALLOCATE Cert_Cursor;

(CertRotationPolicy.xml)

CetRotationPolicy.xml 3 1 1

SQL Server Audit

SQL Server Audit (StoreAuditLogs.sql)

40 SQL Server Integration Services (SSIS) Microsoft Excel

40:

SQL Server Audit 2

SQL Server Audit action object

2

USE [Test1]
GO
DECLARE @data_path nvarchar(256),
        @offset int
SET @data_path = NULL
SET @offset = NULL
IF NOT EXISTS (SELECT * FROM sys.objects
               WHERE object_id = OBJECT_ID(N'[dbo].[AuditLog]')
               AND type in (N'U'))
CREATE TABLE [dbo].[AuditLog](
    [event_time] [datetime2](7) NULL,
    [sequence_number] [int] NULL,
    [action_id] [varchar](4) NULL,
    [action_name] [nvarchar](128) NULL,
    [succeeded] [bit] NULL,
    [permission_bitmask] [bigint] NULL,
    [is_column_permission] [bit] NULL,
    [session_id] [smallint] NULL,
    [server_principal_id] [int] NULL,
    [database_principal_id] [int] NULL,
    [target_server_principal_id] [int] NULL,
    [target_database_principal_id] [int] NULL,
    [object_id] [int] NULL,
    [class_type] [varchar](2) NULL,
    [class_type_desc] [nvarchar](35) NULL,
    [session_server_principal_name] [nvarchar](128) NULL,
    [server_principal_name] [nvarchar](128) NULL,
    [server_principal_sid] [binary](85) NULL,
    [database_principal_name] [nvarchar](128) NULL,
    [target_server_principal_name] [nvarchar](128) NULL,
    [target_server_principal_sid] [binary](85) NULL,
    [target_database_principal_name] [nvarchar](128) NULL,
    [server_instance_name] [nvarchar](128) NULL,
    [database_name] [nvarchar](128) NULL,
    [schema_name] [nvarchar](128) NULL,
    [object_name] [nvarchar](128) NULL,
    [statement] [nvarchar](2000) NULL,
    [additional_information] [nvarchar](2000) NULL,
    [file_name] [nvarchar](260) NULL,
    [audit_file_offset] [bigint] NULL
) ON [PRIMARY]
-- Resume from the audit file and offset of the newest record already
-- loaded; both stay NULL on the first run, so every file is read
SELECT @data_path = file_name, @offset = audit_file_offset
FROM AUDITLOG
WHERE event_time = (select MAX(event_time)FROM AUDITLOG)
INSERT INTO [Test1].[dbo].[AuditLog]
    ([action_name]
    ,[class_type_desc]
    ,[event_time]
    ,[sequence_number]
    ,[action_id]
    ,[succeeded]
    ,[permission_bitmask]
    ,[is_column_permission]
    ,[session_id]
    ,[server_principal_id]
    ,[database_principal_id]
    ,[target_server_principal_id]
    ,[target_database_principal_id]
    ,[object_id]
    ,[class_type]
    ,[session_server_principal_name]
    ,[server_principal_name]
    ,[server_principal_sid]
    ,[database_principal_name]
    ,[target_server_principal_name]
    ,[target_server_principal_sid]
    ,[target_database_principal_name]
    ,[server_instance_name]
    ,[database_name]
    ,[schema_name]
    ,[object_name]
    ,[statement]
    ,[additional_information]
    ,[file_name]
    ,[audit_file_offset])
SELECT name, class_type_desc, C.*
FROM sys.dm_audit_actions A, sys.dm_audit_class_type_map B,
     sys.fn_get_audit_file('C:\logs\*', @data_path, @offset) C
WHERE A.action_id = C.action_id
AND B.class_type = C.class_type

SSIS (LoadLogsPackage.dtsx)

40 SQL Server Integration Services (SSIS) 41 SQL Server Audit SSIS ()2

41: 2 SSIS

42 SQL Server Audit

42: 1

SSIS 43 SQL Server Agent CreateAuditJob.sql C:\ LoadLogsPackage.dtsx 5

43: SQL Server Agent SSIS

Excel SQL Server Audit (AuditReport.xlsx)

Excel SQL Server Audit Excel 44 SQL Server Audit [] Excel

44: Excel SQL Server Audit

Excel [] PivotTable 45 PivotTable PivotTable PivotTable PivotTable

45: SQL Server Audit PivotTable

IP

server_principal_name ID Windows SQL Server server_principal_name ID session_id ID ID ( ID "LGIS" ) additional_information IP server_principal_name IP

SELECT event_time, statement,
       CAST(additional_information AS XML).value('declare namespace z="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data";
       (//z:address)[1]', 'nvarchar(300)')
FROM sys.fn_get_audit_file('C:\logs\*',Null, Null)
WHERE action_id = 'LGIS'
ORDER BY event_time DESC

Caregroup Healthcare (Ayad Shammout)Microsoft Consulting Services (Andy Roberts) SQL Customer Advisory Team (Denny Lee) Audit Project Technical Spotlight()

46:

SQLAudit.zip

SQLAuditRepositoryDatabase.sql SQLAudit SQL

LoadLogsPackage.dtsx SSIS

SQLAuditReports SQL Server Reporting Services (SSRS)

SQLAudit

1. SQL Server Management Studio SQLAuditRepositoryDatabase.sql SQLCMD ([] SQLCMD )SQLCMD :setvar

2.

DataDirectory

SQL DB (H:\sqldata\ )

"\"

LogDirectory

SQL DB (H:\sqllog\ )

"\"

DatabaseName

(SQLAudit )

3.

LoadLogsPackageSSIS

SSIS

1. [SQLAuditLoader.SSISDeploymentManifest] C:\program files\Microsoft SQL Server\100\DTS\Binn\dtsinstall.exe http://msdn.microsoft.com/ja-jp/library/ms365321(SQL.100).aspx

2. [] [ ] [] (C:\Program Files\Microsoft SQL Server\100\DTS\Packages\SQLAuditLoader ) [] []

3.

SSIS log provider for SQL Server

SqlAuditLogRepository

SqlAuditLogRepository

SQLAudit (SQLAudit )

Data Source=.;Initial Catalog=$DBName$;Provider=SQLNCLI10.1;Integrated Security=SSPI;Auto Translate=False;Application Name=SSIS-Package-{21C9032A-E45A-41F2-BA67-9EF35FCD18C3}SqlAuditLogRepository;

User:auditLogArchivePath

D:\audit\logs\archive

User:LogFilePath

D:\Audit\logs

LoadLogsPackageConfig.dtsConfig SSIS

:

4. [] []

SSIS

D:\audit\logs () D:\audit\logs\archive

1. SQLAuditLoader (C:\Program Files\Microsoft SQL Server\100\DTS\Packages\SQLAuditLoader )

2.

dtexec /ConfigFile LoadLogsPackageConfig.dtsConfig /File LoadLogsPackage.dtsx

:SQL Server 2008 DTExec SQL Server 2005 SQL Server 2008 DTExec SQL Server 2008 (10.00.xxxx) SQL Server 2005 (9.00.xxxx) DTExec (C:\Program Files\Microsoft SQL Server\100\DTS\Binn\dtexec.exe )

SSIS (15 )

SSIS SQLAudit aud.AuditLog_[EventType] ( )

SQL Server Management Studio SQLAudit

exec aud.rspAggServerActions @EventDate = '08/22/2008'
exec aud.rspAggDatabaseActions @EventDate = '08/22/2008'
exec aud.rspAggDMLActions @EventDate = '08/22/2008'
exec aud.rspAggDDLActions @EventDate = '08/22/2008'

aud.rptAgg[AuditEvent]Actions

SQL Server

-- @LastDay holds yesterday's date and is passed to each aggregation procedure
-- 12
Declare @LastDay char(11)
select @LastDay = Convert(char(11), getdate()-1 , 1)
Select @LastDay
Exec aud.rspAggServerActions @LastDay
Exec aud.rspAggDatabaseActions @LastDay
Exec aud.rspAggDDLActions @LastDay
Exec aud.rspAggDMLActions @LastDay

(SQLAudit) SQL 12 aud.AuditLog_%

select partition_id, OBJECT_NAME(object_id), object_id, index_id, partition_number, partition_id, rows as [RowCount], x.value
from sys.partitions
left outer join (
    select boundary_id, value
    from sys.partition_range_values
    where function_id = (
        select function_id
        from sys.partition_functions
        where [name] = 'monthly_partition_function'
    )
) x
on x.boundary_id = partition_number - 1
where OBJECT_NAME(object_id) like 'AuditLog%' and index_id = 1
order by OBJECT_NAME(object_id), partition_number

SQLAuditReports Reporting Services

1. SQLAuditReports Reporting Services Microsoft Visual Studio

2. TargetServerURL http://campschurmann/

47: SQL AuditingReports

3. SQLAudit.rds SQLAudit ( SQLAudit )

4. ([] > [])http://[] /Reports/Pages/Folder.aspx?ItemPath=%2fSQL+Auditing+Reports&ViewMode=List

SSIS ( 1 1 )

SQLAudit$%Server$InstanceName%_%GUID%.sqlaudit

[aud].[fn_GetServerInstanceName] %Server$InstanceName% SQLAudit$Server$InstanceName

PowerShell

SQL Server Management Studio PowerShell Sethu

http://blogs.msdn.com/sethus/archive/2008/06/16/sql-2008-powershell-script-for-creating-a-policy-and-saving-to-file.aspx ()

Microsoft.SqlServer.Management.Dmf SQL Server

http://msdn.microsoft.com/ja-jp/library/microsoft.sqlserver.management.dmf.aspx

PowerShell (DeployPBMPolicies.ps1)

PowerShell

# Export every policy of the source server to C:\Policies
$policydir = "C:\Policies\"
del C:\Policies\*
$sourceserver = "\"   # server\instance of the source server
$conn = new-object Microsoft.SqlServer.Management.Sdk.Sfc.SqlStoreConnection("server=$sourceserver;Trusted_Connection=true");
$polstore = new-object Microsoft.SqlServer.Management.DMF.PolicyStore($conn);
$fileprefix = "ExportedPolicy_"
$policycount = 0
# Number of policies on the source server, reported in the summary below
$sourcepolicycount = $polstore.Policies.Count;
foreach ($policy in $polstore.Policies)
{
    $policycount++;
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    #$polstore.ExportPolicy($polstore.Policies[$policy.Key], $XmlWriter);
    $policy.Serialize($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    $outputfile = $policydir + ("{0}.xml" -f (Encode-SqlName $policy.Name));
    $StringWriter.ToString() | out-file $outputfile;
}
if ($policycount -gt 0)
{
    Write-Host $policycount "of" $sourcepolicycount "policies have been exported to" $policydir -foregroundcolor "green"
}
else
{
    write-host "No policies were exported" -foregroundcolor "red"
}
# Import the exported policies into every server listed in C:\Servers.txt
$policylocation = "C:\Policies"
$serversfile = "C:\Servers.txt"
$servercount = 0
$servers = Get-Content $serversfile
foreach ($server in $servers) {
    $servercount++;
    $conn = new-object Microsoft.SqlServer.Management.Sdk.Sfc.SqlStoreConnection("server='$server';Trusted_Connection=true");
    $polstore = new-object Microsoft.SqlServer.Management.DMF.PolicyStore($conn);
    foreach ($fileobject in get-childitem $policylocation){
        $file = $fileobject.FullName
        $reader = [System.Xml.XmlReader]::Create((convert-path $file));
        # 0 = leave the enabled state as stored in the file; overwrite existing policies and conditions
        $output = $polstore.ImportPolicy($reader, 0, $true, $true);
    }
}
if ($servercount -gt 0)
{
    Write-Host "Policies have been imported to" $servercount "servers." -foregroundcolor "green"
}
else
{
    write-host "No policies were imported" -foregroundcolor "red"
}

PowerShell SQL

:msdb SDK Dan Jones PBMTalk PBMTalk PowerPoint

Policy.zip (D:\audit\code\Policy )

SQLAudit

SQLAudit PolicyLoad.sql SQLAudit

SQLAudit pol.ServerList

insert into pol.ServerList values ('campschurmann', 1)
insert into pol.ServerList values ('emmonsroute', 1)
insert into pol.ServerList values ('emmonsglacier', 0)

1 0

PowerShell

pol.ServerList PowerShell PolicyExLoad.ps1 (D:\audit\code\Policy )

(D:\audit\code\Policy\archive )

SQL Server PowerShell (PowerShell ) "sqlps"

.\PolicyExLoad.ps1 "[SQLCentral]" "[Database]" "[Date]" "[Folder]"

SQLCentral: (SQLAudit )

Database: SQLAudit

Date: ""

Folder:

CSV 2

: () msdb

syspolicy_policies

syspolicy_conditions

syspolicy_policy_categories

: ()

syspolicy_policy_execution_history

syspolicy_policy_execution_history_details

syspolicy_system_health_state

CSV

ServerName_[policytable]_yyyyMMdd_hhmmss.csv

PowerShell *.csv [pol].[uspImportPolicyData]

()

Folder\archive

SQL PolicyReports.sql (PolicyLoad.sql )

[Policy Reports - PBM] Reporting Services

Visual Studio [Policy Reports PBM] Reporting Services

TargetServerURL http://campschurmann/

48: [Policy Reports PBM] RS

SQLAudit.rds SQLAudit ( SQLAudit )

([] > [])http://[] /Reports/Pages/Folder.aspx?ItemPath=%2fSQL+Auditing+Reports&ViewMode=List

SQL Server SQL Server 2008 SQL Server 2008

SQL Server2008 http://www.microsoft.com/japan/sql

http://www.microsoft.com/japan/sqlserver/: SQL Server Web

http://technet.microsoft.com/ja-jp/sqlserver/: SQL Server TechCenter

http://msdn.microsoft.com/ja-jp/sqlserver/: SQL Server DevCenter

http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx: SQL Server Security White Paper ()

http://social.msdn.microsoft.com/forums/ja-jp/sqlsecurity/threads/: SQL Server Security

http://blogs.msdn.com/sqlsecurity/: SQL Server Security Blog ()

http://blogs.msdn.com/sqlpbm/: SQL Server Policy-Based Management Blog ()


[Figure residue: the text below this point is label text from the document's diagrams. Recoverable labels: policy collection flow (Central Server, SQLAudit, Server 1..n: Obtain Server List, Extract Policy Data, Load Policy Data, View Reports); audit architecture ("Process Audit Information: Use SSIS to process SQL Server Audit log data and store in its own SQL Server database"; SQL Servers, File Server, SSIS, SQL Audit, SSRS 2008, Security Analysis, Security Reports, Compliance Reports, Transfer Logs, Extract Logs to file share, Generate Reports); GRC cycle (Assessment, Prioritization, Action plan, Monitoring, Validation, Remediation, Policies, Training Practices); physical-security analogy (risk: loss from theft, vandalism and injury to personnel; review entrance and guard logs, tapes and news reports; controls: locked door, guard, camera, badges and policies); regulations and IT controls (SOX, PCI, HIPAA, GLBA; ID Management, Separation of Duties, Encryption, Key Management, Auditing, Control Testing, Policy Management); example roles (Backup Operator, Application Admin, Auditor, User Admin); TDE figure ("Possible algorithms include AES (128, 192, 256bit) and 3DES"; Extensible Key Management; Rotation, Key Server, Backup); SSIS package steps (Read Logs, Add Import Id, Manage/Load Dimensions, Split Facts, Load Facts, Count Rows, Store File Information); policy model (Category, Policy, Condition, Expression 1..n, Target: Table, Server, Certificate, Audit, Database); example policies (Access Policy / Limit Access: sa disabled, limit DB users, audit DB access; Encryption Policy / Encrypt Data: encryption enabled, log flag access; Key Policy / Manage Keys: keys rotated, keys copied, log key access; targets PCI DB1..DBn).]