1. A Comparative Analysis of Auditing Solutions in SQL Server or How The Hell Can I Tell Who's Messing With My Data

2. Audit A methodical examination or review of a condition or situation

3. Compliance Acting according to certain accepted standards Monitoring the extent of compliance with the standards and ethical codes at either an agency or sector level

4. Compliance

5. Auditing in SQL User actions data changes Data read Schema changes Security events Logins Server security activities

6. Audit Solutions Timeline

7. Agenda Schema changes and Security Audit Trace SQL Audit DDL Triggers (& Login Triggers) Data changes Audit DML Triggers Change Tracking Change Data Capture (CDC) Third party tools Idera SQL Compliance Manager

8. SQL Trace Versions Available: 6.x + (Profiler since 7) Editions available: All (Profiler not available in Express Edition) What does it audit? User Actions (who read, who wrote, who altered) Most of the events we can dream of: object access and management in any scope, security changes and events, logins (in addition to everything required for debugging, monitoring and performance tuning)

9. SQL Trace Pros A one-stop mechanism to get tons of security related information. No objects have to be altered or created. Captures things that can’t be captured otherwise (DBCC, create/alter trace, backup/restore) - until SQL Server 2008 Actions are ALWAYS audited (even if transaction was rolled back) Cons Data changes are not collected (can be collected with user defined events, but this requires triggers and is complex to work out) May be harder to filter and analyze for relevant events. The syntax is complicated and harder to understand what we are auditing (when not using profiler). There is no guarantee the trace will run when the server starts, we should take care of it (using a startup proc. Or agent job)

10. SQL Trace How to create See YanivEtrogi’s UG 87 session in sqlserver.co.il How does it work? Based on internal trace events

11. SQL Trace Performance overhead Minimal (when not used with Profiler) 5 events, only profiler filtered out: http://sqlblog.com/blogs/linchi_shea/archive/2007/08/01/trace-profiler-test.aspx

12. SQL Trace Interesting events to look for (Security): Audit Schema Object Access Audit Schema Object Management Audit Schema Object GDR Audit Schema Object Take Ownership Audit Login Failed

13. SQL Trace Default trace File growth, shrink Mirroring state change Errors and warnings Fulltext crawl start/stop/abort Object create/alter/drop 17 audit events Server memory change 5 20mb file-rollover files

14. SQL Trace Blackbox trace 5mb files (size and file-rollover file count can be overridden after setup) Saved to default data folder Traces: RPC Starting Batch Starting Exception Attention (timeouts) No filters, no event/column configuration

15. C2 Audit Versions Available: 2000+ Editions available: All What does it audit? Failed and successful attempts to access statements and objects.

16. C2 Audit Pros Simple trace to set up (one checkbox) Audits every action on every object within the SQL Server instance. No audit – no SQL Server. SQL Shuts down if it can’t write audit information. Cons Requires instance restart to enable/disable. Not configurable in terms of events, columns, filters or file size. It saves audit trail in 200mb files in the default data folder (any worse choice?) – can cause disk space problems

17. C2 Audit How to create or check the option in Server properties EXEC sp_configure 'c2 audit mode', 1 GO RECONFIGURE

18. C2 Audit Performance overhead Like SQL trace (with audit 40 events, 45 columns and no filters)

19. Common Criteria Compliance Versions Available: 2005 SP2 + Editions available: Enterprise only What does it do? Enables elements that are required for the Common Criteria.

20. Common Criteria Compliance

21. Common Criteria Compliance How to create or check the option Server properties Also requires to run a script that finishes configuring SQL Server to comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+) EXEC sp_configure 'common criteria compliance enabled', 1 GO RECONFIGURE

22. Common Criteria Compliance Performance overhead Not tested.

23. SQL Audit Versions Available: 2008 Editions available: Enterprise only What does it audit? Audit user actions (who read, who wrote, who altered) Unlike SQL Trace, SQL Audit is meant to provide full auditing capabilities and only auditing capabilities

24. SQL Audit How does it work? SQL Server Audit is a brand new audit mechanism. Different set of events for server scope and database scope. Based on Extended Events Tightly bound to DBMS engine - implemented by hooking the internal permissions checks Can output to File Windows Application Log Windows Security Log Can be synchronous or asynchronous (default)

25. SQL Audit Sample Event groups: Server scope: SUCCESSFUL_LOGIN_GROUP FAILED_LOGIN_GROUP LOGIN_CHANGE_PASSWORD_GROUP DBCC_GROUP Database scope: SCHEMA_OBJECT_CHANGE_GROUP DATABASE_OWNERSHIP_CHANGE_GROUP DATABASE_PERMISSION_CHANGE_GROUP

26. SQL Audit Pros A one-stop mechanism to get tons of security related information. Captures things that can’t be captured otherwise (DBCC, create/alter trace, backup/restore) Easy to set up, filter in any granularity of objects, actions and users. Performs even better than a trace Actions are ALWAYS audited (even if transaction was rolled back) Many options of output – can be combined with System Center Operations Manager (formerly known as MOM) Can be configured to shutdown the server if fails to audit. Cons Data changes are not collected Audit data saved to sqlaudit file or event log and not to a table.

27. SQL Audit How to create USE master CREATE SERVER AUDIT audit1 TO FILE (FILEPATH = 'srvdt') USE hr_db CREATE DATABASE AUDIT SPECIFICATION hr_dbspec FOR SERVER AUDIT audit1 ADD(SELECT,UPDATE,INSERT,DELETE ON hr.salary by dbo) --and enable the audit & audit specification

28. SQL Audit How to read SELECT * FROM fn_get_audit_file('E:qlAudits', default, default)

29. SQL Audit Performance overhead Lower than Profiler! http://msdn.microsoft.com/en-us/library/dd392015.aspx

30. SQL Audit Tips: It’s disabled by default – don’t forget to enable it after you set it up. Just like with DCL statements we can use database or schema scopes. For example: SELECT ON DATABASE::MyDB UPDATE ON SCHEMA::HR Can output to application/security log (look for event ID 33205)

31. DDL Triggers Versions Available: 2005+ (logon triggers in 2005 SP2+) Editions available: All What does it audit? Tracks object changes in server, database and schema levels + login events

32. DDL Triggers Pros Useful for auditing but can also be used to act on DDL statements (i.e. ROLLBACK) Can have lots of logic within it (we write all the code) Cons Transaction bound (if change is done within transaction, the audit can be rolled back as well) Requires code and object generation. The tracking table (if exists) needs to be managed.

33. DDL Triggers How to create, prerequisites Logon triggers require 2005 SP2+ Use EVENTDATA() function to get information CREATE TRIGGER [name] ON [DATABASE] / [ALL SERVER] FOR [DDL_DATABASE_LEVEL_EVENTS] AS ...

34. DDL Triggers Performance overhead Slightly higher than trace Depends on the statements inside the trigger.

35. DML Triggers Versions Available: Any Editions available: All What does it audit? Audit data changes in a table + security information.

36. DML Triggers Pros Useful for auditing but can also be used to act on DML statements (i.e. ROLLBACK) Can have lots of logic within it (we write all the code) Can combine security information and data changes Cons Transaction bound (change is done within transaction, the audit can be rolled back as well, if trigger fails, transaction is doomed) Requires code and object generation. The tracking table (if exists) needs to be managed.

37. DML Triggers How to create Use deleted and inserted table to retrieve changed data. Use built in functions like Suser_sname() to get security information. Use the UPDATE (column) function to check if a column changed or COLUMNS_UPDATED ( ) to check which columns have changed. CREATE TRIGGER [name] ON { table | view } [ WITH <dml_trigger_option> ] { FOR | AFTER | INSTEAD OF } {[ INSERT ][,][ UPDATE ][,][ DELETE ] } AS ...

38. DML Triggers Performance overhead Depends on the statements inside the trigger.

39. Change Tracking Versions Available: 2008 Editions available: All What does it audit? Audits the fact that a certain row has changed and using what action (Insert, Update or Delete): Which rows have changed in a user table? Has a row changed?

40. Change Tracking How to create, prerequisites Should be enabled in the database and then on the table Table must have a primary key or a unique index. How does it work? Synchronous – if a problem occurs in the change tracking, the transaction is rolled back. Creates internal tables that have columns to store the primary key value, action performed (insert, update, delete) ,optional columns updated bitmap, version of the change. A version in a DB level. Has a retention period that cleans the internal tables. Built-in functions to retrieve changes and versions.

41. Change Tracking Performance overhead More IO: The incremental performance overhead that is associated with using change tracking on a table is similar to the overhead incurred when an index is created for a table and needs to be maintained.

42. Change Tracking Pros No need to develop complex procedures for tracking changes Doesn’t take a lot of disk space Synchronous Auto cleanup tasks Cons Doesn’t keep historical data Doesn’t keep security information Usually used with snapshot isolation level which cause performance to drop Affects the system IO

43. Change Tracking Remarks When change tracking is enabled, there are restrictions on the DDL that can be performed on a table being tracked. The most notable restriction is that the primary key cannot be altered in any way. Switching a partition fails if one or both of the tables has change tracking enabled.

44. Change Data Capture (CDC) Versions Available: 2008 Editions available: Enterprise Only What does it Audit? Audits all the changes on all rows in a table on specific columns.

45. CDC How does it work? Asynchronous Uses log reader (like transactional replication) Creates schema and tables Performance overhead A lot of disk space More IO

46. CDC Pros Asynchronous Has the option to choose what to monitor. Keeps data history Has a cleaning mechanism Cons A lot of disk space More IO Can cause log truncation problem

47. CDC vs. Change Tracking http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog

48. Audit Tools in SQL - Summary

49. Audit Tools in SQL - Summary What about… Archive and retention of audit data Reporting Alerting Threshold definition (alert only after 10 failed logins in 5 minutes) Aggregations Audit the auditor

50. Idera Compliance Manager Examples

51. References Auditing in SQL server 2008 - http://msdn.microsoft.com/en-us/library/dd392015.aspx SQL Server 2008 Improves Auditing, Change Tracking - http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/11nov/1108ss2iac.htm Tracking Changes in Your Enterprise Database by Paul S. Randal - http://technet.microsoft.com/en-us/magazine/2008.11.sql.aspx?pr=blog SQL Server 2005 Security Overview for Database Administrators - http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx SQL Server 2005 security best practices white paper - http://www.microsoft.com/sqlserver/2005/en/us/white-papers.aspx SQL Server 2008 Compliance Guide - http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en