Source: download.microsoft.com/.../reachingcompliance_jpn.docx (Japanese edition of the SQL Server 2008 Compliance Guidance white paper)
SQL Server 2008 Compliance Guidance
SQL Server 2008 technical article
Writers: JC Cannon, Denny Lee
Contributors: Andy Roberts, Ayad Shammout
Technical reviewers: Dan Jones, Craig Gick, Jack Richins, Raul Garcia, Devendra Tiwari, Steven Gott, Al Comeau, Lara Rubbelke
Published: November 2008
Applies to: SQL Server 2008
Summary: SQL Server 2008 features that help IT organizations meet regulatory compliance requirements.
Copyright 2008 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BitLocker, Excel, Internet Explorer, PivotTable, PowerShell, SQL Server, Vista, Visual Basic, Visual Studio, Windows, Windows Server and Windows Vista are trademarks of the Microsoft group of companies.
IT Microsoft Microsoft SQL Server 2008 SQL Server 2008 SQL Server 2008 compliance software development kit (SDK)
IT IT SQL Server 2008 SDK IT SDK Readme
SQL Server 2008 Microsoft Solution Accelerator Team Windows Server
SQL Server SQL Server 2008 SDK Compliance Hands-on-Lab()
PCI-DSS SQL Server
GRC () 3 GRC GRC Forrester GRC GRC SQL Server GRC
GRC
GRC 1
1: GRC
()
IT ()SQL Server sysadmin sysadmin sysadmin
1. 2. 3. IT 4.
GRC
GRC 2
2: GRC
() GRC
SQL Server 2008 2 (sa ) SQL Server Audit
(KPI) KPI IT KPI CPU
(KRI) KRI IT KRI IT KRI
KPI KRI KPI KRI
IT
IT IT IT
3 IT IT Microsoft Microsoft IT Compliance Planning Guide()
3: SOX: Sarbanes-Oxley Act; PCI: Payment Card Industry Data Security Standard; HIPAA: Health Insurance Portability and Accountability Act; GLBA: Gramm-Leach-Bliley Act
IT
ID
7
SQL Server 2008 IT
SQL Server 2008 IT SQL Server IT IT IT IT
ID
SQL Server 2008
SQL Server 2008
SQL Server 2008 1
SQL Server SQL Server IT SQL Server
Service Pack
Windows Server 2008 Windows Server 2008 Security Guide()
SQL Server 2008
IT SQL Server SQL Server 2008 SQL Server
SQL Server 2008
SQL Server 2008 SQL Server (PBM) 4 PBM Analysis Services Reporting Services
4:
4 SQL Server 5 SQL Server
5: SQL Server
SQL Server sp_configure
ID
SQL Server 2008 6 SQL Server 2008 ID
Windows
ID
6:
Windows
ID ID
Windows SQL Server ID Active Directory ID SQL Server Active Directory (ADDS)
ID
-
Windows SQL Server Management Studio [] [] (7)
7:
Windows Windows SQL Server Windows Windows
CREATE LOGIN [SQLVM03-18158EA\Pat] FROM WINDOWS
[ - ] (8) [] []
8: [ - ]
SQL Server SQL Server sysadmin dbcreator
sp_addsrvrolemember N'SQLVM03-18158EA\Pat', N'dbcreator'
9 [] [ ]
9: SQL Server
Test1
USE Test1
CREATE USER [Pat] FOR LOGIN [SQLVM03-18158EA\Pat]
10 [ - ] [] []
10: [ - ]
SQL Server db_owner db_datareader
sp_addrolemember N'db_datareader', N'Pat'
sp_addrolemember N'db_datawriter', N'Pat'
[ - ]
() ( )
db_datareader db_datawriter DENY CCTable1
DENY DELETE ON OBJECT::CCTable1 TO [Pat]
: DBCC
( )
GRANT ALTER ANY LOGIN TO [SQLVM03-18158EA\Pat]
11 [] [] [] 11 Pat CCTable1
11: SQL Server
( )
USE Test1
-- database-level permissions are granted to the database user mapped to the login (Pat), not to the login name
GRANT CREATE TABLE TO [Pat]
12 [ ] [] []
12:
A column-level DENY keeps the user away from the sensitive column while the rest of the table stays readable:
DENY SELECT ON [CCTable1] ([CCNumber]) TO [Pat]
Note: once a column-level DENY is in place, SELECT * against the table fails for that user; queries must name the permitted columns explicitly.
13 Pat [] SELECT
13:
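The provisioning steps above (login, server role, database user, database roles, object DENY, column DENY), as one script that also verifies the outcome by impersonating the user. This is an added example, not code from the paper or its SDK; it assumes the paper's sample names (Windows account SQLVM03-18158EA\Pat, database Test1, table dbo.CCTable1 with a CCNumber column) and creates a constructed CCTable1 if none exists.

```sql
-- Added example: least-privilege provisioning for Pat, followed by verification.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'SQLVM03-18158EA\Pat')
    CREATE LOGIN [SQLVM03-18158EA\Pat] FROM WINDOWS;
GO
USE Test1;
GO
-- Constructed sample table (assumption) so the script runs stand-alone.
IF OBJECT_ID(N'dbo.CCTable1') IS NULL
    CREATE TABLE dbo.CCTable1 (
        CustomerId int PRIMARY KEY,
        CCNumber   char(16) NOT NULL,
        ExpMonth   tinyint  NOT NULL);
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'Pat')
    CREATE USER [Pat] FOR LOGIN [SQLVM03-18158EA\Pat];
EXEC sp_addrolemember N'db_datareader', N'Pat';
EXEC sp_addrolemember N'db_datawriter', N'Pat';
-- Explicit denies win over the role grants: no deletes, and no reads of the card number.
DENY DELETE ON OBJECT::dbo.CCTable1 TO [Pat];
DENY SELECT ON dbo.CCTable1 (CCNumber) TO [Pat];
GO
-- Verification 1: ask the engine what Pat can do, without logging in as Pat.
-- 1 = permitted, 0 = not permitted.
EXECUTE AS USER = 'Pat';
SELECT 'DELETE on table'  AS checked, HAS_PERMS_BY_NAME('dbo.CCTable1', 'OBJECT', 'DELETE') AS permitted
UNION ALL
SELECT 'SELECT CCNumber', HAS_PERMS_BY_NAME('dbo.CCTable1', 'OBJECT', 'SELECT', 'CCNumber', 'COLUMN')
UNION ALL
SELECT 'SELECT ExpMonth', HAS_PERMS_BY_NAME('dbo.CCTable1', 'OBJECT', 'SELECT', 'ExpMonth', 'COLUMN');
-- Verification 2: the column DENY turns SELECT * into a permission error on CCNumber,
-- while a query that names only the permitted columns still works.
BEGIN TRY
    SELECT * FROM dbo.CCTable1;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
SELECT CustomerId, ExpMonth FROM dbo.CCTable1;
REVERT;
GO
```

HAS_PERMS_BY_NAME and EXECUTE AS USER let an auditor confirm effective permissions from a sysadmin session; the same two queries make a good control test to run after every change to Pat's roles.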
(SOD: ) ID 1 SOD 2
()
SQL Server sysadmin SOD sysadmin 1. sa 2. sysadmin 3. sysadmin
sysadmin
SQL Server sysadmin
sa
sa SQL Server sa SQL Server Management Studio
sysadmin ( sysadmin )
sysadmin sa DBCC PINTABLE sysadmin sysadmin sysadmin sysadmin sysadmin sysadmin sysadmin
Note: CONTROL SERVER is the permission-based alternative to sysadmin membership, but a login holding CONTROL SERVER can still impersonate the sa login (under whatever name it now carries) and thereby act as sa. Deny IMPERSONATE on that login explicitly:
USE master
-- Yukonsa is the renamed sa login in the paper's sample instance
DENY IMPERSONATE ON LOGIN::Yukonsa TO [SQLVM03-18158EA\Pat];
sysadmin
sysadmin sysadmin
SQL Server 2008 sysadmin
SQL Server SQL Server Windows
SQL Server 2008 3 sysadmin
sa
sysadmin Windows SQL Server
Windows
Windows SQL Server sysadmin
NT AUTHORITY\SYSTEM
  The Local System account. It is used by Microsoft Update, Windows Update, System Center Configuration Manager and Windows Cluster Server.
Table 1: sysadmin login present on every Windows version
On Windows Vista and Windows Server 2008, SQL Server setup adds the service SIDs below to sysadmin:
NT SERVICE\MSSQLSERVER
  The service SID of the SQL Server service. SQL Server uses it instead of NETWORK SERVICE as the identity of the service (see the note on service SIDs below).
NT SERVICE\SQLSERVERAGENT
  The service SID of the SQL Server Agent service, again used instead of NETWORK SERVICE.
Table 2: sysadmin logins on Windows Vista and Windows Server 2008
On other Windows versions setup adds the following to sysadmin:
NT AUTHORITY\NETWORK SERVICE
  The account the SQL Server service runs as by default; other Windows services on the machine share it.
localhost\SQLServer2005MSSQLUser$localhost$MSSQLSERVER
  The local Windows group created for the SQL Server service account.
localhost\SQLServer2005SQLAgentUser$localhost$MSSQLSERVER
  The local Windows group created for the SQL Server Agent service account.
Table 3: sysadmin logins on other Windows versions
Note: localhost stands for the computer name.
Windows Vista Windows Server 2008 SID
Windows Vista Windows Server 2008 SID SQL Server 2008 SQL Server SQL Server SID SQL Server ( ) SID
BUILTIN\Administrators
SQL Server 2008 setup no longer adds BUILTIN\Administrators to the sysadmin role (SQL Server 2005, up to and including SP2, did); on Windows Vista and Windows Server 2008 in particular, setup asks for the accounts that should be sysadmin instead.
If BUILTIN\Administrators is put into sysadmin, every member of the local Windows Administrators group becomes a SQL Server sysadmin without any per-person grant. Keep Windows administration and SQL Server administration separate: give sysadmin to named accounts or to a dedicated Windows group whose membership is reviewed.
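The preceding two sections describe four routes to full administrative control: direct sysadmin membership, membership of a Windows group that is in sysadmin (BUILTIN\Administrators being the classic case), CONTROL SERVER, and IMPERSONATE on the sa login. The following query enumerates all four in one result set. It is an added example, not part of the paper or its SDK; it assumes the Windows groups are resolvable by the SQL Server service account (xp_logininfo fails otherwise, and the script reports that instead of stopping).

```sql
-- Added example: every principal that is effectively a server administrator, and why.
SET NOCOUNT ON;
DECLARE @admins TABLE (principal_name sysname, reason nvarchar(300));

-- (a) direct members of sysadmin, with the principal type
INSERT @admins
SELECT m.name, N'member of sysadmin (' + m.type_desc + N')'
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- (b) expand Windows groups that are sysadmin members into their accounts
DECLARE @grp sysname;
DECLARE @members TABLE (account_name sysname, type char(8), privilege char(9),
                        mapped_login_name sysname, permission_path sysname NULL);
DECLARE grp_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT m.name
    FROM sys.server_role_members rm
    JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin' AND m.type = 'G';      -- G = Windows group
OPEN grp_cur;
FETCH NEXT FROM grp_cur INTO @grp;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        INSERT @members EXEC master.dbo.xp_logininfo @acctname = @grp, @option = 'members';
        INSERT @admins
        SELECT account_name, N'member of Windows group ' + @grp + N', which is in sysadmin'
        FROM @members;
        DELETE @members;
    END TRY
    BEGIN CATCH
        INSERT @admins VALUES (@grp, N'sysadmin group whose membership could not be resolved: ' + ERROR_MESSAGE());
    END CATCH;
    FETCH NEXT FROM grp_cur INTO @grp;
END;
CLOSE grp_cur;
DEALLOCATE grp_cur;

-- (c) CONTROL SERVER grantees (G = grant, W = grant with grant option)
INSERT @admins
SELECT p.name, N'granted CONTROL SERVER'
FROM sys.server_permissions sp
JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'CONTROL SERVER' AND sp.state IN ('G', 'W');

-- (d) IMPERSONATE on the sa login (SID 0x01, whatever it is called now), unless a DENY
--     on the same permission cancels it
DECLARE @sa_id int = (SELECT principal_id FROM sys.server_principals WHERE sid = 0x01);
INSERT @admins
SELECT p.name, N'can IMPERSONATE ' + SUSER_NAME(0x01)
FROM sys.server_permissions sp
JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
WHERE sp.class_desc = N'SERVER_PRINCIPAL' AND sp.major_id = @sa_id
  AND sp.permission_name = N'IMPERSONATE' AND sp.state IN ('G', 'W')
  AND NOT EXISTS (SELECT 1 FROM sys.server_permissions d
                  WHERE d.grantee_principal_id = sp.grantee_principal_id
                    AND d.class_desc = N'SERVER_PRINCIPAL' AND d.major_id = sp.major_id
                    AND d.permission_name = N'IMPERSONATE' AND d.state = 'D');

SELECT principal_name, reason FROM @admins ORDER BY principal_name, reason;
```

Compare the output against the approved administrator list; the ValidateSysadmins.sql script later in the paper does the same comparison for route (a) only, so routes (b) to (d) are where unexpected administrators usually hide.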
ID
IMPERSONATE EXECUTE AS
SQL Server 2008 SQL Server
SQL Server
SQL Server 2005 Windows CAPICOM SQL Server SQL Server
SQL Server
SQL Server 2008 (TDE) TDE
14 TDE
(EKM)
14:
TDE TDE TDE
USE master
BACKUP CERTIFICATE [MyServerCert] TO FILE = 'c:\certificates\MyServerCert.crt'
WITH PRIVATE KEY (FILE = 'c:\certificates\MyServerCert.pvk',
ENCRYPTION BY PASSWORD = 'MyPass7779311#');
( )
TDE
100 100 1 100
:
PCI TDE master DATABASE_OBJECT_ACCESS_GROUP DATABASE_OBJECT_CHANGE_GROUP
()
()
()
(SQL Server 2008 )
()
()
Service Broker
()
TDE DATABASE_CHANGE_GROUP
SQL Server 2008
Windows (EFS)Windows BitLocker TDE EFS BitLocker SQL Server EFS BitLocker EFS BitLocker TDE TDE BitLocker EFS Database Encryption in SQL Server 2008 Enterprise Edition()
sysadmin dbo
sysadmin (dbo) sysadmin db_owner sysadmin sysadmin sysadmin dbo SQL Server Audit sysadmin db_owner
SQL Server 2008
SQL Server Audit SQL Server Audit Web
System Center Operations Manager SQL Server Integration Services (SSIS) SQL Server Reporting Services (SSRS) (15 )
15:
(15 ) SQL Server Integration Services
SQL Server Audit SQL Server NETWORK SERVICE SQL Server
SSIS SQL Server
SQL Server SQL Server
16
16: GRC
1) :
2) ID : ETL ID ID
3) /: ( ) ID ID
4) /: ID 3. 4.
5) /: ()
SQL Server Audit SQL Server Audit () (SELECTUPDATEEXECUTE )
( sysadmin ) sysadmin sysadmin
sysadmin
HIPAA (SQL ) (sysadmin)
()
sysadmin db_owner
SQL Server Audit sysadmin db_owner "db_owner" db_owner sysadmin sysadmin dbo db_owner
USE [Test1]
ALTER DATABASE AUDIT SPECIFICATION [AuditDBO]
ADD (SELECT ON [dbo].[CCTable1] BY [dbo])
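A complete SQL Server Audit configuration that implements the point of this section: reads and writes of the cardholder table are recorded for every database principal (dbo and sysadmin members included), server role membership changes are recorded, and the log can be read back filtered to privileged logins. This is an added example, not the paper's own code; it assumes the sample database Test1 with dbo.CCTable1 and a directory C:\logs writable by the SQL Server service account (directory and object names are assumptions). Creating an audit with ON_FAILURE = SHUTDOWN requires the SHUTDOWN permission.

```sql
-- Added example: audit privileged access to CCTable1 end to end.
USE master;
GO
-- The audit writes to files; if it cannot write, the instance shuts down (fail closed).
CREATE SERVER AUDIT [ComplianceAudit]
    TO FILE (FILEPATH = N'C:\logs\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
ALTER SERVER AUDIT [ComplianceAudit] WITH (STATE = ON);
GO
-- Server level: who joined or left a server role, principal changes, and every login attempt.
CREATE SERVER AUDIT SPECIFICATION [PrivilegeChanges]
    FOR SERVER AUDIT [ComplianceAudit]
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP)
    WITH (STATE = ON);
GO
USE Test1;
GO
-- Database level: all access to the cardholder table. "BY public" covers every user,
-- dbo included, so sysadmin activity against the table is captured as well.
CREATE DATABASE AUDIT SPECIFICATION [CardholderAccess]
    FOR SERVER AUDIT [ComplianceAudit]
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.CCTable1 BY public),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Read the log back: statements against CCTable1 by sa or by current sysadmin members.
-- IS_SRVROLEMEMBER is evaluated now, not at event time; pair this with the
-- SERVER_ROLE_MEMBER_CHANGE_GROUP events above to reconstruct historical membership.
SELECT a.event_time, a.server_principal_name, a.database_principal_name,
       a.action_id, a.succeeded, a.statement
FROM sys.fn_get_audit_file('C:\logs\ComplianceAudit*', DEFAULT, DEFAULT) AS a
WHERE a.database_name = N'Test1' AND a.object_name = N'CCTable1'
  AND (a.server_principal_sid = 0x01                               -- sa, whatever its name
       OR IS_SRVROLEMEMBER('sysadmin', a.server_principal_name) = 1)
ORDER BY a.event_time DESC;
```

Reading the audit file needs CONTROL SERVER, so the reviewer role that runs the last query is itself privileged; keep it separate from the DBA role that the audit is meant to watch, and move the files to a server the DBAs cannot write to (the SSIS-based archive described later in this paper).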
1 1 1 () 1
() 100MB
1
: ( HIPPA ) 100MB 1
SQL Server DDL DML
1
17:
2008 8 19 2008 8 21 3 18
18:
2008 8 21
17 83
19:
20 2 2008 8 21 3 4
20:
DataCollectionSPW 3 GRANT master 4 CREATE 4 CREATE MYDOMAIN\Sql () RESTORE LABELONLY
21:
: master CREATE CREATE RESTORE LABELONLY
DDL
22 DDL 2008 8 20 SQLDBADMIN 44 DROP TABLE
22: DDL
DDL
DROP TABLE DDL
23: DDL
DML
DML DML 2008 8 21 SQLDBADMIN 4 DELETE
24: DML
DML
DML "4" DELETE
25: DML
SDK ID
1 1 ( ) 26
SQL Server 2008 Web
26:
PCI PCI PCI 27 PCI
27:
2
"" "" [: ] [: ]
IT
: (UI usp )
: mastermsdb tempDB
: (24 )
:
: SQL Server
: (2 )
sysadmin : sysadmin sa
IT
1
2
28
H:\
1
50
2
3
:
40
"foo"
4:
1
IT
""
SQL Server (H:\ ) ([: ])
5 ": " CoC: ": " CoC: "" CoS SQL Server Policy-Based Management: Facets()
CoC:
CoC:
CoS
Broker
Broker
DDL
DDL
AS
RS
XML
5:
KPI KRI
(KPI) (KRI) SQL Server KPI KRI KPI KRI KPI KRI
KPI
:sysadmin
1
(TDE) ()
( 1 )
1
28:
29 SQL Server Management Studio []
29:
PowerShell Windows PowerShell
1 1
30:
30 SQLAudit ( PowerShell ) SQLAudit
31
31:
2008 6 18 ServerInstanceName "Caregroup" "Test Policy with Lots of Violations" "Evaluated Policy"
32:
32 33 [] LogOnSuccess True LogOnSuccess
33:
SDK
SQL Server
SQL Server SQL Server (SMO)Transact-SQL Windows PowerShell 3
SMO
SQL Server (SMO) Microsoft SQL Server SMO SQL Server SMO SQL (SQL-DMO) SQL-DMO SQL-DMO SMO SQL Server
Transact-SQL
Transact-SQL SQL Server SQL Server Transact-SQL
Windows PowerShell
Windows PowerShell IT Windows PowerShell 130 Windows PowerShell Windows Server 2008 Windows PowerShell Quick Reference()
PowerShell SQL Server PowerShell Web SQL Server PowerShell ()
:PowerShell PowerShell SQLPS PowerShell Running Windows PowerShell Scripts()
VBScript
Microsoft Visual Basic Scripting Edition (VBScript) Microsoft Internet Explorer Web Microsoft (IIS) Web VBScript SQL Server SQL Server Script Repository: SQL Server()
Windows Data Access Components
Windows Data Access Components Microsoft ActiveX Data Objects (ADO)OLE DB Microsoft Open Database Connectivity (ODBC) Web LAN / SQL Server
(Server Security Policy.xml)
Windows Windows SQL Server Management Studio [] [] (34 ) Server Security Policy.xml
34:
Windows [] 35 []
35:
[] (36)
36:
(SOD Policy.xml)
SOD Policy.xml sa sysadmin 1 2
:[] (37 )SQL Server Management Studio []
37: []
1 SOD Policy Validate Roles
IsNull(ExecuteSql('Numeric',
'SELECT COUNT(DISTINCT name)
FROM sys.server_role_members,
sys.server_principals
WHERE principal_id = member_principal_id
AND role_principal_id
IN (SUSER_ID (''sysadmin''),
SUSER_ID (''bulkadmin''),
SUSER_ID (''securityadmin''))
GROUP BY name
HAVING COUNT(member_principal_id)> 1 '), 0)
ExecuteSql returns the first column of the first row of the query. When no login is in more than one of the three roles the SELECT returns no rows, ExecuteSql returns NULL and IsNull turns that into 0, which the condition treats as compliant. Any login that belongs to two or more of the roles produces a row, so the value is non-zero and the target is reported as non-compliant.
sysadmin (ManageSA.sql)
sysadmin 1 sysadmin sysadmin sysadmin sysadmin
USE master
GO
-- Wrapper procedures that disable or enable the sa login without giving the caller
-- any permission on logins. They find sa by SID 0x01, so they keep working after sa
-- has been renamed, and they refuse to run from any database other than master.
CREATE PROCEDURE sp_DisableSA AS
IF (DB_ID() = 1)
BEGIN
    DECLARE @cmd nvarchar(max)
    -- SID 0x01 is always the sa login, whatever its current name
    SET @cmd = N'ALTER LOGIN ' + QUOTENAME(SUSER_NAME(0x01)) +
               N' DISABLE'
    EXEC ( @cmd )
END
ELSE
BEGIN
    RAISERROR ('sp_DisableSA is only valid when hosted in master DB', -- message
               16, -- severity
               1   -- state
              );
END
GO
CREATE PROCEDURE sp_EnableSA AS
IF (DB_ID() = 1)
BEGIN
    DECLARE @cmd nvarchar(max)
    -- SID 0x01 is always the sa login, whatever its current name
    SET @cmd = N'ALTER LOGIN ' + QUOTENAME(SUSER_NAME(0x01)) +
               N' ENABLE'
    EXEC ( @cmd )
END
ELSE
BEGIN
    RAISERROR ('sp_EnableSA is only valid when hosted in master DB', -- message
               16, -- severity
               1   -- state
              );
END
GO
-- Certificate used only to sign the procedure; it never leaves this instance
CREATE CERTIFICATE SACert WITH SUBJECT = 'For signing stored procedures'
GO
-- The operator who may disable sa needs a user in master to receive the EXECUTE grant
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'SQLVM03-18158EA\Pat')
    CREATE USER [SQLVM03-18158EA\Pat] FOR LOGIN [SQLVM03-18158EA\Pat];
GRANT EXECUTE ON sp_DisableSA TO [SQLVM03-18158EA\Pat];
-- Sign the procedure: while it executes, the permissions of the certificate's login are
-- added to the caller's token
ADD SIGNATURE TO sp_DisableSA BY CERTIFICATE SACert;
-- Certificate-mapped login that carries the elevated permission (it cannot be used to connect)
CREATE LOGIN [CertLogin] FROM CERTIFICATE SACert;
-- Altering the sa login needs sysadmin-level rights, so they are given to the certificate
-- login and not to Pat: Pat reaches them only through the signed procedure
EXEC sp_addsrvrolemember [CertLogin], N'sysadmin';
-- Drop the private key so that no further procedures can be signed with this certificate
ALTER CERTIFICATE [SACert] REMOVE PRIVATE KEY;
-- Record every change to server principals, which includes enabling or disabling sa.
-- Assumes a server audit specification named [Audit Login Changes] already exists; it
-- has to be stopped before it can be altered.
ALTER SERVER AUDIT SPECIFICATION [Audit Login Changes]
WITH (STATE = OFF)
GO
ALTER SERVER AUDIT SPECIFICATION [Audit Login Changes]
ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
GO
ALTER SERVER AUDIT SPECIFICATION [Audit Login Changes]
WITH (STATE = ON)
GO
sa (ValidateSA.sql)
Validate Roles sa
-- Compliant when the sa login (principal_id 1) is both disabled and renamed
IF (SELECT COUNT(*)
    FROM sys.server_principals
    WHERE principal_id = 1
      AND is_disabled = 1
      AND name != 'sa') = 1
  PRINT 'Compliant'
ELSE
  PRINT 'Non-compliant'
sysadmin (ValidateSysadmins.sql)
SOD Policy.xml Validate Roles sysadmin
DECLARE @Admin1 sysname
DECLARE @Admin2 sysname
DECLARE @Admin3 sysname
DECLARE @Admin4 sysname
SET @Admin1 = @@SERVERNAME + '\Pat'
SET @Admin2 = 'NT AUTHORITY\SYSTEM'
SET @Admin3 = 'NT AUTHORITY\NETWORK SERVICE'
SET @Admin4 = 'sa'
IF EXISTS (SELECT name
FROM sys.server_role_members A,
sys.server_principals B
WHERE A.member_principal_id = B.principal_id
AND role_principal_id = SUSER_ID('sysadmin')
AND name NOT IN (@Admin1, @Admin2,
@Admin3, @Admin4))
PRINT 'Non-compliant'
ELSE
PRINT 'Compliant'
(SOD Policy.xml)
1 1
SQL Server Windows SQL Server SQL Server
(ValidateServerRoles.sql)
[] (38 )
38: []
SOD Policy.xml 0
SELECT COUNT(*) AS Count
FROM sys.server_role_members, sys.server_principals
WHERE principal_id = member_principal_id
AND role_principal_id
IN (SUSER_ID('sysadmin'), SUSER_ID ('bulkadmin'),
SUSER_ID ('securityadmin'))
GROUP BY member_principal_id
HAVING COUNT(member_principal_id)> 1
(ValidateServerRoles.sql)
3
SELECT A.Name, B.NAME Role
FROM sys.server_principals A,
sys.server_principals B,
sys.server_role_members C
WHERE A.name IN (SELECT Name
FROM sys.server_role_members,
sys.server_principals
WHERE principal_id = member_principal_id
AND role_principal_id
IN (SUSER_ID('sysadmin'),
SUSER_ID ('bulkadmin'),
SUSER_ID ('securityadmin'))
GROUP BY member_principal_id, name
HAVING COUNT(member_principal_id)> 1
)
AND A.principal_id = C.member_principal_id
AND B.principal_id = C.role_principal_id
ORDER BY Name
(ValidateDatabaseRoles.sql)
[ ] (39 )
39:
NULL 3
SELECT COUNT(member_principal_id) Count, Name
FROM sys.database_role_members,
sys.database_principals
WHERE principal_id = member_principal_id
AND role_principal_id
IN (DATABASE_PRINCIPAL_ID('db_securityadmin'),
DATABASE_PRINCIPAL_ID('db_backupoperator'),
DATABASE_PRINCIPAL_ID('db_datawriter'))
GROUP BY member_principal_id, Name
HAVING COUNT(member_principal_id)> 1
ORDER BY Name
3
SELECT A.Name, B.Name Role
FROM sys.database_principals A,
sys.database_principals B,
sys.database_role_members C
WHERE A.name IN
(SELECT Name
FROM sys.database_role_members,
sys.database_principals
WHERE principal_id = member_principal_id
AND role_principal_id
IN (DATABASE_PRINCIPAL_ID('db_securityadmin'),
DATABASE_PRINCIPAL_ID('db_backupoperator'),
DATABASE_PRINCIPAL_ID('db_datawriter'))
GROUP BY member_principal_id, name
HAVING COUNT(member_principal_id)> 1
)
AND A.principal_id = C.member_principal_id
AND B.principal_id = C.role_principal_id
ORDER BY Name
SQL Server
(AuditCryptoActions.sql)
SQL Server Audit DATABASE_OBJECT_ACCESS_GROUP DATABASE_OBJECT_CHANGE_GROUP DATABASE_CHANGE_GROUP
(ViewKeys.sql)
master (TDE)
USE master;
CREATE MASTER KEY ENCRYPTION
BY PASSWORD = 'UseStrongPassword1!';
GO
CREATE CERTIFICATE MyServerCert
WITH SUBJECT = 'My DEK Certificate for Sensitive Data'
master certificates
USE master
SELECT name, certificate_id, start_date, thumbprint, pvt_key_last_backup_date
FROM sys.certificates
Table 6 shows the result. start_date is when the certificate became valid; thumbprint is the value that sys.dm_database_encryption_keys reports as encryptor_thumbprint for the databases protected by the certificate; a NULL pvt_key_last_backup_date means the private key has never been backed up (thumbprints are truncated as in the original).

name            start_date               thumbprint          pvt_key_last_backup_date
NewServerCert   2008-07-20 19:43:04.000  0xBF372D91C333B1E   NULL
DEKCert_258     2008-07-23 04:21:40.000  0x99CF8887C56CEC9   2008-07-23 04:50:36.553
DEKCert_260     2008-07-23 04:51:55.000  0x8BFD5885501314B   2008-07-23 04:51:56.490
DEKCert_261     2008-07-25 05:11:26.000  0xC1B737DAFDCFAC    2008-07-25 05:11:28.800

Table 6: certificates in master
TDE TDE
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE DEKCert_258
GO
SELECT database_id, create_date, regenerate_date,
encryptor_thumbprint
FROM sys.dm_database_encryption_keys
Table 7 shows the result. database_id is the ID from sys.databases; ID 2 is tempdb, which is encrypted automatically as soon as any user database on the instance uses TDE. regenerate_date is the last time the key was regenerated, and encryptor_thumbprint identifies the certificate (compare Table 6) that currently protects the key.

database_id  create_date              regenerate_date          encryptor_thumbprint
2            2008-08-20 17:46:28.110  2008-08-20 17:46:28.110  0
7            2008-07-01 20:27:03.983  2008-08-07 16:14:36.013  0xC1B737DAFDCFAC9C
8            2008-07-01 20:27:04.137  2008-08-07 16:14:36.103  0xC1B737DAFDCFAC9C
9            2008-07-01 20:27:32.667  2008-08-07 16:14:36.213  0xC1B737DAFDCFAC9C

Table 7: sys.dm_database_encryption_keys
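The ViewKeys.sql fragments above show the pieces of a TDE setup and the two catalog views used to inspect it. The following added example (not from the paper or its SDK) puts the pieces together for the sample database Test1 and then runs the two checks a reviewer asks for: that the database reached the encrypted state (and that tempdb came along, as Table 7 shows), and that every certificate protecting a database encryption key has a private-key backup. Certificate name, file path and passwords are placeholders.

```sql
-- Added example: enable TDE on Test1 and verify key state and certificate backup.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'UseStrongPassword1!';   -- placeholder
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = N'DEKCert_Test1')
    CREATE CERTIFICATE DEKCert_Test1 WITH SUBJECT = 'DEK certificate for Test1';
GO
-- Back up the certificate and private key before any DEK depends on it: without this
-- pair, a backup of Test1 cannot be restored on another instance. Fails if the files exist.
BACKUP CERTIFICATE DEKCert_Test1 TO FILE = 'C:\certificates\DEKCert_Test1.crt'
    WITH PRIVATE KEY (FILE = 'C:\certificates\DEKCert_Test1.pvk',
                      ENCRYPTION BY PASSWORD = 'MyPass7779311#');        -- placeholder
GO
USE Test1;
GO
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE DEKCert_Test1;
GO
ALTER DATABASE Test1 SET ENCRYPTION ON;
GO
-- Check 1: encryption progress per database. encryption_state 2 = in progress,
-- 3 = encrypted. tempdb (database_id 2) shows up here once any user database is encrypted.
-- sys.certificates is per database, so the join has to name master explicitly.
SELECT DB_NAME(k.database_id) AS database_name, k.encryption_state, k.percent_complete,
       k.key_algorithm, k.key_length, c.name AS encryptor_certificate
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint
ORDER BY k.database_id;
-- Check 2: certificates that protect a DEK but have never had their private key backed up.
-- Every row returned is a finding.
SELECT c.name, c.start_date, c.pvt_key_last_backup_date
FROM master.sys.certificates AS c
WHERE c.thumbprint IN (SELECT encryptor_thumbprint FROM sys.dm_database_encryption_keys)
  AND c.pvt_key_last_backup_date IS NULL;
```

Check 2 is the same condition the BackupCerts.sql script below acts on; running it as a read-only policy check lets the finding be reported before anything is written to the certificate directory.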
(RotateCerts.sql)
Run in master. For every certificate that currently protects a database encryption key and is more than a calendar month old (DATEDIFF in months), the script creates a replacement certificate named after the old certificate's ID and re-encrypts the DEK of every database that used the old certificate. Certificate state comes from sys.certificates and sys.dm_database_encryption_keys.
Script:
DECLARE @Thumbprint varbinary(32)
DECLARE @CertID int
DECLARE @CertName sysname
DECLARE @DB_ID int
DECLARE @cmd nvarchar(max)
-- Certificates due for rotation: older than one month and protecting at least one DEK.
-- INSENSITIVE snapshots the list, so the certificates created below are not revisited.
DECLARE Certificate_Cursor INSENSITIVE CURSOR FOR
  SELECT [thumbprint], [certificate_id]
  FROM sys.certificates
  WHERE (DATEDIFF(MONTH, [start_date], GETDATE()) > 0 )
    AND [thumbprint]
    IN (SELECT DISTINCT encryptor_thumbprint
        FROM sys.dm_database_encryption_keys)
OPEN Certificate_Cursor;
FETCH NEXT FROM Certificate_Cursor INTO @Thumbprint, @CertID;
WHILE @@FETCH_STATUS = 0
BEGIN
  -- New certificate, named after the certificate it replaces (for example DEKCert_258)
  SET @CertName = 'DEKCert' + '_' + LTRIM(STR(@CertID));
  SET @cmd = N'CREATE CERTIFICATE ' + QUOTENAME(@CertName) +
             N' WITH SUBJECT = ''DEK Certificate'''
  EXEC( @cmd )
  -- Every database whose DEK is protected by the old certificate
  DECLARE Database_Cursor CURSOR FOR
    SELECT [database_id]
    FROM sys.dm_database_encryption_keys
    WHERE [encryptor_thumbprint] = @Thumbprint
  OPEN Database_Cursor;
  FETCH NEXT FROM Database_Cursor INTO @DB_ID;
  WHILE @@FETCH_STATUS = 0
  BEGIN
    -- Only the DEK is re-encrypted; the data pages are not touched, so this is fast
    SET @cmd = N'USE ' + QUOTENAME(DB_NAME(@DB_ID)) + ';' +
               N'ALTER DATABASE ENCRYPTION KEY ' +
               N'ENCRYPTION BY SERVER CERTIFICATE ' +
               QUOTENAME(@CertName)
    EXEC (@cmd);
    FETCH NEXT FROM Database_Cursor INTO @DB_ID;
  END
  CLOSE Database_Cursor;
  DEALLOCATE Database_Cursor;
  FETCH NEXT FROM Certificate_Cursor INTO @Thumbprint, @CertID;
END
CLOSE Certificate_Cursor;
DEALLOCATE Certificate_Cursor;
Note: the replacement certificates have no private-key backup yet, so run BackupCerts.sql (next) straight after rotation. Keep the old certificates: a database backup taken while the DEK was protected by the old certificate can only be restored with that certificate.
(BackupCerts.sql)
(pvt_key_last_backup_date NULL ) C:\certificates "crt" "pvt"
:
DECLARE @CertName sysname
DECLARE @cmd nvarchar(max)
DECLARE Cert_Cursor CURSOR FOR
SELECT [name]
FROM sys.certificates
WHERE [pvt_key_last_backup_date] IS NULL AND [thumbprint] IN
(SELECT DISTINCT [encryptor_thumbprint]
FROM sys.dm_database_encryption_keys)
OPEN Cert_Cursor;
FETCH NEXT FROM Cert_Cursor INTO @CertName;
WHILE @@FETCH_STATUS = 0
BEGIN
SET @cmd =
N'BACKUP CERTIFICATE ' + QUOTENAME(@CertName) +
N' TO FILE = ''c:\certificates\' + @CertName +
N'.crt'' WITH PRIVATE KEY ( FILE = ''c:\certificates\' +
@CertName +
N'.pvk'', ENCRYPTION BY PASSWORD = ''MyPass7779311#'');'
EXEC ( @cmd )
FETCH NEXT FROM Cert_Cursor INTO @CertName;
END
CLOSE Cert_Cursor;
DEALLOCATE Cert_Cursor;
(CertRotationPolicy.xml)
CertRotationPolicy.xml evaluates the certificate-rotation condition implemented by RotateCerts.sql as a Policy-Based Management policy.
SQL Server Audit
SQL Server Audit (StoreAuditLogs.sql)
40 SQL Server Integration Services (SSIS) Microsoft Excel
40:
SQL Server Audit 2
SQL Server Audit action object
2
USE [Test1]
GO
DECLARE @data_path nvarchar(256),
        @offset bigint                 -- audit_file_offset is bigint
SET @data_path = NULL
SET @offset = NULL
IF NOT EXISTS (SELECT * FROM sys.objects
               WHERE object_id = OBJECT_ID(N'[dbo].[AuditLog]')
                 AND type in (N'U'))
CREATE TABLE [dbo].[AuditLog](
[event_time] [datetime2](7) NULL,
[sequence_number] [int] NULL,
[action_id] [varchar](4) NULL,
[action_name] [nvarchar](128) NULL,
[succeeded] [bit] NULL,
[permission_bitmask] [bigint] NULL,
[is_column_permission] [bit] NULL,
[session_id] [smallint] NULL,
[server_principal_id] [int] NULL,
[database_principal_id] [int] NULL,
[target_server_principal_id] [int] NULL,
[target_database_principal_id] [int] NULL,
[object_id] [int] NULL,
[class_type] [varchar](2) NULL,
[class_type_desc] [nvarchar](35) NULL,
[session_server_principal_name] [nvarchar](128) NULL,
[server_principal_name] [nvarchar](128) NULL,
[server_principal_sid] [binary](85) NULL,
[database_principal_name] [nvarchar](128) NULL,
[target_server_principal_name] [nvarchar](128) NULL,
[target_server_principal_sid] [binary](85) NULL,
[target_database_principal_name] [nvarchar](128) NULL,
[server_instance_name] [nvarchar](128) NULL,
[database_name] [nvarchar](128) NULL,
[schema_name] [nvarchar](128) NULL,
[object_name] [nvarchar](128) NULL,
[statement] [nvarchar](2000) NULL,
[additional_information] [nvarchar](2000) NULL,
[file_name] [nvarchar](260) NULL,
[audit_file_offset] [bigint] NULL
) ON [PRIMARY]
-- Resume point: file and offset of the newest record already stored. Both stay NULL on
-- the first run, so every file under C:\logs is read from the beginning.
SELECT TOP (1) @data_path = file_name, @offset = audit_file_offset
FROM [dbo].[AuditLog]
ORDER BY event_time DESC, audit_file_offset DESC
INSERT INTO [Test1].[dbo].[AuditLog]
([action_name]
,[class_type_desc]
,[event_time]
,[sequence_number]
,[action_id]
,[succeeded]
,[permission_bitmask]
,[is_column_permission]
,[session_id]
,[server_principal_id]
,[database_principal_id]
,[target_server_principal_id]
,[target_database_principal_id]
,[object_id]
,[class_type]
,[session_server_principal_name]
,[server_principal_name]
,[server_principal_sid]
,[database_principal_name]
,[target_server_principal_name]
,[target_server_principal_sid]
,[target_database_principal_name]
,[server_instance_name]
,[database_name]
,[schema_name]
,[object_name]
,[statement]
,[additional_information]
,[file_name]
,[audit_file_offset])
SELECT A.name, B.class_type_desc, C.*
FROM sys.fn_get_audit_file('C:\logs\*', @data_path, @offset) C
-- sys.dm_audit_actions has one row per (action_id, class_desc) pair, so join a
-- de-duplicated projection; a plain join on action_id multiplies the audit rows
JOIN (SELECT DISTINCT action_id, name FROM sys.dm_audit_actions) A
  ON A.action_id = C.action_id
JOIN sys.dm_audit_class_type_map B
  ON B.class_type = C.class_type
-- fn_get_audit_file returns the record at the resume offset too, and that record was
-- stored by the previous run; skip it
WHERE @data_path IS NULL
   OR NOT (C.file_name = @data_path AND C.audit_file_offset = @offset)
SSIS (LoadLogsPackage.dtsx)
40 SQL Server Integration Services (SSIS) 41 SQL Server Audit SSIS ()2
41: 2 SSIS
42 SQL Server Audit
42: 1
SSIS 43 SQL Server Agent CreateAuditJob.sql C:\ LoadLogsPackage.dtsx 5
43: SQL Server Agent SSIS
Excel SQL Server Audit (AuditReport.xlsx)
Excel SQL Server Audit Excel 44 SQL Server Audit [] Excel
44: Excel SQL Server Audit
Excel [] PivotTable 45 PivotTable PivotTable PivotTable PivotTable
45: SQL Server Audit PivotTable
IP
server_principal_name ID Windows SQL Server server_principal_name ID session_id ID ID ( ID "LGIS" ) additional_information IP server_principal_name IP
SELECT event_time, statement,
       CAST(additional_information AS XML).value('declare namespace z="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data";
       (//z:address)[1]', 'nvarchar(300)') AS client_address
FROM sys.fn_get_audit_file('C:\logs\*', NULL, NULL)
WHERE action_id = 'LGIS'
ORDER BY event_time DESC
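The two building blocks above (audit rows loaded into dbo.AuditLog, and the client address pulled out of additional_information) are enough for the detections a reviewer usually wants first. The following added example (not from the paper or its SDK) shows two of them over a constructed sample that has the same column shape as dbo.AuditLog: a successful login preceded by a burst of failures from the same address, and DDL outside the change window or by an unapproved account. On a real system point the queries at dbo.AuditLog; the approved-account list and the 08:00 to 18:00 window are assumptions.

```sql
-- Added example: detection logic over loaded SQL Server Audit rows.
SET NOCOUNT ON;
DECLARE @log TABLE (
    event_time datetime2(7), action_id varchar(4), succeeded bit,
    server_principal_name nvarchar(128), database_name nvarchar(128),
    statement nvarchar(2000), additional_information nvarchar(2000));

-- Constructed sample rows (not real audit output). LGIF = login failed, LGIS = login
-- succeeded, DR = DROP. The address element uses the namespace the audit XML uses.
DECLARE @ns nvarchar(200) = N'http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data';
INSERT @log VALUES
 ('2008-08-21 02:10:05', 'LGIF', 0, N'sa',           NULL,     NULL, N'<action_info xmlns="' + @ns + N'"><address>10.0.0.77</address></action_info>'),
 ('2008-08-21 02:10:09', 'LGIF', 0, N'sa',           NULL,     NULL, N'<action_info xmlns="' + @ns + N'"><address>10.0.0.77</address></action_info>'),
 ('2008-08-21 02:10:14', 'LGIF', 0, N'sa',           NULL,     NULL, N'<action_info xmlns="' + @ns + N'"><address>10.0.0.77</address></action_info>'),
 ('2008-08-21 02:11:30', 'LGIS', 1, N'sa',           NULL,     NULL, N'<action_info xmlns="' + @ns + N'"><address>10.0.0.77</address></action_info>'),
 ('2008-08-21 09:00:00', 'LGIS', 1, N'MYDOMAIN\Pat', NULL,     NULL, N'<action_info xmlns="' + @ns + N'"><address>10.0.0.12</address></action_info>'),
 ('2008-08-21 09:15:00', 'DR',   1, N'MYDOMAIN\Pat', N'Test1', N'DROP TABLE dbo.Staging1', NULL),
 ('2008-08-21 22:30:00', 'DR',   1, N'SQLDBADMIN',   N'Test1', N'DROP TABLE dbo.CCTable1', NULL);

-- Login events with the client address extracted, as in the query above
;WITH logins AS (
    SELECT event_time, action_id, server_principal_name,
           CAST(additional_information AS xml).value(
             'declare namespace z="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data";
              (//z:address)[1]', 'nvarchar(64)') AS client_address
    FROM @log
    WHERE action_id IN ('LGIF', 'LGIS'))
-- Detection 1: a successful login within 10 minutes of 3 or more failures from the same
-- address (guessed password, or a brute force that eventually worked)
SELECT s.event_time AS success_time, s.server_principal_name, s.client_address,
       COUNT(f.event_time) AS failures_in_prior_10_min
FROM logins AS s
JOIN logins AS f
  ON f.client_address = s.client_address
 AND f.action_id = 'LGIF'
 AND f.event_time BETWEEN DATEADD(MINUTE, -10, s.event_time) AND s.event_time
WHERE s.action_id = 'LGIS'
GROUP BY s.event_time, s.server_principal_name, s.client_address
HAVING COUNT(f.event_time) >= 3;

-- Detection 2: DDL outside the change window or by a login that is not on the
-- approved change-account list (both are assumptions for the example)
SELECT event_time, server_principal_name, database_name, statement
FROM @log
WHERE action_id IN ('DR', 'CR', 'AL')                 -- DROP, CREATE, ALTER
  AND (DATEPART(HOUR, event_time) NOT BETWEEN 8 AND 17
       OR server_principal_name NOT IN (N'MYDOMAIN\Pat'));
```

With the sample data the first detection returns the 02:11:30 sa login (3 prior failures from 10.0.0.77) and the second returns the 22:30 DROP TABLE by SQLDBADMIN; Pat's daytime DROP of a staging table is not flagged. Both queries run unchanged against dbo.AuditLog once the table name is substituted.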
Caregroup Healthcare (Ayad Shammout)Microsoft Consulting Services (Andy Roberts) SQL Customer Advisory Team (Denny Lee) Audit Project Technical Spotlight()
46:
SQLAudit.zip
SQLAuditRepositoryDatabase.sql SQLAudit SQL
LoadLogsPackage.dtsx SSIS
SQLAuditReports SQL Server Reporting Services (SSRS)
SQLAudit
1. SQL Server Management Studio SQLAuditRepositoryDatabase.sql SQLCMD ([] SQLCMD )SQLCMD :setvar
2.
DataDirectory
SQL DB (H:\sqldata\ )
"\"
LogDirectory
SQL DB (H:\sqllog\ )
"\"
DatabaseName
(SQLAudit )
3.
LoadLogsPackageSSIS
SSIS
1. [SQLAuditLoader.SSISDeploymentManifest] C:\program files\Microsoft SQL Server\100\DTS\Binn\dtsinstall.exe http://msdn.microsoft.com/ja-jp/library/ms365321(SQL.100).aspx
2. [] [ ] [] (C:\Program Files\Microsoft SQL Server\100\DTS\Packages\SQLAuditLoader ) [] []
3.
SSIS log provider for SQL Server
SqlAuditLogRepository
SqlAuditLogRepository
SQLAudit (SQLAudit )
Data Source=.;Initial Catalog=$DBName$;Provider=SQLNCLI10.1;Integrated Security=SSPI;Auto Translate=False;Application Name=SSIS-Package-{21C9032A-E45A-41F2-BA67-9EF35FCD18C3}SqlAuditLogRepository;
User:auditLogArchivePath
D:\audit\logs\archive
User:LogFilePath
D:\Audit\logs
LoadLogsPackageConfig.dtsConfig SSIS
:
4. [] []
SSIS
D:\audit\logs () D:\audit\logs\archive
1. SQLAuditLoader (C:\Program Files\Microsoft SQL Server\100\DTS\Packages\SQLAuditLoader )
2.
dtexec /ConfigFile LoadLogsPackageConfig.dtsConfig /File LoadLogsPackage.dtsx
Note: a SQL Server 2008 package must be run with the SQL Server 2008 DTExec (version 10.00.xxxx), not the SQL Server 2005 one (9.00.xxxx), which may be first on the path if both are installed. The 2008 copy is C:\Program Files\Microsoft SQL Server\100\DTS\Binn\dtexec.exe.
SSIS (15 )
SSIS SQLAudit aud.AuditLog_[EventType] ( )
SQL Server Management Studio SQLAudit
exec aud.rspAggServerActions @EventDate = '08/22/2008'
exec aud.rspAggDatabaseActions @EventDate = '08/22/2008'
exec aud.rspAggDMLActions @EventDate = '08/22/2008'
exec aud.rspAggDDLActions @EventDate = '08/22/2008'
aud.rptAgg[AuditEvent]Actions
SQL Server
-- @LastDay is yesterday's date in mm/dd/yy form (CONVERT style 1); the aggregation
-- procedures summarize that one day, so the job is meant to run shortly after midnight
Declare @LastDay char(11)
select @LastDay = Convert(char(11), getdate()-1 , 1)
Select @LastDay
Exec aud.rspAggServerActions @LastDay
Exec aud.rspAggDatabaseActions @LastDay
Exec aud.rspAggDDLActions @LastDay
Exec aud.rspAggDMLActions @LastDay
The aud.AuditLog_% tables in the SQLAudit repository are partitioned by month (12 partitions, defined by monthly_partition_function). The following query lists each partition of those tables with its row count and range boundary:
select p.partition_id, OBJECT_NAME(p.object_id) as table_name, p.object_id, p.index_id,
       p.partition_number, p.rows as [RowCount], x.value as range_boundary
from sys.partitions p
left outer join (
    select boundary_id, value
    from sys.partition_range_values
    where function_id = (
        select function_id
        from sys.partition_functions
        where [name] = 'monthly_partition_function'
    )
) x
on x.boundary_id = p.partition_number - 1
where OBJECT_NAME(p.object_id) like 'AuditLog%' and p.index_id = 1
order by OBJECT_NAME(p.object_id), p.partition_number
SQLAuditReports Reporting Services
1. SQLAuditReports Reporting Services Microsoft Visual Studio
2. TargetServerURL http://campschurmann/
47: SQL AuditingReports
3. SQLAudit.rds SQLAudit ( SQLAudit )
4. ([] > [])http://[] /Reports/Pages/Folder.aspx?ItemPath=%2fSQL+Auditing+Reports&ViewMode=List
SSIS ( 1 1 )
SQLAudit$%Server$InstanceName%_%GUID%.sqlaudit
[aud].[fn_GetServerInstanceName] %Server$InstanceName% SQLAudit$Server$InstanceName
PowerShell
SQL Server Management Studio PowerShell Sethu
http://blogs.msdn.com/sethus/archive/2008/06/16/sql-2008-powershell-script-for-creating-a-policy-and-saving-to-file.aspx ()
Microsoft.SqlServer.Management.Dmf SQL Server
http://msdn.microsoft.com/ja-jp/library/microsoft.sqlserver.management.dmf.aspx
PowerShell (DeployPBMPolicies.ps1)
PowerShell
# Export every policy on the source instance to XML, then import those XML files into each
# instance listed in C:\Servers.txt. Run from sqlps (or after loading the Microsoft.SqlServer.Dmf
# and Microsoft.SqlServer.Management.Sdk.Sfc assemblies): Encode-SqlName is an sqlps cmdlet.
$policydir = "C:\Policies\"
if (-not (Test-Path $policydir)) { New-Item -ItemType Directory -Path $policydir | Out-Null }
Remove-Item (Join-Path $policydir "*")
# Source instance. The value in the original script was lost in extraction; "." is the local default instance.
$sourceserver = "."
$conn = New-Object Microsoft.SqlServer.Management.Sdk.Sfc.SqlStoreConnection("server=$sourceserver;Trusted_Connection=true")
$polstore = New-Object Microsoft.SqlServer.Management.DMF.PolicyStore($conn)
$policycount = 0
$sourcepolicycount = $polstore.Policies.Count
foreach ($policy in $polstore.Policies)
{
    $policycount++
    $StringWriter = New-Object System.IO.StringWriter
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter
    # Policy.Serialize writes the policy together with its conditions as one XML document
    $policy.Serialize($XmlWriter)
    $XmlWriter.Flush()
    $StringWriter.Flush()
    $outputfile = $policydir + ("{0}.xml" -f (Encode-SqlName $policy.Name))
    $StringWriter.ToString() | Out-File $outputfile
}
if ($policycount -gt 0)
{
    Write-Host "$policycount of $sourcepolicycount policies have been exported to $policydir" -ForegroundColor Green
}
else
{
    Write-Host "No policies were exported" -ForegroundColor Red
}
# Import into the target instances, one server name per line in Servers.txt
$policylocation = "C:\Policies"
$serversfile = "C:\Servers.txt"
$servercount = 0
$servers = Get-Content $serversfile
foreach ($server in $servers) {
    $servercount++
    $conn = New-Object Microsoft.SqlServer.Management.Sdk.Sfc.SqlStoreConnection("server='$server';Trusted_Connection=true")
    $polstore = New-Object Microsoft.SqlServer.Management.DMF.PolicyStore($conn)
    foreach ($fileobject in Get-ChildItem $policylocation -Filter *.xml) {
        $reader = [System.Xml.XmlReader]::Create((Convert-Path $fileobject.FullName))
        # ImportPolicy(reader, enabledState, overwriteExistingPolicy, overwriteExistingCondition);
        # the enabled-state argument is passed as 0, as in the original script
        $output = $polstore.ImportPolicy($reader, 0, $true, $true)
        $reader.Close()
    }
}
if ($servercount -gt 0)
{
    Write-Host "Policies have been imported to $servercount servers." -ForegroundColor Green
}
else
{
    Write-Host "No policies were imported" -ForegroundColor Red
}
PowerShell SQL
:msdb SDK Dan Jones PBMTalk PBMTalk PowerPoint
Policy.zip (D:\audit\code\Policy )
SQLAudit
SQLAudit PolicyLoad.sql SQLAudit
SQLAudit pol.ServerList
insert into pol.ServerList values ('campschurmann', 1)
insert into pol.ServerList values ('emmonsroute', 1)
insert into pol.ServerList values ('emmonsglacier', 0)
1 0
PowerShell
pol.ServerList PowerShell PolicyExLoad.ps1 (D:\audit\code\Policy )
(D:\audit\code\Policy\archive )
SQL Server PowerShell (PowerShell ) "sqlps"
.\PolicyExLoad.ps1 "[SQLCentral]" "[Database]" "[Date]" "[Folder]"
SQLCentral: (SQLAudit )
Database: SQLAudit
Date: ""
Folder:
CSV 2
: () msdb
syspolicy_policies
syspolicy_conditions
syspolicy_policy_categories
: ()
syspolicy_policy_execution_history
syspolicy_policy_execution_history_details
syspolicy_system_health_state
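The six msdb tables listed above are what the PowerShell extraction copies to CSV. The query below is the added example (not from the paper or its SDK) of what a policy-violation report built on them looks like; it runs directly against msdb on a managed instance and joins the execution history to its per-target details so each failed target is shown with the policy, its condition and its category. The 24-hour window is an assumption.

```sql
-- Added example: policy violations and a per-policy KRI from the PBM history tables.
USE msdb;
GO
DECLARE @since datetime = DATEADD(DAY, -1, GETDATE());   -- report window (assumption)

-- Every failed target in the window, with the policy, condition and category
SELECT  h.start_date               AS evaluated_at,
        p.name                     AS policy_name,
        c.name                     AS condition_name,
        cat.name                   AS category_name,
        d.target_query_expression  AS failed_target,
        d.exception_message        AS evaluation_error   -- non-NULL when the check itself failed
FROM dbo.syspolicy_policy_execution_history AS h
JOIN dbo.syspolicy_policies AS p
  ON p.policy_id = h.policy_id
JOIN dbo.syspolicy_conditions AS c
  ON c.condition_id = p.condition_id
LEFT JOIN dbo.syspolicy_policy_categories AS cat        -- a policy may have no category
  ON cat.policy_category_id = p.policy_category_id
JOIN dbo.syspolicy_policy_execution_history_details AS d
  ON d.history_id = h.history_id
WHERE h.start_date >= @since
  AND d.result = 0                                       -- 0 = target failed the policy
ORDER BY h.start_date DESC, p.name, d.target_query_expression;

-- KRI: distinct failing targets per policy in the window, plus the result of the
-- most recent evaluation so a policy that has since been fixed is visible as such
SELECT  p.name AS policy_name,
        COUNT(DISTINCT d.target_query_expression) AS failing_targets,
        MAX(h.start_date) AS last_evaluated,
        (SELECT TOP (1) h2.result
         FROM dbo.syspolicy_policy_execution_history AS h2
         WHERE h2.policy_id = p.policy_id
         ORDER BY h2.start_date DESC) AS last_result      -- 1 = clean, 0 = at least one failure
FROM dbo.syspolicy_policies AS p
JOIN dbo.syspolicy_policy_execution_history AS h
  ON h.policy_id = p.policy_id
LEFT JOIN dbo.syspolicy_policy_execution_history_details AS d
  ON d.history_id = h.history_id AND d.result = 0
WHERE h.start_date >= @since
GROUP BY p.policy_id, p.name
ORDER BY failing_targets DESC, p.name;
```

Evaluation errors (exception_message) deserve the same attention as failures: a condition that could not be evaluated, for example because ExecuteSql was denied, reports nothing about the target and should count as unknown rather than compliant.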
CSV
ServerName_[policytable]_yyyyMMdd_hhmmss.csv
PowerShell *.csv [pol].[uspImportPolicyData]
()
Folder\archive
SQL PolicyReports.sql (PolicyLoad.sql )
[Policy Reports - PBM] Reporting Services
Visual Studio [Policy Reports PBM] Reporting Services
TargetServerURL http://campschurmann/
48: [Policy Reports PBM] RS
SQLAudit.rds SQLAudit ( SQLAudit )
([] > [])http://[] /Reports/Pages/Folder.aspx?ItemPath=%2fSQL+Auditing+Reports&ViewMode=List
SQL Server SQL Server 2008 SQL Server 2008
http://www.microsoft.com/japan/sql: SQL Server 2008 (Japanese site)
http://www.microsoft.com/japan/sqlserver/: SQL Server Web site
http://technet.microsoft.com/ja-jp/sqlserver/: SQL Server TechCenter
http://msdn.microsoft.com/ja-jp/sqlserver/: SQL Server DevCenter
http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx: SQL Server Security White Paper (English)
http://social.msdn.microsoft.com/forums/ja-jp/sqlsecurity/threads/: SQL Server Security forum
http://blogs.msdn.com/sqlsecurity/: SQL Server Security Blog (English)
http://blogs.msdn.com/sqlpbm/: SQL Server Policy-Based Management Blog (English)
[Figure text recovered from the paper's diagrams; only the labels survived extraction]
Policy extraction architecture: a central SQLAudit server obtains the server list, extracts policy data from Server 1 to Server n, loads the policy data, and reports are viewed from the central server.
Audit processing architecture: each SQL Server 2008 instance transfers its SQL Server Audit logs to a file share; SSIS processes the audit log data and stores it in its own SQL Server database; SSRS 2008 generates security analysis, security reports and compliance reports from it.
Compliance program cycle: Assessment, Prioritization, Action plan, Monitoring, Validation, Remediation, Policies, Training, Practices.
Physical-security analogy: risk of loss from theft, vandalism and injury to personnel; monitoring by reviewing entrance and guard logs, tapes and news reports; controls such as locked doors, guards, cameras, badges and policies.
IT control matrix: regulations SOX, PCI, HIPAA, GLBA against the controls ID management, separation of duties, encryption, key management, auditing, control testing and policy management.
Separation-of-duties roles: Backup Operator, Application Admin, Auditor, User Admin.
Encryption figure: possible algorithms include AES (128, 192, 256 bit) and 3DES; protects data; Extensible Key Management; key rotation; key server backup.
SSIS package data flow: Read Logs, Add Import Id, Manage/Load Dimensions, Split Facts, Load Facts, Count Rows, Store File Information.
Policy model: Policy, Condition, Expression 1 to Expression n, Category; targets: Table, Server, Certificate, Audit, Database.
Policy examples for PCI databases (targets PCI DB1 to PCI DBn): Access Policy (limit access: sa disabled, limit DB users, audit DB access); Encryption Policy (encrypt data: encryption enabled, log flag access); Key Policy (manage keys: keys rotated, keys copied, log key access).