DEMOS!
SQL SERVER 2014 CTP2
Windows Server 2012R2
Windows Azure VM on Azure Portal
12/7/2013
Agenda
Introduction to SQL Server Audit
Configuring SQL Server Audit
Audit Actions and Action Groups
Defining Audit Targets
Creating Audits
Creating Server Audit Specifications
Creating Database Audit Specifications
Audit-related DMVs and System Views
Demonstration Using SQL Server Audit
Other Issues and Considerations
Resources for More Information
Best Practice
Test in Non-Production Environment
Initiate/Sample with a Narrow Scope
Comprised of:
Audits
Server and Database Audit Specifications
Actions and Action Groups
Targets
Extended Event Engine
SQL Engine
Create Server Audit > Configure Server or Database Audit Specification > Enable Audit Specification > Monitor and Review
Creating Audits
Create Server Audit > Configure Server or Database Audit Specification > Enable Audit Specification > Monitor and Review
Creating Audits
Configuration
Comment
Audit name
Continue
Shut Down Server
Fail Operation
Audit destination
Maximum files
Creating Audits
Queue Delay - A bit more on configuration specifics:
Specifies the amount of time in milliseconds that can elapse
before audit actions are forced to be processed.
A value of 0 indicates synchronous delivery.
The default minimum value is 1000 (1 second).
The maximum is 2,147,483,647 (2,147,483.647 seconds or 24
days, 20 hours, 31 minutes, 23.647 seconds).
Creating Audits
On Audit Log Failure - Continue - A bit more on configuration specifics:
SQL Server operations continue. Audit records are not
retained. The audit continues to attempt to log events and
will resume if the failure condition is resolved. Selecting the
Continue option can allow unaudited activity which could
violate your security policies. Select this option when
continuing operation of the Database Engine is more
important than maintaining a complete audit. This is the
default selection.
Creating Audits
On Audit Log Failure - Shut Down Server - A bit more on configuration specifics:
Forces a server shut down when the server instance writing
to the target cannot write data to the audit target. The login
issuing this must have the SHUTDOWN permission. If the
logon does not have this permission, this function will fail and
an error message will be raised. No audited events occur.
Select this option when an audit failure could compromise
the security or integrity of the system.
Creating Audits
On Audit Log Failure - Fail Operation - A bit more on configuration specifics:
In cases where the SQL Server Audit cannot write to the audit
log this option causes database actions to fail if they would
otherwise cause audited events. No audited events occur.
Actions which do not cause audited events can continue. The
audit continues to attempt to log events and will resume if
the failure condition is resolved. Select this option when
maintaining a complete audit is more important than full
access to the Database Engine.
Creating Audits
Audit File Maximum Limit - A bit more on configuration specifics:
Maximum rollover files
Specifies that, when the maximum number of audit files is reached, the oldest audit
files are overwritten by new file content.
Maximum files
Specifies that, when the maximum number of audit files is reached, any action that
causes additional audit events to be generated will fail with an error.
Creating Audits
Maximum File Size - A bit more on configuration specifics:
Specifies the maximum size for an audit file in either
megabytes (MB), gigabytes (GB), or terabytes (TB).
You can specify between 1024 MB and 2,147,483,647 TB.
Selecting the Unlimited check box does not place a limit on
the size of the file.
Specifying a value lower than 1024 MB will fail, returning an
error.
The Unlimited check box is selected by default.
Creating Audits
Reserve Disk Space - A bit more on configuration specifics:
Specifies that space is pre-allocated on the disk equal to the
specified maximum file size.
This setting can only be used if the Unlimited check box under
Maximum file size is not selected.
This check box is not selected by default.
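The dialog options described on the preceding slides map onto the T-SQL CREATE SERVER AUDIT statement as shown here. This is an added example, not part of the original deck; the audit names and the D:\SQLAudit\ paths are assumptions made for illustration.

```sql
-- Added example. Audit names and file paths are constructed for illustration.
USE master;
GO

-- Availability first: a bounded ring of rollover files, asynchronous
-- delivery, and the engine keeps running if the target cannot be written.
CREATE SERVER AUDIT [Demo-Audit-Continue]
TO FILE (
    FILEPATH = N'D:\SQLAudit\Continue\',
    MAXSIZE = 1024 MB,          -- Maximum file size
    MAX_ROLLOVER_FILES = 10,    -- Maximum rollover files: oldest file is overwritten
    RESERVE_DISK_SPACE = ON     -- pre-allocate MAXSIZE; not allowed with MAXSIZE = UNLIMITED
)
WITH (
    QUEUE_DELAY = 1000,         -- milliseconds before queued audit actions are forced out
    ON_FAILURE = CONTINUE       -- On Audit Log Failure: Continue (the default)
);
GO

-- Completeness first: synchronous delivery, and audited actions fail
-- rather than run unrecorded when the target is unavailable or full.
CREATE SERVER AUDIT [Demo-Audit-Strict]
TO FILE (
    FILEPATH = N'D:\SQLAudit\Strict\',
    MAXSIZE = 1024 MB,
    MAX_FILES = 20,             -- Maximum files: no overwrite; further audited actions error out
    RESERVE_DISK_SPACE = ON
)
WITH (
    QUEUE_DELAY = 0,            -- 0 = synchronous delivery
    ON_FAILURE = FAIL_OPERATION -- On Audit Log Failure: Fail Operation
);
GO

-- Confirm what was stored. New audits are created in the disabled state,
-- so is_state_enabled is 0 until ALTER SERVER AUDIT ... WITH (STATE = ON).
SELECT name, is_state_enabled, on_failure_desc, queue_delay,
       max_file_size, max_rollover_files, max_files,
       reserve_disk_space, log_file_path
FROM sys.server_file_audits
WHERE name LIKE N'Demo-Audit-%';
```

MAX_ROLLOVER_FILES and MAX_FILES are mutually exclusive, which is why the two audits each use only one of them.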
Create Server Audit > Configure Server Audit Specification > Enable Audit Specification > Monitor and Review
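-- Server audit specification that sends failed logins to the audit created earlier.
-- The audit name contains hyphens, so it must be bracket-quoted.
CREATE SERVER AUDIT SPECIFICATION FailedLoginSpec
FOR SERVER AUDIT [Audit-20121222-171544]
ADD (FAILED_LOGIN_GROUP);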
Create Server Audit > Configure Database Audit Specification > Enable Audit Specification > Monitor and Review
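-- Database audit specification (run in the database being audited) that sends
-- backup and restore events to the same server audit.
-- The audit name contains hyphens, so it must be bracket-quoted.
CREATE DATABASE AUDIT SPECIFICATION BackupRestoreSpec
FOR SERVER AUDIT [Audit-20121222-171544]
ADD (BACKUP_RESTORE_GROUP);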
Viewer
View the results of a file-based audit
Create Server Audit > Configure Server or Database Audit Specification > Enable Audit Specification > Monitor and Review
Application Log
Writing to the Windows Security log requires the SQL Server service
database
To Use DMVs:
VIEW SERVER STATE or ALTER ANY AUDIT
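The Enable and Monitor and Review steps for the FailedLoginSpec specification, written out in T-SQL. This is an added example, not part of the original deck; it assumes the audit writes to a file target under D:\SQLAudit\ (a constructed path) and filters on 'LGIF', the action_id SQL Server records for a failed login.

```sql
-- Added example. The file path is constructed for illustration.
USE master;
GO

-- Enable the audit first, then the specification bound to it.
ALTER SERVER AUDIT [Audit-20121222-171544] WITH (STATE = ON);
ALTER SERVER AUDIT SPECIFICATION FailedLoginSpec WITH (STATE = ON);
GO

-- Is the audit running, and where is it writing?
-- (DMV access needs VIEW SERVER STATE, as noted on the slide.)
SELECT name, status_desc, status_time, audit_file_path, audit_file_size
FROM sys.dm_server_audit_status;

-- Which server specifications exist and what each one captures.
SELECT s.name AS specification_name,
       s.is_state_enabled,
       d.audit_action_name,
       d.audited_result
FROM sys.server_audit_specifications AS s
JOIN sys.server_audit_specification_details AS d
  ON d.server_specification_id = s.server_specification_id;

-- Review failed logins from the audit files, newest first.
-- event_time is recorded in UTC. Reading the files with
-- sys.fn_get_audit_file requires CONTROL SERVER.
SELECT TOP (100)
       event_time,
       server_principal_name,
       succeeded,
       statement,
       additional_information,
       file_name
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
ORDER BY event_time DESC;
```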
Summary
Introduction to SQL Server Audit
Configuring SQL Server Audit
Audit Actions and Action Groups
Defining Audit Targets
Creating Audits
Creating Server Audit Specifications
Creating Database Audit Specifications
Audit-related DMVs and System Views
Demonstration Using SQL Server Audit
Other Issues and Considerations
Resources for More Information
Q&A?
Email me at
timothy.mcaliley@microsoft.com
Follow Me on Twitter @Sysframeworks
LinkedIn: Timothy P. McAliley
Thank You!