Start setting up your server audit, enabling the server audit, and then creating the database audit specification.. Your code should resemble the following: USE MASTER GO -- You are cr
Trang 1ExERciSE 4.7
set UP a Database aUDit sPeCifiCatioN
You need to set up a database audit specification on the HumanResources.
Employee table to monitor any SELEcT or DELETE statements Start setting
up your server audit, enabling the server audit, and then creating the
database audit specification Your code should resemble the following:
USE MASTER
GO
You are creating the server audit with this statement
CREATE SERVER AUDIT Employee_Security_Audit
TO FILE ( FILEPATH =
'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\
MSSQL\DATA' );
GO
You need to then enable the server audit
ALTER SERVER AUDIT Employee_Security_Audit
WITH (STATE = ON) ;
GO
Now you need to set up the database audit by switching to the
target database.
USE AdventureWorks
GO
Now create the database audit specification for the Employee
table.
CREATE DATABASE AUDIT SPECIFICATION Employee_Table
FOR SERVER AUDIT Employee_Security_Audit
ADD (SELECT, DELETE
ON HumanResources.Employee BY dbo ) WITH (STATE = ON)
GO
You have now completed setting up database auditing for the
HumanResources.Employee table in the AdventureWorks2008 database.
Trang 2change Data capture (cDc)
New in SQL Server 2008 and only available in the Developer, Enterprise, and Evaluation additions, Change data capture (CDC) can be implemented to capture INSERT, UPDATE, and DELETE activity applied to SQL Server tables from the SQL Server transaction log CDC captures column information along with the metadata, such as the action being taken, that is required to apply the changes to a target environment for rows affected The data capture information is stored in change tables that resemble the column structure of the tracked source tables
New & Noteworthy…
Change Data Capture (CDC)
cDc functionality is new in SQL Server 2008, providing the capability to capture iNSERT, UPDATE, and DELETE activity from the SQL Server transaction logs.
Before CDC can be used it must be enabled; the following SQL code shows how to do this
use testDatabase
Activate CDC
EXEC sys.sp_cdc_enable_db_change_data_capture
IsDatabaseEnabled?
SELECT is_cdc_enabled FROM sys.databases WHERE name = 'testDatabase'
Enable CDC on table
EXEC sys.sp_cdc_enable_table_change_data_capture @source_schema = 'dbo',
@source_name = 'Table_1', @role_name = 'cdc_test'
IsTableEnabled?
SELECT is_tracked_by_cdc FROM sys.tables WHERE name = 'table_1'
Using DDL Triggers
DDL triggers are a great way to keep track of any structural changes to the database schema DDL triggers fire after DDL language events and are fully transactional
Trang 3Changes can roll back and, besides running Transact-SQL code, Common Language Runtime (CLR) code can be executed as well
Providing an audit of schema changes can be very helpful when you want to
make sure that column data types tied to data loads are not inadvertently changed
or production tables are not dropped, resulting in data load or application failures
DDL triggers can be set up at the database-level and at the server-level An
example of a database-level trigger would be a trigger that tracks or prevents DDL
changes to tables A server-level DDL trigger could track such changes as Logins
being added to SQL Server
Once created, you can see DDL and DML triggers using the database-level
cat-alog view, sys.triggers, or the server-level view, sys.server_triggers.
The syntax for creating a DDL trigger is:
CREATE TRIGGER trigger_name
ON { ALL SERVER | DATABASE }
[ WITH <ddl trigger_option> [, n ] ]
{ FOR | AFTER } { event_type | event_group } [, .n ]
AS { sql_statement [ ; ] [, .n ] | EXTERNAL NAME < method specifier > [ ; ] }
<ddl_trigger_option> ::=
[ ENCRYPTION ]
[ EXECUTE AS Clause ]
Here is an example of a database-level DDL that prevents a table from being
altered or dropped:
CREATE TRIGGER DONOTCHANGEIT
ON DATABASE
FOR DROP_TABLE, ALTER_TABLE
AS
PRINT 'You must contact a DBA before dropping or altering tables!'
ROLLBACK
;
TesT Day Tip
Make sure that you are familiar with the difference between database-level and server-level DDL triggers.
Trang 4ExERciSE 4.8
iMPleMeNtiNg a Database-level DDL trigger
You have an application vendor that supports their application and the supporting SQL Server database remotely When support issues or maintenance requests arise, this vendor can log in securely and make database schema changes Unfortunately, the vendor is not aware of any of the in-house custom development so you want to make sure that you are aware of the changes that they are making so that you can head off any problems arising from table changes.
Write a DDL trigger that will keep track of any table changes and the User who has made the change You will want to save this table audit information to an audit table.
The SQL Server Configuration Manager
In SQL Server 2005, The Surface Area Configuration Tool was used to manage SQL Server features such as Database mail and xp_cmdshell In SQL Server 2008, the Surface Area Configuration Tool no longer exists; it has been replaced with the SQL Server Configuration Manager Available as a Facet at the server instance level, Database mail, CLR integration, and xp_cmdshell, as well as a few other features, can be enabled or disabled through this new interface
Configuring & Implementing…
Secure by Default
Many SQL Server 2008 features are installed in a disabled state requiring that they be manually enabled when needed.
Following the “secure by default” philosophy of SQL Server, many features are installed in a disabled state so that potential attackers cannot exploit them In order
to use functions such as the Service Broker, database mail, xp_cmdshell, and CLR they have to be enabled by using the Surface Area Configuration Tool This tool can
Trang 5be accessed by Right Clicking on the Server and selecting Facets Then by selecting
Surface Area Configuration from the drop-down menu, you will see a screen
that looks like Figure 4.11
TesT Day Tip
Be aware of what features are automatically set up to run when
SQL Server 2008 is installed and which functions need to be enabled,
as well as their purpose.
Keep in mind that you only want to enable what you know you need Enabling
unused functions will leave your server vulnerable to potential attack
Using sp_configure will display configuration settings for the current server
Changes can also be made using sp_configure Configuration settings can be viewed
by executing the following: