Mustafa EL-Masry Administration

Building Your Security Audit in SQL Server 2012


Introduction :

Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. SQL Server audit lets you create server audits, which can contain server audit specifications for server level events, and database audit specifications for database level events. Audited events can be written to the event logs or to audit files.

There are several levels of auditing for SQL Server, depending on government or standards requirements for your installation. SQL Server Audit provides the tools and processes you must have to enable, store, and view audits on various server and database objects.

You can record either server audit action groups’ per-instance, and database audit action groups or database audit actions per database. The audit event will occur every time that the auditable action is encountered.

All editions of SQL Server support server level audits. Database level auditing is limited to Enterprise, Developer, and Evaluation editions

How SQL Server Audit Works:

Auditing a SQL Server instance is not anything new. Previous and current versions of SQL have had C2 auditing functionality, which can incur more overhead than necessary and is not always flexible. For example, if the c2 logs fill up the disk to which they are being saved, the SQL instance will shut itself down. The data being collected by c2 gives details about both failed and successful attempts to access or modify objects and data, but the results are not returned in a way to make it easy to determine the nature of the events, simply the events themselves.

SQL 2008 Enterprise version allows for you to quickly and easily configure SQL Server Auditing to automate your auditing needs. The simple explanation for how this works is as follows:

 

  1. Create a SQL Server Audit object
  2. Create an Audit Specification (can be at the server or database level)
  3. Turn it on

It really is that easy to get it up and running. The hard part will come later on when someone stops by to ask for the details surrounding specific events, but even that is not difficult to provide due to the inclusion of an audit log reader.

Audit

Building Your Security Audit by T-SQL Script :

i will Explain Now :

How to Build SQL SERVER AUDIT SPECIFICATION  in SQL Server 2012 by T-SQL.

How to Build SQL DATABASE AUDIT SPECIFICATION in SQL Server 2012 by T-SQL.

Hot Read your SQL Server Audit file by Fn_get_Audit_File Function.

SQL SERVER Audit-Server:

Now if you Need to build Audit on All your Server to Check for Example The FAILED_LOGIN_GROUPWhat is the Steps we will do it one by one that’s what i will Explain now .

At the First We Need to Check if you have SQL Server Audit Created or no on our Servers i will Check the server_audits and the Server_audit_specificationsc by using the DMV:

Check Your Server Audits:

Select from Sys.server_audits
SELECT FROM sys.server_audit_specifications

before the Creating i will Check if i have Server Audit by my new audit name or no if i have i will delete it

USE [master]
GO
IF EXISTS (SELECT FROM sys.server_audits WHERE name = N'Audit-Server-FAILED_LOGIN_GROUP')
BEGIN
 ALTER SERVER AUDIT [Audit-Server-FAILED_LOGIN_GROUP]
 WITH ( STATE = OFF );
 DROP SERVER AUDIT [Audit-Server-FAILED_LOGIN_GROUP]
END
GO
IF EXISTS (SELECT FROM sys.server_audit_specifications WHERE name = N'ServerAuditSpecification-FAILED_LOGIN_GROUP')
BEGIN
 ALTER SERVER AUDIT SPECIFICATION [ServerAuditSpecification-FAILED_LOGIN_GROUP]
 WITH ( STATE = OFF );
 DROP SERVER AUDIT SPECIFICATION [ServerAuditSpecification-FAILED_LOGIN_GROUP]
END
GO

CREATE SERVER AUDIT :

CREATE SERVER AUDIT [Audit-Server-FAILED_LOGIN_GROUP]
TO FILE
( FILEPATH = N'E:\My Work\SQLServer Audit\'
 ,MAXSIZE = 100 MB
 ,MAX_ROLLOVER_FILES = 2
 ,RESERVE_DISK_SPACE = OFF
)
WITH
( QUEUE_DELAY = 1000
 ,ON_FAILURE = CONTINUE
)
GO
USE [master]
GO

Enable SERVER AUDIT :

ALTER SERVER AUDIT [Audit-Server-FAILED_LOGIN_GROUP]
WITH ( STATE = ON );
GO

CREATE SERVER AUDIT SPECIFICATION:

CREATE SERVER AUDIT SPECIFICATION [ServerAuditSpecification-FAILED_LOGIN_GROUP]
FOR SERVER AUDIT [Audit-Server-FAILED_LOGIN_GROUP]
ADD (FAILED_LOGIN_GROUP)
WITH (STATE = OFF)
GO

Enable SERVER AUDIT SPECIFICATION :

ALTER SERVER AUDIT SPECIFICATION [ServerAuditSpecification-FAILED_LOGIN_GROUP]
WITH ( STATE = ON );
GO

Now your SQL Server Audit Building on your Server level is Completed Let’s Check it and try to login with any Failed User or with correct user but with uncorrected password to test our New Audit

Check your SQL Server Audit from your SSMS(SQL Server Mangment Studio)
Audit2

Check your Audit File under your path of ‘E:\My Work\SQLServer Audit\’

Audit3

Now i tried to login with uncorrected user name DBA let’s go to Read the SQL Server Audit file by T-SQL to See if this action is saved or no

Read all information from a specific audit file:

SELECT FROM sys.fn_get_audit_file
('E:\My Work\SQLServer Audit\Audit-Server-FAILED_LOGIN_GROUP_CC232C99-8C93-4DAD-89A6-7CE7001F9364_0_130229499734310000.sqlaudit'nullnull)
GO

Audit4

DATABASE AUDIT SPECIFICATION:[Audit_Database_Backup_and_Restore]

DATABASE AUDIT SPECIFICATION is SQL Server Audit on Database level. i will work in Database [AdventureWorks2012] and my Example will be How to Audit

Create Server Audit : 

USE [AdventureWorks2012]
GO
IF EXISTS (SELECT FROM sys.database_audit_specifications WHERE name = N'DatabaseAuditSpecification-Backup_and_Restore')
BEGIN
 ALTER DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecification-Backup_and_Restore]
 WITH ( STATE = OFF );
 DROP DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecification-Backup_and_Restore];
END
GO
USE [master]
GO
IF EXISTS (SELECT FROM sys.server_audits WHERE name = N'Audit_Database_Backup_and_Restore')
BEGIN
 ALTER SERVER AUDIT [Audit_Database_Backup_and_Restore]
 WITH ( STATE = OFF );
DROP SERVER AUDIT [Audit_Database_Backup_and_Restore]
END
GO
CREATE SERVER AUDIT [Audit_Database_Backup_and_Restore]
TO FILE
( FILEPATH = N'E:\My Work\SQLServer Audit\'
 ,MAXSIZE = 100 MB
 ,MAX_ROLLOVER_FILES = 2
 ,RESERVE_DISK_SPACE = OFF
)
WITH
( QUEUE_DELAY = 1000
 ,ON_FAILURE = CONTINUE
)
GO

Enable SERVER AUDIT:

USE [AdventureWorks2012]
GO
ALTER SERVER AUDIT [Audit_Database_Backup_and_Restore]
WITH ( STATE = ON );

CREATE DATABASE AUDIT SPECIFICATION : DatabaseAuditSpecification-Backup_and_Restore

CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecification-Backup_and_Restore]
FOR SERVER AUDIT [Audit_Database_Backup_and_Restore]
ADD (BACKUP_RESTORE_GROUP)
GO

ENABLE DATABASE AUDIT SPECIFICATION:

ALTER Database AUDIT SPECIFICATION [DatabaseAuditSpecification-Backup_and_Restore]
WITH ( STATE = ON );
GO

Now try to take backup from Database Adventurework2012 then check the Audit file in ‘E:\My Work\SQLServer Audit’

Backup Database AdventureWork2012 :

BACKUP DATABASE [AdventureWorks2012] TO DISK = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Backup\AdventureWorks2012.bak' WITHNOFORMAT, NOINIT, NAME = N'AdventureWorks2012-Full Database Backup', SKIP, NOREWIND, NOUNLOAD, STATS = 10

Read the Audit File :

SELECT FROM sys.fn_get_audit_file
('E:\My Work\SQLServer Audit\Audit_Database_Backup_and_Restore_B3D67D19-2753-4B0C-8FB1-90B732A56DDD_0_130229523138080000.sqlaudit'nullnull)
GO

Audit5

How to read SQL Server Audit :

Read all information from a specific audit file :

SELECT FROM sys.fn_get_audit_file
('E:\My Work\SQLServer Audit\Audit_Database_Backup_and_Restore_B3D67D19-2753-4B0C-8FB1-90B732A56DDD_0_130229523138080000.sqlaudit'nullnull)
GO

Read all audit files with a specified name :

SELECT FROM sys.fn_get_audit_file
('E:\My Work\SQLServer Audit\Audit_Database_Backup_*.sqlaudit'nullnull)
GO

Read all audit files with a specified name:

SELECT FROM sys.fn_get_audit_file
('E:\My Work\SQLServer Audit\Audit_Database_Backup_*.sqlaudit'nullnull)
GO
Mustafa EL-Masry Administration, SQl server Administration

Policy # Check the Data and Log file Extensions for All Dataabases


Today i will explain how to Check all Data file and log file for all your database we will check the Extensions for (MDF , NDF , LDF) by using policy management .

1- Create Conditions

at the first we will create 2 condition one for Data file and the other for Log file

I- Data File Extensions Condition

Open SQL Server Management studio >>> Mangment >>> Policy Mangment >>> Conditions >>>> Right Click on it >>> New Condition

Name : Data File Extensions .

Facet  : Data File .

Field : @File name

Data File Extensions Conditions

II – Log File Extensions Conditions :

Open SQL Server Management studio >>> Mangment >>> Policy Mangment >>> Conditions >>>> Right Click on it >>> New Condition

Name : Log File Extensions .

Facet  : Data File .

Field : @File name

Log File Extensions Conditions

2- Create policy :

Now we will Create 2 Policy one “Check Data File” and the Other is “Check log File”

I – Policy – Check Data File :

Open SQL Server Management studio >>> Mangment >>> Policy Mangment >>> Policies>>>> Right Click on it >>> New Policy

Name : Check Data File  .

Check Condition : Data File Extensions

Check Data File Policy

II – Policy – Check Log File :

Open SQL Server Management studio >>> Mangment >>> Policy Mangment >>> Policies>>>> Right Click on it >>> New Policy

Name : Check Log File  .

Check Condition : Log File Extensions

Check log File Policy

Now after we create the policy if you go to Policies and right click on Policy name ” Check Data File ” >>> Evaluate

Evaluate

After the Evaluate Finish you will find the Data file for your all databases in your SQl Server Instance if you clicked on View you will See the Full path to the MDF and NDF

in my example now i have MDF only no File Extensions  With NDF so i have More Cross

I Wish Success To Everyone

Eng. Mostafa Elmasry

Database Administrator

Mustafa EL-Masry Administration, SQl server Administration

How to Transfer SQL Server Jobs Task from Source Server to Distention Server!


Question :

How i can transfer SQL Server jobs Task from Source Server to Distention Server without T-SQL Script ?

Answer :

We can do that by SSIS ” SQL SERVER INTEGRATION SERVICES ”  by creating new package on it to transfer the jobs task from one server to another server.

Note : also by SSIS i can trnsfer

1- Database Task

2- Error Massage Task

3- Login Task

4- Master Stored procedure Task

5- SQL Server objects Task

 

Demo to how to transfer SQL Server jobs task :

1- open Start menu >>> SQL Server >>>  SQL Server Business Intelligence Development Studio >>> File Menu >>> New >>> project >>> Select project type is Business Intelligence Projects from the left bar >>> select from the Right template Integration Services Project >>>write name for this Project EX (Transfer Jobs) >>> Choose your path to save the project >>> OK

Transfer Jobs_1

2- from the left Select from the Toolbox Menu under the Control flow items >>> Transfer job Task  >>> Drag and Drop this task on Control flow page >>> right click on the task >>> Select Edit .

 Transfer Jobs_2

 

3- After the Edit we will view New Screen ” Transfer Jobs Task Editor ” >>> Select jobs from the left bar .

4- We have 3 Group :

A- Connection :

Source Connection           : The SQL Server Instance the Jobs Crated on it .

Destination Connection : The SQL Server you need to referrer the jobs to it .

B- Jobs :

Transfer All Jobs : False if you don’t need to transfer All jobs and this is Default Value , True  if you need to transfer All jobs .

Job List : if you select The transfer All jobs is FALSE Select from here the Jobs list you need to transfer it to another Server .

C- Option :

If Object Exist : Meaning if the one Job from the List job you need to transfer it to another Server it’s Created already on this Server you will Select from this 3 Value

  • FailTask : If the job Found Fail The task.
  • Overwrite : if the job Found Overwrite on it .
  • Skip : if the job Found Skip this job

EnablejobsAtDistention : False = Disable , True = Enable .

After you finish your Configuration Click OK

Transfer Jobs_3

4- now we need to run the task by F5 or Click on play icon to execute the package.

5- Now Check your Distinction SQL Server Agent Jobs you will found the New Jobs you Selected it to Transfer .

I Wish Success To Everyone

Eng. Mostafa Elmasry

Database Administrator

Mustafa EL-Masry Administration, SQl server Administration

How to Change the Default Database Location


Problem :

After I Create Cluster and I make 2 Share Disk one for Data and the another for Logs I forget to Customize the location For the database What can I do to Change this Location ?

Salutation : 

You have two ways the first by T-SQL and the Second is Wizard Steps :

First Way:

A- Change the Default location for data file :

EXEC xp_instance_regwrite

N’HKEY_LOCAL_MACHINE’,

N’Software\Microsoft\MSSQLServer\MSSQLServer’,

N’DefaultData’,

REG_SZ

,N’F:\MSSQL10_50.MSSQLSERVER\MSSQL\DATA’

GO

B- Change the Default location for Logs file :

EXEC xp_instance_regwrite

N’HKEY_LOCAL_MACHINE’,

N’Software\Microsoft\MSSQLServer\MSSQLServer’,

N’DefaultLog’,

REG_SZ

,N’G:\MSSQL10_50.MSSQLSERVER\MSSQL\Log’

GO

Second Way:

Open the management Studio >>> Write Click on the Server >>> Select properties

Change1

Then Select Database Setting >>> you Will See Database Default Location

Change2