The Multifunctioning DBA » Audit

Auditor Nightmare

Colin Smith — Thu, 28 Jul 2011 21:00:44 +0000

My company has an audit coming up and I saw this post and thought I should take a look since we are getting ready for our audit. So take a look and let me know what you think about this.

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:”Table Normal”;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:”";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:”Calibri”,”sans-serif”;
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:”Times New Roman”;
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:”Times New Roman”;
mso-bidi-theme-font:minor-bidi;}

http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

My thoughts are that one of two things are going on here.

1. The poster just wanted to get a rise out of the community and if that is true he did it!!

2. The person that is the rep is really a hacker that somehow found out all the information about the audit and decided to represent the company and attempt to get some information. So be vigilant and aware and look for the red flags.

Triggers for protection

Colin Smith — Sun, 30 Jan 2011 21:21:19 +0000

I have recently had to find a way to prevent someone that has elevated privileges from removing logins, databases, as well as keep them from adding new databases to my production systems. I was amazed at how easy this was to do thanks to event level ddl triggers. I created a table in master called ddlaudit. The format is below:

create table DDLAUDIT

(PostTime datetime,

DatabaseName varchar(100),

Event nvarchar(100),

ObjectName varchar(256),

TSQL nvarchar(2000),

Now that I have a table to push data into I just needed to create the triggers. Below is one of them but I did create all three.

Create Trigger AUDIT_Drop_Login

On all server

for drop_login

Declare @audit XML

DECLARE @ed XML

SET @ed = EVENTDATA()

Print ‘You are not allowed to drop logins from this instance of SQL Server. Please contact the DBA’

rollback

INSERT INTO DDLAudit (PostTime, DatabaseName, Event, ObjectName, TSQL,Login)

VALUES

(

GetDate(),

@ed.value(‘(/EVENT_INSTANCE/DatabaseName)[1]‘, ‘varchar(256)’),

@ed.value(‘(/EVENT_INSTANCE/EventType)[1]‘, ‘nvarchar(100)’),

@ed.value(‘(/EVENT_INSTANCE/ObjectName)[1]‘, ‘varchar(256)’),

@ed.value(‘(/EVENT_INSTANCE/TSQLCommand)[1]‘, ‘nvarchar(2000)’),

@ed.value(‘(/EVENT_INSTANCE/LoginName)[1]‘, ‘varchar(256)’)

)

Now that I have them create no one, not even me, can perform these actions. And when someone does attempt one of the actions you will have an audit trail of who did what and when they did it. Now if you want to be able to drop a login after this is in place you will need to disable or drop the trigger. You can find the trigger by running the following query.

select * from sys.server_triggers

Disable trigger trigger_name

on all server

Enable trigger_name

on all server

That way you, as the DBA, can make the changes you need to make.

IT Audit

Colin Smith — Tue, 27 Jul 2010 20:36:43 +0000

Recently my company went through an internal audit of our financial systems. First let me say that I am proud because we did well and do not have many issues to resolve, and no issues on the Database Side. Any way I also want to point out that the auditors are not IT people. They are accountants and they have no idea what they are asking for from us or what we give them. An example of this is that I was working in Powershell when the auditor came over to me and asked for a screenshot of all sysadmin role users on a particular server. I pulled it up in powershell and printed it out. No he said this is no good. I need the SQL Server screen that will tell me. OK I say and I go into SSMS and pull it up and print it out for him. To me this said that he does not know what he is looking at and I could, not that I ever would, give him the same screenshot from last year and he would not know. For the remaining time that he was around I tried to point out what was what and help him learn abit about what he was asking for. Hope that will help in in future audits.

Powershell Sysadmin Role Audit Script

Colin Smith — Thu, 25 Feb 2010 10:00:51 +0000

I am working on a Powershell script that will audit my SQL Servers Logins and tell me who is a member of the sysadmin role. I think that this is a good idea for any DBA. I know that I do not want to have very many people with this type of access to data that I am in charge of protecting. This script will enumerate a list of users and groups with sysadmin role and then for each group it will list the members of the group. I am doing this because the Local Admin group has the sysadmin role on all of my servers. I have a vested interest in knowing who is a part of that group. I have already found some dev application service accounts that are a member of the local admin group on one of my servers. I do not like this and I do not like applications that require it. If an application does require sysadmin role then I am a big fan of giving that appllication its own instance of SQL Server.

Another reason that I am doing this is to show how many people have access that they do not need. I will use this as ammunition to remove the local admin group from the sysadmin role. I would like to have very tight control over that role and not turn over the keys to the SQL kingdom to anyone or anything that I do not deem worthy of it. Now that is not to say that I think that the people in that group are not technically sound, I just do not want more hands in the cookie jar than are necessary.

Health Check into SQL Server

Colin Smith — Fri, 22 Jan 2010 13:12:48 +0000

I have recently posted about my new job and how I am walking into the unknown. Like I have said in the past, I did get a list of Host Names that are running SQL Server. I have written a script to go out and look at each of those hosts and get me all instances. I have put together a list of about 150 SQL Servers that are running but I still no very little about. I have also posted about a Powershell script that I have written that goes out and gathers information about the SQL Server instances in question. I ran this and I was shocked. After glancing at the output I see things that just should not be. I see many DB’s that have logs larger than the Database. I see many that are running from the system drive, I see some that are far behind on patching, I even see one with only system databases on it. Like I said I have about 150 identified running instances and just over 1000 databases. You read that correctly over 1000. I just really do not even know where to start.

Because I have so many servers and so many databases, I thought that a simple Excel Spreadsheet is just not going to do it for me this time. I need more than just a simple report. I want to put all this data in a database so that I can slice and dice the data more easily, when I finally figure out how to prioritize what needs to be done. So here is what I have so far. I will use the same Powershell script to go get all the data that I am after and then I will have it insert the data into the database. This is just the beginning for this database as I have some bigger plans brewing in my head now. For now though, I just need something quick and basic to get the data into so I can prioritize and identify the largest problem areas.

I have two tables consisting of the following:

Instance Table	Database Table
ID PK	I_ID FK to I.ID
Host_Name	DB_Name
Instance_Name	Recovery_Model
SQL_Version	Data_Disk
SQL_SP	Log_Disk
OS_Version	Database _Size
	Log_Size
	Type (Test or Prod)
	Dbspace_Available
	Logspace_Available

I think that this will give me the ability to look at the basics and identify major problems. As I get things taken care of I will then start to add more to this Database so that I can do some more tunning, baselining, trending, and so forth.

Got any thoughts on what I should add to this initially. I am all ears.

AD Audit in Powershell

Colin Smith — Fri, 18 Sep 2009 16:37:58 +0000

I have mentioned this before but I have finally done what I set out to do and re-wrote my old vbscript that audits AD Accounts based on Create Date and Last LogonDate in Powershell. This is another great example of how much better powershell is and why everyone should now it. My VB Script was just under 800 lines of code and that was without many comments that documented the process. Now I feel that documenting scripts is very important. This is because I have had to try to fix other peoples scripts when they did not document it well and it is not fun. My powershell version of the same script with added functionality as well as over 100 lines of comments is only just over 400 lines. That means that I was able to remove about 500 lines of actual code from the script as well as add functionality to the script.
I will break the script down and post each one of the functions with a good explanation of each in my next few posts. It is a very cool script and it could be added to and customized to fit any situation that you may need. My version is based on my companies policy of disabling an account after 90 days of inactivity and deleting the account after 180 days of inactivity. My company runs the script weekly and the script sends out emails about the accounts that have been disabled and deleted to the needed personal so that the appropriate paperwork can be completed for those accounts. The script is soon to be posted. I am still testing but I will have it very soon.