Securing SQL Server with Transparent Data Encryption (TDE)

If it was not clear by my recent post Auditing SQL Server, I have compliance and security on my mind lately. This post is no different.

While SQL Server has had encryption for some time, implementation takes significant planning and can require modification of application code. With SQL Server 2008, Microsoft introduced Transparent Data Encryption (TDE). This feature allows for encryption of the actual data and log files and any subsequent backups of those files. TDE avoids the need for application modification by performing the encryption and decryption in real time and at the database level.

Note: TDE is an Enterprise Only feature

Before covering how to enable TDE and encrypt the database, it needs to be noted that the certificate used to encrypt the database needs to be backed up and available in the event a recovery is necessary. This needs to be included in DR planning before TDE is enabled.

The first step toward TDE is creation and subsequent backup of the Master Key.

USE master
GO
--Create the Master Key Encryption
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyP@$$w0rd'
GO
--Backup the Master Key
BACKUP MASTER KEY TO FILE = N'C:\SQLCertBackup\MasterKey'
    ENCRYPTION BY PASSWORD = 'MyP@$$w0rd'
GO

Once the Master Key has been created, the Server Certificate can be created. This certificate is stored in the master database.

USE master
GO
--Create the Server Certifiacate
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My Certificate'
GO
--Backup the certificate
BACKUP CERTIFICATE MyServerCert TO FILE = N'C:\SQLCertBackup\MyServerCert'
GO

With the Master Key and the Certificate created, the database is ready to be secured through the creation of the database encryption key. This key is secured by the certificate created above.

--Create the Database Encryption Key
USE AdventureWorks2012
GO
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER
    CERTIFICATE MyServerCert
GO

The final step is to actually enable encryption of the database.

--Enable encryption on the database
ALTER DATABASE AdventureWorks2012
SET ENCRYPTION ON
GO

TDE and Performance

Understanding that TDE works by encrypting and decrypting in realtime naturally leads to questions regarding performance. Microsoft BOL claims that it will only increase CPU utilization by 3-5%. Some independent testing by Rob Garrison seems to support Microsoft’s claim. You can check out his testing here.

Additional items to consider when implementing TDE:

  • During the initial implementation of TDE, the entire database and log files will need to be encrypted. How long this will take is dependent upon many factors including size of the database and server specifications.
  • Enabling TDE on an instance will encrypt the tempdb for the entire instance.
  • Backup compression will not be as effective because encrypted data does not compress well.
  • FILESTREAM data is not encrypted using TDE.

Conclusions

TDE gives the DBA a way to secure the database without having to alter applications connecting to it. It is important to understand the effects before implementing. If applications connecting to the database already cause a heavy load on the CPU it is important to test how TDE will effect performance.

If you are using TDE in production, I would love to hear about your experience in the comments below.

Tagged SQL SQL Server SQLServerPedia Syndication Security TSQL

T-SQL Tuesday: DBA Ethics

TSQL Tuesday Logo

This month’s T-SQL Tuesday is hosted by my friend Chris Shaw (Blog | Twitter) and covers DBA’s Ethics. He posed some interesting questions on the topic.

Should we have an ethics statement?

As a certified project manager from the Project Management Institute, I am already bound by a code of ethics. This code applies to all PMI members.

I think a code of ethics would be a great but how it would be implemented? It would need to be tied to an organization like PASS and then required for all PASS members to be bound to. This gives people and understanding that if the person I am talking to is a member of PASS they are bound by this code.

Have ethics issues impacted you? What did you do about it?

In Chris' article, he mentions encountering an ethical dilemma. I have faced a similar issue in the past.

At one of my clients when I was given charge of the company’s ERP database. Upon conducting an initial audit of the system I found that every user that was connecting to the company’s financials had dbo access. Some users were even encouraged to connect to the system using Microsoft Access or event SSMS to conduct their daily duties. The justification was that customizing the system cost too much because they were going to upgrade and correct access then.

I had to have a deep discussion with the CxOs about the risks of this security flaw. Even after my pleading, they were not willing to make the security changes necessary. They were not willing to make a change, citing that they were going to upgrade the system and correct the issue when they did.

While I had their response in writing, it was not enough. Working with a version of SQL Server 2008 R2 Enterprise so I enabled Auditing on the database. There was now at least an audit trail of who was accessing or making changes to the system. In the end, we were never faced with a worst case scenario but the system was not upgraded for almost 2 years.

Security Audits: how do you police what you and others are doing in the database?

There is a multi-tier approach to this question. The main response is the most obvious, implementation of the principle of least privilege.

What happens when the principle of least privilege gives a user, like a vendor, more access to the data than we are comfortable with? This is an unfortunate but realistic scenario. The only thing left here is to audit what these users are doing. This should hold true for all people with dbo or sysadmin membership.

The final tier that should be implemented is a strong change management process. This requires that changes made to the system are documented. This makes others aware of changes in the system.

Does a Code of Ethics mean anything to anyone? How do we as a community enforce a Code of Ethics?

A Code of Ethics does matter, to me at least. It establishes an expectation of how a person bound to them will act. It frames a conversation or relationship.

Do you have an issue with this Code of Ethics?

I am not sure what Chris was after with this question, and I forgot to ask him at dinner on Monday night. If he is talking about the SANS: IT Code of ethics he mentions in his article, I do have issue with the same statement he did.

I will not advance private interests at the expense of end users, colleagues, or my employer.

This does not sit well with me. Just do what is right.

What do you believe out Code of Ethics should say if we the SQL Server Community have one?

There are a couple of things I like about the PMI Code of Ethics I think should be included in an SQL Community Code of Ethics. It includes sections about responsibility and honesty. I would like to see this in a Code of Ethics that is developed.

Tagged SQL SQLServerPedia Syndication TSQL2sDay

Auditing SQL Server

“An auditor is someone who arrives after the battle and bayonets all the wounded”

It is the time of year in the United States that the word “audit” conjures up images of the Internal Revenue Service dragging us across a bed of hot coals. But that is not the case when we talk about it in reference to SQL Server. In SQL Server 2005 and earlier auditing was done through a combination of tools such as triggers, Windows logs, and SQL Trace. With the release of SQL Server 2008, Microsoft introduced auditing as a feature in the database engine to satisfy requirements around regulatory compliance including HIPPA, Sarbanes-Oxley, and PCI.

Auditors

Flash forward to SQL Server 2012, auditing is a valuable addition to a DBA’s toolset. It gives us a very granular way to audit activity on a server, all the way down to specific database objects.

Auditing is made up of three components: Server Audit, Server Audit Specification, and Database Audit Specification. We will break these down and set up auditing on our “new” old friend, AdventureWorks2012.

Server Audit

The SQL Server Audit tells us where we store the audit data. This location can be either the Windows Application log, Windows Security log, or a log file. A Server Audit is specific to a single instance of SQL Server but you can have more than one Server Audit per instance. This allows administrators the granularity to store different audit information in different locations if required.

--Create a server audit called Corp_Audit in the folder C:\AuditLogs\.
CREATE SERVER AUDIT Corp_Audit
TO FILE (FILEPATH = 'C:\AuditLogs\'

The audit option ON_FAILURE dictates what the server should do if the file cannot be written to. While shutting down the server if the audit file cannot be reached may sound extreme, it is required by some standards or companies.

By default the Server Audit is disabled.

--Enable the Server Audit
ALTER SERVER AUDIT Corp_Audit
WITH (STATE = ON)
GO

At this point, the Server Audit is turned on but it is not auditing anything. With the location of the audit set we can now define Server Level events to audit and database level events. We will start with Server Level events.

Server Audit Specification

Server level events like Backup, Restores, Failed Logins, etc can be audited through the Server Audit Specification. The Server Audit Specification can be created and turned on in the same command.

--Create and enable the Server Audit Specification
CREATE SERVER AUDIT SPECIFICATION Corp_Server_Audit_Spec
FOR SERVER AUDIT Corp_Audit
  ADD (BACKUP_RESTORE_GROUP),
  ADD (DATABASE_OBJECT_CHANGE_GROUP),
  ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
  ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
  ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON)
GO

Database Audit Specifications

Database level events like SELECT, UPDATE, INSERT, DELETE are tracked through the Database Audit Specification. The Database Audit Specification can also be created and enabled in the same command. The following code will create a database audit on the EmployeePayHistory table so we can find out when someone with dbo privileges queries or modifies the table.

--Create and enable the Database Audit Specification
USE AdventureWorks2012
GO  
CREATE DATABASE AUDIT SPECIFICATION Corp_AdventureWorks2012_Database_Audit_Spec
FOR SERVER AUDIT Corp_Audit
    ADD (SELECT, UPDATE, INSERT, DELETE ON HumanResources.EmployeePayHistory BY dbo)
    WITH (STATE = ON)

Now that we have the audit file set up we can perform tasks on the database. As we perform tasks the information is stored in the audit file.

Query the Audit File

We have set the audit to store information in a file instead of the Windows logs. To query the file the fn_get_audit_file function is used to query it.

--Query the audit file
USE master
GO
SELECT * FROM   sys.fn_get_audit_file('C:\AuditLogs\Corp_Audit_*.sqlaudit',DEFAULT,DEFAULT )
GO

We have coved how to set up auditing and have used some examples of audit actions. A full list of the options on both server and database level audit actions and groups can be found here. Do you have a specific auditing question? We would love to hear from you in the comments below.

References

Tagged SQL SQL Server

SQL Saturday #107, Houston

SQL Saturday Houston Logo

This weekend we will be hosting SQL Saturday in Houston. SQL Saturday is an opportunity to gain some SQL knowledge, meet people in the SQL Community and eat some Texas BBQ. I am not sure what could make a weekend any better.

The speaker lineup is set and it has some big names on Who’s Who of SQL Server experts on it. I hope you will join us. More information about the event including registration and location can be found on the SQLSaturday Houston event page.

I look forward to seeing everyone there.

Tagged SQL SQLSaturday Training

Developing Microsoft SQL Server 2012 Databases (71-464): Afterthoughts and Study Notes

SQL Server Logo

I have just completed my final SQL Server 2012 beta exam. I have blogged about my experiences with the exams and this is my final one. For more information regarding my other exam experiences you can see the links below.

Querying Microsoft SQL Server 2012 (71-461)

Administering Microsoft SQL Server 2012 Databases (71-462)

Developing Microsoft SQL Server 2012 Databases (71-464) – This article

Designing Database Solutions for Microsoft SQL Server 2012 (71-465)

As I have mentioned before, I am not a developer. This test only proved even more that development is an area I need to continue to work and grow.

I created some study notes based off of the Microsoft Training Catalog. Taking 4 test in two weeks was a difficult experience to get all of this information together. This is intended to augment what you are already working on to study for the exam. It is no way complete.

I also use Evernote to take all of my notes. I have set up a shared notebook where you can see all of the notes I have taken.

Implement Database Objects

Tagged SQL SQL Server 2012 Training

Administering Microsoft SQL Server 2012 Databases (71-462): Afterthoughts and Study Guide

Inline image 1

So this is the third of of the four SQL Server 2012 beta exams that I am taking.  I have blogged about my experiences with the other exams and shared the study notes that I have used.  This post is no different.  For more information no the other exams I have taken to date, see the links below. 

Querying Microsoft SQL Server 2012 (71-461)
Designing Database Solutions for Microsoft SQL Server 2012 (71-465)

The exam was pretty good.  I have nit picky issues with the way some of the questions were worded but overall I felt the test did a good job of covering the material. 

My study notes listed below are based off of the Microsoft Training Catalog.  You will not that I did not covey everything listed in the catalog.  I didn't have time to get it all listed out. 

Install and Configure SQL Server (19%)
   * Plan installation
      * Evaluate Installation Requirements
      * Drive best practices
         * Disk configuration primer: http://www.mssqltips.com/sqlservertip/1328/hard-drive-configurations-for-sql-server/
      * Service Accounts
         * These should be Managed Service Accounts
   * Install SQL Server and related services
   * Implement a migration strategy
   * Configure additional SQL Server Components
      * Configure full-text indexing
         * allows for full-text queries against character based data
         * More information about configuring full-text indexing can be found here: http://msdn.microsoft.com/en-us/library/cc879306.aspx
      * Configure FILESTREAM
         * This can be done through the GUI or through TSQL and the sp_configure command
         * More information on FILESTREAM can be found here: http://msdn.microsoft.com/en-us/library/cc645923.aspx
      * Configure FileTable
         * FILESTREAM must be enabled to use FileTable
         * Enable Non-Transaction Access at the Database Level
         * Specify a directory for FileTables at the Database Level
         * More information on FileTable: http://msdn.microsoft.com/en-us/library/ff929068(v=sql.110).aspx
   * Manage SQL Server Agent
      * Create, maintain, and monitor jobs
         * More information on creating jobs: http://msdn.microsoft.com/en-us/library/ms190268.aspx
      * Monitor Jobs
         * Job activity can be viewed in the Job Activity Monitor
         * Job activity can also be queried by running the sp_help_jobactivity
         * More information can be found here: http://msdn.microsoft.com/en-us/library/ms187449.aspx
      * Administer jobs and alerts
         * An alert  is an automated response to an event
         * Alerts can respond to
            * SQL Server events
            * Performance conditions
            * Windows Management Instrumentation (WMI) events
            * More information on alerts can be found here: http://www.simple-talk.com/sql/database-administration/sql-server-alerts-soup-to-nuts/

Maintain Instances and Database (17%)
   * Manage and configure databases
      * Filegroups
         * named collections of files and are used to help with data placement and administrative tasks such as backup and restore operations.
         * Log files are never part of a file group
         * More information regarding Filegroups can be found here: http://msdn.microsoft.com/en-us/library/ms179316.aspx
      * Database configuration
         * Five categories
            * Auto Options
            * Cursor Options
            * Recovery Options
            * SQL options
            * State options
         * More information on Database configuration options can be found here:http://msdn.microsoft.com/en-us/library/aa933082(v=sql.80).aspx
      * Transparent Data Encryption (TDE)
         * real-time I/O encryption and decryption of the data and log files
         * It does not provide encryption across communication channels
         * Encryption is performed at the page level.
         * More information regarding TDE can be found here: http://msdn.microsoft.com/en-us/library/bb934049.aspx
      * Database Console Commands DBCC
         * More information can be found here: http://msdn.microsoft.com/en-us/library/ms188796.aspx
      * Manage Log file growth
         * Information regarding managing the size of Transaction Log files can be found here: http://msdn.microsoft.com/en-us/library/ms365418.aspx
   * Configure SQL Server Instances
   * Implement a SQL Server clustered instance
      * More Information can be found here: http://msdn.microsoft.com/en-us/library/ms179530.aspx


Optimize and Troubleshoot SQL Server (14%)
   * Identify and resolve concurrency problems
      * Deadlock Trace Flags
         * Profiler Trace Flags 1204 and 1222 return information that is captured in the error log
         * More information regarding Deadlocks can be found here: http://msdn.microsoft.com/en-us/library/ms178104.aspx
      * Reporting database infrastructure (replicated databases)
         * Transactional replication is typically the form used for data warehousing and reporting
         * More information can be found here: http://technet.microsoft.com/en-us/library/ms151198.aspx
      * Monitor via Dynamic Management Views
         * DMVs and DM Functions return server state information
         * More information regarding DMVs can be found here: http://technet.microsoft.com/en-us/library/ms188754.aspx
      * Diagnose Blocking
         * Information regarding blocking can be found here: http://sqlblog.com/blogs/adam_machanic/archive/2011/04/14/blocking-blockers-and-other-b-words-a-month-of-activity-monitoring-part-14-of-30.aspx
   * Collect and analyze troubleshooting data
      * Monitor using profiler
         * Profiler manages traces and allows for the replay of trace results
         * More Information on Profiler can be found here: http://msdn.microsoft.com/en-us/library/ms181091.aspx

Tagged SQL SQL Server 2012 SQLServerPedia Syndication Training

Designing Database Solutions for Microsoft SQL Server 2012 (71-465) Afterthoughts and Study Notes

Inline image 1

I continue to take the SQL Server 2012 beta exams.  I have already taken Querying Microsoft SQL Server 2012.  I took the Designing Database Solutions for Microsoft SQL Server 2012 beta exam today.  My thought after finishing the exam is that I did well and the exam needs some work.  I started taking notes for the comments section and got to three pages of comments.

I was frustrated quite a few questions that referenced SQL Azure when it was not mentioned at all in the skills measured.  While I understand that most of the fundamentals are the same, it needs to at least be mentioned in the info for the exam.

You can still take the exams for free by following this link.

I have kept my information in Evernote and you can see my notebook here.

The notes below and in my notebook are based off of the study guide posted in the Microsoft Training Catalog.  You will note that I did not cover everything in the catalog.  I ran out of time studying.  So while incomplete, I hope it helps anyone looking for info on the exam. 

 This exam is intended for database professionals who design and build database solutions in an organization.  They are responsible for the creation of plans and designs for database structure, storage, objects, and servers.  They create the plan for the environment in which the database solution runs.  Primary responsibilities may include but are not limited to:

Design Database Structure (29%)

Design Database and Database Objectives (32%)

  • Design a database model
    • Design a logical schema
    • Design a normalized database
    • Design data access and data layer architecture
    • Relational Model
    • Normalized data model
    • Database schema
    • EAV modeling
    • Star-Schema
    • Collation
      • These are the rules that govern the use of characters for a language or alphabet.
    • ANSI NULLS
    • QUOTED IDENTIFIER
  • Design Tables

Design Database Security (15%)

  • Design an application strategy to support security
    • Design security
    • Schemas and schema security
    • SQL Server vs. Integrated Authentication
      • Integrated authentication leverages the Windows principal token in the operating system.
        • This uses Kerberos security protocol
        • Complexity requirements and account management is in a central location
      • SQL Server Authentication cannot use Kerberos security protocol
        • Is good for mixed environments that don't support windows auth.
      • More information regarding SQL Server authentication can be found here: http://msdn.microsoft.com/en-us/library/ms144284.aspx
    • Permissions and mirroring issues
      • If both SQL servers in a mirroring scenario do not run under the same service account the service account for each server will need to be manually added to all the servers in the scenario.
      • More information regarding logins and mirroring can be found here: http://technet.microsoft.com/en-us/library/ms366346.aspx
    • Encryption
Tagged SQL SQL Server 2012 SQLServerPedia Syndication Training

Querying Microsoft SQL Server 2012 (71-461) Afterthoughts and Study Notes

6835658072_1e5c03b78a

I have just finished the first of the Microsoft SQL Server 2012 Beta exams, Querying Microsoft SQL Server 2012 (71-461).  I took them for a couple of different reasons, I feel that certifications are important and it was an opportunity for me to upgrade my current certifications.  

My thoughts after finishing the exam, You don't want me to be your developer.  It was a good exam by I know my strengths are in database administration and not development.  There were some questions that were unclear, and some that I flat didn't know the answer of but they seemed positioned simlar to the tests from last year.  

If you are intersted in taking these exams you can register for them for free here.

I have mentioned before that use Evernote for a host of things.  Studying for these exams has been no different.  I have created a notebook that has my links to study notes.  I am going to post them here but I will share the notebook that will update as I update them.  You can see the notebook here.

The notes below and in my notebook are based off of the study guide posted in the Microsoft Training Catalog.

This exam is intended for SQL Server database administrators, implementers, system engineers, and developers with two or more years of experience who are seeking to prove their skills and knowledge in writing queries. Primary responsibilities may include but are not limited to:

Create database objects (24%)

Work with Data (27%)

  • Query and manage XML data

Modify Data (24%)

  • Create and alter stored procedures
  • Modify data by using INSERT, UPDATE, and DELETE statement
  • Combine Datasets
    • Datasets can be combined by UNION, EXCEPT, and INTERSECT
    • ORDER BY is only allowed at the end of the statement and cannot be used within the individual queries
    • GROUP BY and HAVING clauses can be used only within individual queries not on the final result set.
    • The FOR BROWSE clause cannot be used.
    • MSDN Library Reference: http://msdn.microsoft.com/en-us/library/ms191523.aspx
  • Work with functions

Troubleshoot and Optimize Queries (25%)

 

 

 

 

Create and alter indexes

  • Index allows specific data to be located quicker.
  • Indexes are on-disk structure associated with a table or view.
  • There are two types of indexes: Clustered and Nonclustered
    • Clustered
      • Sort and store the data rows in the table. 
      • Like 'The Highlander', there can be only one
    • Nonclustered
      • Contains key values and a pointer to the data roy that contains the key
      • Can have more than one.
  • Indexes, if properly designed, can reduce disk I/O and improve system performance by reducing the use of system resources. 
  • CREATE INDEX TSQL can be found here: http://msdn.microsoft.com/en-us/library/ms188783.aspx

Create and alter stored procedures

Create and alter user-defined functions (UDFs)

 

Enhanced by Zemanta
Tagged SQL SQL Server 2012 SQLServerPedia Syndication Training

SQLRally Dallas General Session Voting

Pass_sqlrally_2012_dallas__register

SQLRally is going to be in Dallas on May 8th and 9th. It is going to be a great opportunity for training with 40 fantastic general sessions already selected. There are 20 general sessions slots still open and PASS has given the community the opportunity to shape what sessions are going to fill them. Voting has officially opened through Friday, February 24th at 3:00pm CT.

Reviewing the list, there are some amazing speakers on it. I am truly honored to have made the list. I have submitted my session, Adventures in Project Management under the Professional Development track. I delivered this session at SQL Saturday Austin and it was a hit.

Whether I am speaking in Dallas or not, I am looking forward to seeing everyone in the SQL Community there. Below is the link to vote for sessions, as well as some other links for SQLRally.

SQLRally General Session Voting

SQLRally General Sessions

SQLRally Registration

See you in Dallas!

Tagged SQL Training

SQL Saturday #97, Austin Wrap Up

Media_httpwwwjonathan_gahbk

Last weekend I presented Adventures in Project Management at SQL Saturday #97, Austin. This was the first time I gave this presentation and it went really well. The talk was well attended and seemed to be well received. I think the fact that no one threw any fruit at me means they liked it. You can get the slides from my presentation below.

SQLSaturday#97AustinPresentation

Wes and the SQL Saturday #97 team did a fantastic job putting the event together. From this humble speaker's perspective the event ran smoothly without a hitch. This is no easy task for a team putting on their first event. I know this from our my first hand experience putting on SQL Saturday #57, Houston. I shared our lessons learned with the Austin team and they took all of them to heart. The event was made even sweeter by the fact that Wes Brown (Blog | Twitter) was named a Microsoft MVP the morning of the event. It is hard to believe this had not happened before now. This is long overdue for everything Wes has done for the SQL Server community.

]

Media_httpwwwjonathan_hkfar

Tagged SQL SQL Saturday SQL Server Slides Training
Sites I Like