20764C-ENU-Handbook-Module 04
20764C-ENU-Handbook-Module 04
Module Overview
When configuring security for your Microsoft® SQL Server® systems, you should ensure that you meet
any of your organization’s compliance requirements for data protection. Organizations often need to
adhere to industry-specific compliance policies, which mandate auditing of all data access. To address this
requirement, SQL Server provides a range of options for implementing auditing.
Another common compliance requirement is the encryption of data to protect against unauthorized
access in the event that access to the database files is compromised. SQL Server supports this requirement
by providing transparent data encryption (TDE). To reduce the risk of information leakage by users with
administrative access to a database, columns containing sensitive data—such as credit card numbers or
national identity numbers—can be encrypted using the Always Encrypted feature.
This module describes the available options for auditing in SQL Server, how to use and manage the SQL
Server Audit feature, and how to implement encryption.
Objectives
After completing this module, you will be able to:
Describe the options for auditing data access.
Implement SQL Server Audit.
Manage SQL Server Audit.
Describe and implement methods of encrypting data in SQL Server.
MOC 20764C | Administering a SQL Database Infrastructure | Module 04 – Protecting Data with Encryption and Auditing | 2 / 15
Note: SQL Server 2016 and previous versions also support the C2 audit mode; however, you
should update any applications using C2 audit mode to use the Common Criteria certification.
Note: Azure® SQL Database cannot currently be configured to comply with the Common
Criteria.
Enabling Common Criteria Compliance in SQL Server
SQL Server provides the common criteria compliance enabled option, which can be set by using the
sp_configure system stored procedure. The option is available in the Enterprise edition for use in
production systems (it is also available in the Developer and Evaluation editions for nonproduction use).
When the option is enabled, three changes occur to how SQL Server operates:
Residual Information Protection (RIP). Memory is always overwritten with a known bit pattern
before being reused.
Ability to view login statistics. Auditing of logins is automatically enabled.
Column GRANT does not override table DENY. This changes the default behavior of the
permission system.
Note: The implementation of RIP increases security, but can negatively impact the
performance of the system.
To comply with Common Criteria Evaluation Assurance Level 4+ (EAL4+), in addition to enabling the
common criteria compliance enabled option, you must also download and run a script that makes
further configuration changes to SQL Server. You can download this script from the Microsoft SQL Server
Common Compliance website.
For more information on SQL Server’s compliance with the Common Criteria, see:
For more information on the common criteria compliance enabled server option, see:
IF UPDATE(Salary) BEGIN
INSERT dbo.EmployeeSalaryAudit (EmployeeID, OldSalary, NewSalary, UpdatedBy,
UpdatedAt)
SELECT i.EmployeeID, d.Salary, i.Salary, SUSER_NAME(), GETDATE()
FROM inserted AS i
JOIN deleted AS d
ON i.EmployeeID = d.EmployeeID;
END;
END;
GO
Logon Triggers
A logon trigger fires in response to a login that is authenticated but before a session is established. Logon
triggers can be used to record the logon, either to a table or to the SQL Server error log.
DDL Triggers
A DDL trigger fires in response to a DDL event that creates, drops, and/or alters either a specific class of
database object or all database objects. In an auditing context, DDL triggers are commonly used to track
changes to the schema of a database by recording DDL statements to a table.
Limitations
Triggers have some limitations as an audit tool:
System performance can be significantly impacted by DML triggers running alongside the usual load
on the server.
Users with appropriate permissions can disable triggers. This can be a significant issue for auditing
requirements.
DML triggers cannot be used to audit data access through SELECT statements.
Only limited ability to control trigger firing order is provided. To make sure that it captures all the
changes made by other triggers, auditing would normally need to be the last DML trigger that fires—
which you can only specify by using the sp_settriggerorder system procedure.
For more information on working with temporal tables, see Temporal Tables http://aka.ms/ft8fc2
MOC 20764C | Administering a SQL Database Infrastructure | Module 04 – Protecting Data with Encryption and Auditing | 5 / 15
Lesson Objectives
At the end of this lesson, you will be able to:
Describe Extended Events.
Describe SQL Server Audit.
Create audits.
Explain audit actions and action groups.
Create server audit specifications.
Create database audit specifications.
Monitor audits using audit-related dynamic management objects and system views.
Use custom audit events.
Enable auditing in SQL Azure Database.
Introduction to Extended Events
SQL Server Audit is based on an event-driven monitoring
engine called Extended Events.
Extended Events is an event-driven activity monitoring tool
which follows a loose-coupled design pattern. Events and their
targets are not tightly coupled; any event can be bound to any
target. This means that data processing and filtering can be
carried out independently of data capture, reducing the
performance overhead of other auditing solutions.
Extended Events allows sophisticated filters to be defined on captured data. In addition to value filters,
events may be filtered by sampling. Data may be aggregated at the point it is captured. Extended Events
can be managed either through a GUI in SQL Server Management Studio or through Transact-SQL
statements.
Extended Events can be integrated with the Event Tracing for Windows (ETW) framework, meaning SQL
Server activity can be monitored alongside other Windows® components.
Extended Events is important because SQL Server Audit is based on the Extended Events infrastructure.
The Extended Events engine is not tied to particular types of events—the engine is written in such a way
that it can process any type of event.
Additional Reading: Because Extended Events is the basis for SQL Server Audit, you could opt to
write your own auditing system based on Extended Events. See Module 12 of this course Tracing Access to
SQL Server with Extended Events for more information on working with Extended Events.
Executables and executable modules can expose one or more Extended Events packages at run time.
Packages act as containers for the Extended Events objects and their definitions; a package may expose
any of the following object types:
Events. Points of interest reached during code execution.
Targets. Logging targets, such as files in the file system.
Actions. Additional data that can be collected when an event is triggered.
Predicates. Filters used to restrict which events are captured.
Types and Maps. Reference data; data type and lookup value definitions.
Sessions. Links events and actions, filtered by predicates, to one or more targets. Typically, sessions
are user-defined.
SQL Server Audit is a special package within Extended Events; you cannot change its internal
configuration.
For more, see: Extended Events http://aka.ms/b8p2e9
MOC 20764C | Administering a SQL Database Infrastructure | Module 04 – Protecting Data with Encryption and Auditing | 6 / 15
Object Description
Server Audit Defines where to store the audit data.
Server Audit Specification Collects many server-level action groups raised by Extended Events.
One per audit.
Database Audit Specification Collects database-level audit actions raised by Extended Events. One
per database per audit.
Actions Specific actions that can raise events and be added to the audit. For
example, SELECT operations on a table.
Audit Targets
Audits can be sent to one of the following three targets:
Binary file. File output provides the highest performance and is the easiest option to configure.
Windows Application Event Log. Avoid sending too much detail to this log as network
administrators tend to dislike applications that write too much content to any of the event logs. Do
not use this target for sensitive data because any authenticated user can view the log.
Windows Security Event Log. This is the most secure option for auditing data, but you need to add
the SQL Server service account to the Generate Security Audits policy before using it.
You should review the contents of the target that you use and archive its contents periodically.
The following code example creates and enables a server audit that uses a binary file as the target:
Creating a Server Audit
CREATE SERVER AUDIT HR_Audit
TO FILE (FILEPATH='\\MIA-SQL\Audit\')
WITH (QUEUE_DELAY = 1000);
GO
The following example creates and enables a server audit specification to track failed and successful login
attempts. This code assumes that the server audit SecurityAudit has already been created.
For more information see: Get started with SQL database auditing http://aka.ms/bnbvzb
MOC 20764C | Administering a SQL Database Infrastructure | Module 04 – Protecting Data with Encryption and Auditing | 10 / 15
The sys.fn_get_audit_file function takes three parameters—the file pattern, the initial file name, and the
audit record offset. The file pattern can be in one of three formats:
<path>\* that collects audit files in the specified location. The asterisk character is a wildcard.
<path>\<audit name>_{GUID} that collects all audit files that have the specified name and GUID
pair.
<path>\<file name> that collects a specific audit file.
This example shows how to use sys.fn_get_audit_file to read all the audit files in a specific directory:
sys.fn_get_audit_file—basic usage
SELECT *
FROM sys.fn_get_audit_file('X:\AuditFiles\*',default,default);
You should consider the performance impact of audit writes and whether you need to minimize your
audit list to maximize performance.
If insufficient disk space is available to hold audit files and you have configured an audit to shut down
the server on failure, SQL Server might not start. In this situation, you may need to force entry to it by
starting SQL Server in minimal configuration mode with the -f startup parameter.
Note: TDE protects data at rest in database files. Data pages in the buffer pool or returned to client
applications are not encrypted by TDE.
Transparent Data Encryption Keys
TDE uses the following hierarchy of keys to encrypt and decrypt data:
Service master key (SMK). The SMK is created at the time of the installation of the SQL Server
instance by Setup. The SMK encrypts and protects the Database Master Key for the master database.
The SMK is itself encrypted by the Windows operating system Data Protection Application
Programming Interface (DPAPI).
Database master key (DMK). The DMK for the master database is used to generate a certificate in
the master database. SQL Server uses the SMK and a password that you specify to generate the DMK,
and stores it in the master database.
Note: You can use a password without the SMK to generate a DMK, although this is less secure.
Server certificate. A server certificate is generated in the master database, and is used to encrypt an
encryption key in each TDE-enabled database.
Database encryption key (DEK). A DEK in the user database is used to encrypt the entire database.
Note: When a database is configured to use TDE, CPU utilization for SQL Server mayincrease
due to the overhead of encrypting and decrypting data pages.
MOC 20764C | Administering a SQL Database Infrastructure | Module 04 – Protecting Data with Encryption and Auditing | 13 / 15
Enabling TDE
TDE is only available for production use in SQL Server Enterprise edition. To enable TDE, you must
perform the following steps:
1. Create a service master key in the master database.
2. Create a server certificate in the master database.
3. Create a database encryption key in the user database you want to encrypt.
4. Enable encryption for the user database.
Additional Reading: TDE is available in Azure SQL Database; for more information, see
Encryption with Azure SQL Database later in this lesson.
For more information about TDE, see Transparent Data Encryption (TDE) in Microsoft Docs:
For more information on moving a TDE encrypted database, see Move a TDE Protected Database to
Another SQL Server in Microsoft Docs:
For information:
Calculated columns
Dynamic Data Masking Example
bank_account varchar(50) MASKED WITH (FUNCTION = 'default()') NULL