Extend upCheckSecurityConfiguration
One neat feature of upCheckSecurityConfiguration is that you can add test cases for
any number of configuration settings you
want to check. Once you have a test suite
that meets your needs, you can fold the
corresponding test cases into upCheckSecurityConfiguration. From there, you’re free
to run—and update—your entire test suite
whenever you want.
Say you’d like to audit your configuration
at the beginning and close of every business
day. Or maybe launch your audit procedure
whenever some suspicious event—such as
an illegal login attempt—occurs. Simply fold
the desired security checks into upCheckSecurityConfiguration and then create a SQL
Agent job (or alert) that fires when you need
it. In fact, while you’re at it, why not create
a separate procedure for each security audit
you want to run—each custom designed for
the specific security checks you need?
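The scheduling described above could be set up as follows. This is an added example, not code from the article's download; the database name SecurityTests, the 08:00 and 18:00 business hours, and the assumption that upCheckSecurityConfiguration takes no parameters are all illustrative.

```sql
-- Added example. Assumptions: the test database is named SecurityTests,
-- upCheckSecurityConfiguration takes no parameters, and the business day
-- runs from 08:00 to 18:00.
USE msdb;
GO

EXEC dbo.sp_add_job
     @job_name    = N'Security configuration audit',
     @description = N'Runs upCheckSecurityConfiguration on a schedule and after failed logins.';

EXEC dbo.sp_add_jobstep
     @job_name      = N'Security configuration audit',
     @step_name     = N'Run configuration checks',
     @subsystem     = N'TSQL',
     @database_name = N'SecurityTests',          -- assumed database name
     @command       = N'EXEC dbo.upCheckSecurityConfiguration;';

-- Weekly schedules: @freq_type = 8, @freq_interval = 62 is the
-- Monday-to-Friday bitmask (2 + 4 + 8 + 16 + 32).
EXEC dbo.sp_add_schedule
     @schedule_name = N'Weekdays - start of business',
     @freq_type = 8, @freq_interval = 62, @freq_recurrence_factor = 1,
     @active_start_time = 080000;                -- HHMMSS

EXEC dbo.sp_add_schedule
     @schedule_name = N'Weekdays - close of business',
     @freq_type = 8, @freq_interval = 62, @freq_recurrence_factor = 1,
     @active_start_time = 180000;

EXEC dbo.sp_attach_schedule
     @job_name = N'Security configuration audit',
     @schedule_name = N'Weekdays - start of business';
EXEC dbo.sp_attach_schedule
     @job_name = N'Security configuration audit',
     @schedule_name = N'Weekdays - close of business';

-- Register the job on the local server so SQL Agent will run it.
EXEC dbo.sp_add_jobserver @job_name = N'Security configuration audit';

-- Event-driven run: error 18456 is "Login failed for user". The alert fires
-- only when failed logins are written to the Windows application log (server
-- login auditing). The 300-second delay keeps a burst of failed logins from
-- launching the audit repeatedly.
EXEC dbo.sp_add_alert
     @name = N'Failed login - run security audit',
     @message_id = 18456,
     @severity = 0,
     @delay_between_responses = 300,
     @job_name = N'Security configuration audit';
GO
```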
Whichever strategy you choose, you’ll
need to adapt upCheckSecurityConfiguration to fit your specific needs. To demonstrate how you might do that, I’ve extended
upCheckSecurityConfiguration to include
15 commonly audited security settings from
the Microsoft security checklist. Listing 1 shows the upCheckSecurityConfiguration checks. You can download
the complete upCheckSecurityConfiguration procedure and the other code in this
article by clicking the 94185.zip link.
The nice thing about upCheckSecurityConfiguration is that all your tests are centrally located. Need to modify one of your
checks or add a new security test? Just edit
upCheckSecurityConfiguration, recompile,
and away you go. It doesn’t get much easier
than that.
If you don’t already have a test database,
I suggest you create one to host upCheckSecurityConfiguration and its support tables
along with trgLogBug. You’ll also want to
consider who should be given access to
these resources and set access privileges
accordingly.
Audit Smartly
This article has shown you how to automate
your security audits and do away with the
drudgery of manually verifying that your
databases are correctly configured. The key
is to treat your audits as configuration tests
and verify each security checkpoint just as
you would if you were looking for other
kinds of bugs in your database.
To monitor security vulnerabilities in this
way, you need an up-to-date security testing
document detailing your auditing schedule,
the settings you’ll check, and the reporting
procedures you’ll follow. If your organization
currently has no security plan, then you should
do what you can to get one created. Start with
the Microsoft security checklist to see which
security requirements make sense in your
organization. Then convince your teammates
to commit to a standard set of security auditing
procedures. Most of all, be sure to document
your results so everyone can see the difference
audit automation can make.
Audit automation is an invaluable addition to any DBA professional’s toolkit. But
before arbitrarily automating every security
check you make, be sure the payoff is worth
the setup involved. Your guiding rule here
should be to focus on those mission-critical
checks you find yourself regularly repeating.
You’ll rest easy at night knowing your
time has been well spent protecting your
organization’s most vital data assets.