Database auditing is an essential part of protecting corporate data and ensuring compliance with the relevant mandates. SQL Server auditing involves determining who will perform the audit, what the focus and acceptable results should be, tracking and recording events on the server, and analyzing and reporting on these events. Microsoft offers SQL Server Audit, a tool integrated into SQL Server, which can read transaction logs to provide information about important changes. This tool allows for the creation of audits at the server and database level, with different auditing levels suitable for different compliance standards. It should also be noted that there are dedicated propitiatory solutions that can audit your SQL Server environment and provide real-time notifications via an intuitive dashboard, but more about that later.
SQL Server Auditing Best Practices
Below are some of the most notable best practices for SQL Server auditing.
1. Define the goal and scope of your audit
When designing a SQL Server Audit strategy, it is important to carefully consider the purpose of the audit. This could include the need to monitor and record changes to databases and SQL Server instances to protect sensitive data. It could also be necessary for regulatory compliance or to gain customer trust. By clearly defining the reasons for the audit, the design process can be smoother, reducing the need for significant modifications later on.
To determine the scope of the audit, it is recommended to specify the level of depth needed, which will depend on operational and regulatory requirements. Based on the goals of the audit, it can be decided whether to audit all SQL Servers or just specific instances, and whether to include all databases or focus on specific ones with important information. It is crucial for the audit trail to cover all stages of transactions involving sensitive data.
Once you have determined what to audit, you should narrow the audit scope by specifying the events to track and log. Such events may include:
- Failed login attempts
- Changes to SQL Server logins such as creating or dropping users and granting or revoking permissions
- Changes to database users such as creating or dropping users and granting or revoking their permissions, as well as database and table schema changes
- Changes made to the SQL Server Audit solution itself
By narrowing down the SQL audit scope in this manner, your logs will contain more relevant information. This subset of data can be easily used to identify any issues, requires less storage space, and has minimal performance overhead.
2. Regularly review your audit data
Instead of waiting for a disaster to strike, it is advisable to review the collected SQL Server Audit data periodically, at least once a week. This ensures that any actions that violate the company’s security policies are identified and addressed in a timely manner, preventing potential threats.
Many SQL Server database administrators and security team members often use the excuse of having a large number of logs to avoid reviewing them. However, this issue can be overcome by properly specifying the scope of the SQL audit. By including only the database tables containing critical data and tracking only critical actions performed by non-service accounts, the SQL Server Audit repository will only contain relevant and useful information.
A recommended best practice is to create a simple dashboard or report that extracts data from the SQL audit repository. This allows for easy filtering of actions of interest and presents the information in a user-friendly format that is easy to track. Furthermore, setting up real-time alerts ensures that the database administrator or security team is promptly notified when an action fails to meet corporate data usage standards.
3. Define audit roles
Auditors typically hold the key responsibility of monitoring and reviewing the SQL Server audit logs to identify any irregularities or potential security breaches. Managers may have the role of overseeing the auditing process and ensuring compliance with regulatory requirements. On the other hand, system administrators play a crucial role in configuring and maintaining the SQL Server audit, ensuring that all necessary auditing mechanisms are in place and functioning effectively. Defining audit roles is essential for promoting accountability, maintaining data integrity, and enhancing the security of SQL Server environments.
4. Review the integrity of the audit
You will need to keep a close eye on your SQL Server auditing solution to ensure that no unauthorized changes have been made by users who may have disabled auditing before engaging in illicit actions. It also serves as a reminder if the database administrator disabled the auditing solution due to poor performance of the SQL Server but forgot to re-enable it, thereby increasing the risk of potential vulnerabilities.
5. Archive your audit data
The volume of data in the SQL Server audit will likely increase over time, making it more challenging to review and identify potential risks. Storing both active and archived audit data in a central database makes it easier to access and review audit information as needed.
Creating an effective SQL Server audit strategy involves understanding the overall goals and scope of the audit, selecting the appropriate auditing solution(s), and consistently reviewing audit logs. Adhering to these best practices will help to protect the business from both internal and external risks without disrupting normal operations.
6. Choose a comprehensive SQL auditing solution
Your choice of SQL Server Audit solution will depend on factors such as the audit objective, target, and budget. For instance, if the goal is to audit Login and Logout actions only, one can refer to the SQL Server error logs or opt for methods like Extended Events or SQL Triggers. However, if the requirement is to audit DML changes, options like Change Data Capture, Change Tracking, or System-versioned Temporal Table can be utilized. In case there are critical systems and a comprehensive audit solution is needed to track and audit actions at both the SQL Server instance and database levels, one can consider purchasing a SQL Enterprise edition and configure the SQL Server Audit feature. However, this option requires additional administration and reporting efforts. Alternatively, a third-party solution like Lepide Auditor can be employed, which is simple to deploy and maintain, and comes with a wide range of features/benefits.
How Lepide Helps Audit SQL Server
Lepide SQL Server Auditor offers a straightforward solution for tracking changes made to your SQL servers. It automatically notifies you with real-time alerts and is able to quickly generate detailed reports. The solution also helps you keep tabs on the overall health of your SQL Servers. Below are some of the most notable features/benefits of Lepide Auditor for SQL Server.
Intuitive dashboard for monitoring SQL Server environment: Monitor your SQL Server environment easily with Lepide’s intuitive dashboard. This graphical user interface provides a complete overview of all configuration and permission changes, allowing you to quickly identify modifications made to SQL Server. You can easily see the total number of changes per administrator and per source, as well as changes over time.
Ensure compliance with the relevant mandates: Ensure compliance with regulatory requirements such as FISMA, GLBA, SOX, HIPAA, PCI, and GDPR with our predefined audit reports. These reports can be scheduled to be sent via email or saved to a shared location.
Real-time alerts for critical SQL Server changes: Our library of audit reports includes granular details on login changes, top users, active databases, object and table changes, replication, and roles, among others. Each report provides information on who made the change, what was changed, when it occurred, and where it originated from.
Track changes in SQL Server permissions: Lepide SQL Server Auditor audits all SQL server configuration changes, including users, permissions, logins, and databases. The audit logs are aggregated into meaningful data and saved long-term in a SQL Server database. This data can be presented in predefined reports that can be customized to create a detailed audit trail and track specific critical changes.
Monitor SQL user modifications: Protect your critical assets by tracking changes made in SQL Server permissions. Lepide’s SQL Server Auditor will track all SQL user modifications, including user creation, deletion, and modification, to ensure the normal functioning of your organization.
Track changes to SQL logins: Monitoring changes made to SQL logins is crucial for maintaining IT security. Lepide’s SQL Server Auditor audits every change made to logins and provides real-time alerts to keep administrators informed.
Monitor the health of your SQL Server with HealthCheck feature: Monitor the health of your SQL Server with the built-in HealthCheck feature. This feature provides continuous monitoring and real-time alerting for important elements such as services, CPU usage, connections, error rates, and usage.
Delegate access to SQL audit reports via the console: Securely delegate access to SQL audit reports using the web-based console. Grant specific users access to only selected reports, ensuring that only authorized individuals can view sensitive information.
If you’d like to see how Lepide SQL Server Auditor can help you track changes in your SQL server environment, schedule a demo with one of our engineers.