Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Best way to monitor or audit SQL Expand / Collapse
Author
Message
Posted Monday, January 28, 2013 12:44 PM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Friday, October 17, 2014 7:16 AM
Points: 24, Visits: 149
Hello,

I'm looking for any thoughts on a good monitoring tool for SQL server 2005. Although the users are safely locked out and using the front end application as they should be the auditors are still asking what I'm doing to monitor the back-end SQL accounts such as "sa" even though this account is not handed out to anyone.

Without breaking the bank what can you suggest that might meet my needs to make the auditors happy?

Thank you for the help.
Post #1412612
Posted Monday, January 28, 2013 2:30 PM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: 2 days ago @ 8:51 PM
Points: 7,140, Visits: 12,763
On SQL 2005 Trace should work just fine. Most third-party tools will likely leverage Trace anyway. You can filter on SessionLoginName to capture all SQL text issued to the instance by any member of the sysadmin Role, but that needs to be defined when the Trace is started. Of course there are ways to circumvent that Trace, namely creating a new login, adding it to the sysadmin Role, then logging in as that login to carry out an attack. The creation of the login will be logged though, however server/service reboots could afford someone a chance to get in unnoticed if they can prevent the Trace from starting. The bottom line is that a skilled person that can enter using a login in the sysadmin Role will know how to circumvent all of this type of auditing but it will catch the lesser skilled ones and make the more skilled ones time a little harder if they want to avoid detection.

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Post #1412661
Posted Tuesday, January 29, 2013 6:40 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Friday, October 17, 2014 7:16 AM
Points: 24, Visits: 149
OK.. So to satisfy auditors and myself would you have a recommendation for a 3rd party app that I could use to monitor this? I was hoping to find a server based app with clients on the SQL server(s) so I'm able to catch the type of activity you're referring to. We already have our system locked down for the average user but how or what would you recommend to monitor the gate keeper (me).

In the end that's what the auditors are asking for, a report on the gate keeper and the fact that he/she has used their powers for good and not evil.
Post #1413010
Posted Tuesday, January 29, 2013 7:03 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: 2 days ago @ 8:51 PM
Points: 7,140, Visits: 12,763
Trace is going to be your best option on 2005. You could also look into C2 or Common Criteria auditing (which both use Trace by the way) as those are already setup for you and are enabled with a simple server config. As I said, on 2005 your options are limited. I am not familiar with any third-party apps that can give you something to satisfy your auditors because it depends on what they want to see out of the audit. It's also worth mentioning that if you are one of the people the auditors need to account for with a custom auditing solution then you probably shouldn't be the only one involved in designing it

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Post #1413029
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse