Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

Security Audit

Of late I have seen a lot of questions on how to audit the logins and users on each SQL Server.  I had the same questions for myself when I went through the same exercise some time ago.  My first step was to peruse the internet and see what I could find to get me started.  I found that to be quite helpful.  I found a lot of different scripts that were beneficial.  I, like most, did find one though that I preferred above the rest.  That script can be found here.

Why do I like this script?  I like the format.  It also generates a nice output that can be passed along to auditors.  The output is saved into an html format and seems more presentable to me.  Besides those facets, it meets the base requirements – I can find what roles and users have what permissions in each database on a SQL Server Instance.

The script didn’t quite suit all of my needs.  I think that is frequently the case.  The trick is being able to take the script and make necessary adjustments to suit whatever needs you may encounter.  The changes that I made to this script were in favor of progressing toward an automated inventory solution that I could run from a central location.  The script as it stood required manual intervention.  Granted, I have not yet completed my inventory solution, I have modified the script to work well with 2000 and 2005 and output the results to a properly consumable html file.  Since 2000 and 2005 behave differently in certain regards, I had to add some logic for the script to also behave differently if depending on the version of SQL Server it was run against.  This was necessary since I have SQL 2000 – SQl 2008 in my environment.

Scripts of Change

So, starting from the top.  I decided to use several more variables and create a bunch of temp tables.  The variables will help in the decision making, and the temp tables will help in Data storage for processing as the script runs.  Thus we have this block of code at the top in place of the old Variable block from the original script.

DECLARE @i					INT
		,@rc				INT
		,@dbname			VARCHAR(400)
		,@MajorProdVers		TINYINT
		,@DMViewExists		TINYINT
		,@ServerName		VARCHAR(64)
		,@ConfigValueAdv	CHAR(1)
		,@ConfigValueX		CHAR(1)
		,@ConNameX			VARCHAR(100)
		,@ConNameAdv		VARCHAR(100)
		,@SQL				VARCHAR(1500)
 
-----------------Create Temp Tables-------------------- 
 
CREATE TABLE #SysLogins (RowNumber INT PRIMARY KEY IDENTITY(1,1),Name VARCHAR(128),DBName VARCHAR(128),LANGUAGE VARCHAR(128)
	,IsDenied CHAR(10),IsWinAuthentication CHAR(10),IsWinGroup CHAR(10),CreateDate DATETIME,UpdateDate DATETIME,ServerRoles VARCHAR(128))
 
CREATE TABLE #LoginMap (LoginName VARCHAR(200), UserName VARCHAR(200) NULL) 
 
CREATE TABLE #RoleUser (RoleName VARCHAR(200), UserName VARCHAR(200) NULL) 
 
CREATE TABLE #ObjectPerms (RowNumber INT PRIMARY KEY IDENTITY(1,1), UserName VARCHAR(50), PerType VARCHAR(10),PermName VARCHAR(30), SchemaName VARCHAR(50)
	,ObjectName VARCHAR(100), ObjectType VARCHAR(20), ColName VARCHAR(50), IsGrantOption VARCHAR(10)) 
 
CREATE TABLE #DatabasePerms (RowNumber INT PRIMARY KEY IDENTITY(1,1),UserName VARCHAR(50),PermType VARCHAR(20),PermName VARCHAR(50),IsGrantOption VARCHAR(5)) 
 
CREATE TABLE TBLHTML (RowNumber INT PRIMARY KEY IDENTITY(1,1),HTML VARCHAR(2000))
 
CREATE TABLE #Config (RowNumber INT PRIMARY KEY IDENTITY(1,1),CName VARCHAR(50),Minimum TINYINT,Maximum TINYINT
					,ConfigValue TINYINT,RunValue TINYINT)

That is the prep setup so we can now begin the true work of the script.  As, I said there was some decision logic added to the script.  I needed to find a way to determine SQL Server version and based on version execute a different script.  And now we have the decision block.

SELECT @MajorProdVers = @@MICROSOFTVERSION / 0x01000000, @ServerName = @@SERVERNAME
 
IF @MajorProdVers < 9
	BEGIN
		SET @DMViewExists = 0
	END
ELSE
	BEGIN
		SET @DMViewExists = 1
		INSERT INTO #Config (CName,Minimum,Maximum,ConfigValue,RunValue)
			EXEC SP_CONFIGURE 'show advanced options'
		INSERT INTO #Config (CName,Minimum,Maximum,ConfigValue,RunValue)
			EXEC SP_CONFIGURE 'xp_cmdshell'
	END

Basically, I am checking the version and determining if I should use the SQL 2000 objects or if I can use the SQL 2005 objects since the 2000 objects are scheduled for deprecation.  Also, since xp_cmdshell is disabled by default in SQL 2005, I am prepping to enable that just for the final piece of this script.  Due to the nature of xp_cmdshell, it is advisable that you understand the security risk involved and revert it back to disabled – if you enabled it to run this script.  There are other methods for doing this, I am sure, but I chose this since I got consistent results and have not had time to revisit it.

After that decision tree, I have changed the main body of the script to also use a decision tree in building the dynamic sql.  That tree is built like the following snippet.

----------------Database level Permissions-------------------------
	IF @DMViewExists = 0
		BEGIN
			EXEC ('INSERT INTO #DatabasePerms (UserName,PermType,PermName,IsGrantOption)
				SELECT usr.Name
				,CASE perm.protecttype
					WHEN 204
						THEN ''With Grant''
					WHEN 205
						Then ''Grant''
					ELSE
						''Deny''
					END As PermType
				,CASE perm.action
					WHEN 26
						THEN ''References''
					WHEN 178
						THEN ''Create Function''
					WHEN 193
						THEN ''SELECT''
					WHEN 195
						THEN ''INSERT''
					WHEN 196
						THEN ''DELETE''
					WHEN 197
						THEN ''UPDATE''
					WHEN 198
						THEN ''Create Table''
					WHEN 203
						THEN ''Create Database''
					WHEN 207
						THEN ''Create View''
					WHEN 222
						THEN ''Create Procedure''
					WHEN 224
						THEN ''Execute''
					WHEN 228
						THEN ''Backup Database''
					WHEN 233
						THEN ''Create Default''
					WHEN 235
						THEN ''Backup Log''
					WHEN 236
						THEN ''Create Rule''
					END As PermName
				,CASE perm.action
					WHEN 204
						THEN ''X''
					ELSE
						''--''
					END AS IsGrantOption
				FROM ['+@dbname+'].dbo.sysprotects AS perm
				INNER JOIN ['+@dbname+'].dbo.sysusers AS usr
					ON perm.uid = usr.uid
				WHERE perm.id = 0
				ORDER BY usr.name, perm.action ASC, perm.protecttype ASC'
			)
		END
	ELSE
		BEGIN
			EXEC ('INSERT INTO #DatabasePerms (UserName,PermType,PermName,IsGrantOption)
			SELECT usr.name
				,CASE
					WHEN perm.state <> ''W''
						THEN perm.state_desc
						ELSE ''GRANT''
				END As PermType
				,perm.permission_name
				,CASE
					WHEN perm.state <> ''W''
						THEN ''--''
						ELSE ''X''
				END AS IsGrantOption
			FROM ['+@dbname+'].sys.database_permissions AS perm
			INNER JOIN ['+@dbname+'].sys.database_principals AS usr
				ON perm.grantee_principal_id = usr.principal_id
			WHERE perm.major_id = 0
			ORDER BY usr.name, perm.permission_name ASC, perm.state_desc ASC'
			)
		END

I think you can see at this point some of the differences and why I chose to do it this way.  The final section of code change comes at the end of the script.  This is where the html file is finally built, and then saved out to the file-system.

SELECT @ConfigValueX = IsNull(ConfigValue,0),@ConNameX = CName
	FROM #Config
		WHERE CName = 'xp_cmdshell'
SELECT @ConfigValueAdv = IsNull(ConfigValue,0),@ConNameAdv = CName
	FROM #Config
		WHERE CName = 'show advanced options'
 
--Enable xp_cmdshell, if disabled, for the duration of this process only.
IF @ConfigValueAdv = 0 And @DMViewExists = 1
	BEGIN
		-- To allow advanced options to be changed.
		SET @SQL = 'EXEC sp_configure ' + '''' + @ConNameADV + '''' +  ',' + '''1''' + ';'
		PRINT (@SQL)
		EXEC(@SQL)
		-- To update the currently configured value for advanced options.
		SET @SQL = 'RECONFIGURE With OVERRIDE;'
		PRINT (@SQL)
		EXEC (@SQL)
		SET @SQL = ''
	END
IF @ConfigValueX = 0 And @DMViewExists = 1
	BEGIN
		-- To enable the feature.
		SET @SQL = 'EXEC sp_configure ' + '''' + @ConNameX + '''' +  ',' + '''1''' + ';'
		PRINT (@SQL)
		EXEC (@SQL)
		-- To update the currently configured value for this feature.
		SET @SQL = 'RECONFIGURE With OVERRIDE;'
		PRINT (@SQL)
		EXEC (@SQL)
		SET @SQL = ''
	END
 
-- Clean out the DNS Cache, just in case there is residual bad information.
EXEC master..xp_cmdshell "ipconfig /flushdns"
EXEC master..xp_cmdshell "ping hostname"

In this section, I am enabling xp_cmdshell if necessary.  I am also performing one more necessary trick.  I am using xp_cmdshell to flush bad dns records and ping a remote host.  I will be saving the file off to a central repository and found some bad dns records on my servers while doing this process.  By adding this step, I saved myself quite a bit of frustration in the long-haul.  After that, I use xp_cmdshell to bcp the results out to file.

SET @SQL = 'bcp "Select HTML From TBLHTML Order By RowNumber Asc" queryout "\\YourComputer\PermsAudit\'
	 + replace(@ServerName,'\','.') + '.htm" -T -c -q -S' + @ServerName
 
EXEC master..xp_cmdshell @SQL

This took some work to get the ” ‘ ” all lined up correctly and working properly with BCP.  It was somewhat satisfying when it finally came together.

Now, remember I said you should reset xp_cmdshell back to disabled once completed?  Well, I built that into the script as a part of the cleanup.  I perform this action right before dropping all of those tables that I created.

IF @ConfigValueX = 0 And @DMViewExists = 1
	BEGIN
		-- To enable the feature.
		SET @SQL = 'EXEC sp_configure ' + '''' + @ConNameX + '''' +  ',' + '''' + @ConfigValueX + '''' + ';'
		PRINT (@SQL)
		EXEC (@SQL)
		-- To update the currently configured value for this feature.
		SET @SQL = 'RECONFIGURE With OVERRIDE;'
		PRINT (@SQL)
		EXEC (@SQL)
		SET @SQL = ''
		IF @ConfigValueAdv = 0
			BEGIN
				-- To allow advanced options to be changed.
				SET @SQL = 'EXEC sp_configure ' + '''' + @ConNameADV + '''' +  ',' + '''' + @ConfigValueADV + '''' + ';'
				PRINT (@SQL)
				EXEC(@SQL)
				-- To update the currently configured value for advanced options.
				SET @SQL = 'RECONFIGURE With OVERRIDE;'
				PRINT (@SQL)
				EXEC (@SQL)
				SET @SQL = ''
			END
	END

Conclusion

I effectively took a well working script and made it suit my needs / wants just a little better.  The initial code was just over 300 lines and I nearly doubled that with this script.  Is it worth the extra effort?  Yes!  Though it took some time and effort to make these modifications, I was able to finish auditing the servers well ahead of pace of doing it by hand.  Furthermore, I can still use this script and continue to reap the benefits of having taken the time to modify it.  Can the script be improved?  Sure it can.  I have a few things in line for it currently.  The biggest piece of it will be modifying it to be run from the inventory package I am still trying to finish in my spare time.

You can download the script in its entirety here.

Edit: Fixed some WP formatting issues.

Comments

Posted by amandix on 21 March 2010

Sory, but may you can help me here:

Do you known a method of object tampering within SQL Server 2008?

The goal is to use an attached copy of mssqlsystemresource db and alter some system stored procedures, and then replace this database with the original one. This operation was possible in SQL 2005... and saved me many hours of work.

Posted by Anonymous on 23 March 2010

Pingback from  CREATE TABLE `%sgdsr_data_article` ( | attractionmarketingpro.net

Posted by Anonymous on 20 May 2010

Pingback from  Parts Volkswagen Passat Accessories Brake Rotors Fuel Injector, 1999 Volkswagen Passat Recall Heat Shields

Posted by Anonymous on 20 May 2010

Pingback from  265 Beaters, Volvo 265 Substitute Beck Arnley

Posted by Anonymous on 20 May 2010

Pingback from  D100 Grill Save, Dodge D100 Delivery Aftermarket Truck Parts

Posted by Anonymous on 20 May 2010

Pingback from  Cj7 Stephen Chow Movie, Buy Used Sale 1978 Jeep Cj7

Posted by Anonymous on 20 May 2010

Pingback from  300sl Watch, 300sl Headlight Cheap Fog Light

Posted by Anonymous on 20 May 2010

Pingback from  760i Wamp, 760i Dual

Posted by Anonymous on 20 May 2010

Pingback from  Windsor Accommodation Uk, Windsor Tornado Video

Posted by Anonymous on 20 May 2010

Pingback from  Dodge Spirit Transmission Cost, 2007 Honda Shadow Spirit 750 Handlebars

Posted by Jeff Moden on 6 April 2013

I have a question, please.  If someone breaks into the server as SA, will it help if xp_CmdShell is disabled?

My thought is, "No", it won't.  What is the purpose of disabling xp_CmdShell if only SAs can use it and those same folks can turn it back on at the drop of a hat... any hat?

Leave a Comment

Please register or log in to leave a comment.