Customers that holds certificates such as the ISO and many others, normally having bad fights with auditors on security audits and database monitoring tools, normally I gets allot of requests on how to monitor this up and get rid of those auditors!
Few months back, I created a script that generates database triggers on all database tables and sends all the activities to a transactions log table that in return will hold all transactions.
Lets think about it again, what users should I monitor? Dynamics GP users does cannot access the SQL Databases using any other application as all the passwords are encrypted and only Dynamics GP application and Mariano Gomez can decrypt it! I mean only Dynamics GP!
So users that need to be monitored are listed below:
1. Users that does not have access to Dynamics GP but have direct access to the SQL.
2. Users that has access to both Dynamics GP and SQL Databases and does not have their passwords encrypted, which are only two “sa” and “DYNSA”.
3. Users that’s login using windows authentication.
Now using SQL 2008, you can audit all above using the Database Audit feature, go to “SQL Server –> Security Folder –> Audits” and follow steps below to activate this:
Create new Audit:
Go to the database you wish to monitor, navigate to its security folder –> Database Audit –> Create new:
Now you need to specify actions you wish to audit, personally I wanted to monitor “Insert, Update, Delete and Execute” for non-GP users, “dbo” represents any user with sysadmin permissions, which includes “sa” and “DYNSA” and “SYSTEM” users represents any user logged in using windows authentication.
Set back and relax watching any unwanted modifications done on the database monitored, and view what does this recorded from time to time by right clicking your audit and selecting “View Audit Log”:
For CFO’s and top management reporting, you cannot ask them to go to your SQL and view the report! So you will have to setup another solution:
1. Create a new view on your Master database with the following command:
SELECT *
FROM dbo.fn_get_audit_file('C:\Database Modifications Audit\*', DEFAULT, DEFAULT)Where “Database Modifications Audit” is the folder I created on the C:\ Drive to save all my logs.
2. Create a new SQL Login that has permissions only on this view.
3. Create an excel file that reads directly from this view using Data Source.
4. Send this excel file to the top management and ask them to refresh.
Regards,
--
Mohammad R. Daoud - CTO
MVP, MCT, MCP, MCBMSP, MCTS, MCBMSS
+962 - 79 - 999 65 85
mohdaoud@gmail.com
mohdaoud.blogspot.com
No comments:
Post a Comment