Separation of Duties for DBAs

Someone recently asked me about the principle of separation of duties (aka segregation of duties) as it applies to SQL Server DBAs, and I thought that would make a good topic for this blog, so here goes… The idea of separating duties in general is to prevent a single person from being able to complete…


How To STIG a Database System

This post is to provide a little enlightenment to folks who have never STIG’d a database system before and assume that the process is a one-time configuration. It’s not. It’s not even close. STIG compliance requires: one or more named Database Administrators (DBAs); a named Information Assurance Officer (IAO); an initial system evaluation; a Plan…

Summary of Audit-Specific STIG IDs

The DoD Database Security Technical Implementation Guide (STIG) has quite a few requirements in the area of auditing, but they’re scattered throughout the document. Here’s a list of all the audit-related STIG IDs that I found. From the Security Readiness Review: “The majority of Microsoft SQL Server security auditing is provided by the trace facility….

Primary DBA Responsibilities

SQL Server is so well-behaved that it’s often installed by third-party applications in an organization or department without a professional database administrator (DBA). When such implementations need attention (e.g. backups), system administrators often get involved as acting DBAs, and some of them discover they enjoy it and start spending more and more time with SQL Server….


List of SQL Server Service Names

In the tables below, services that can have multiple instances on the same server have the default instance name listed first and then a named instance, “Contoso1.” These service names are for installations without any service packs applied. I haven’t checked to see if there are any changes to service names after installing service packs….


Public Not Granted Server Permissions

The pre-defined policies that come with SQL Server 2008 include one called “Public Not Granted Server Permissions”. Running this policy in evaluation mode on a default installation will show a non-compliance failure due to 5 server-level permissions that are assigned to the public role during installation. Removal of these 5 permissions will make your server…


Custom Auditing

If auditing had no cost, we’d always audit everything, but it can have major performance costs, so the principle is: audit only what you have to audit for each system, depending on how much protection is necessary for the data in that system. SQL Server Profiler can be great to use for a little while to capture data for troubleshooting, but…


SQL Server 2005, List of Events Captured by the Default Trace

Looking for a quick list of the events monitored/captured by SQL Server 2005’s default trace? Here ya go: Database: Data File Auto Grow; Database: Data File Auto Shrink; Database: Database Mirroring State Change; Database: Log File Auto Grow; Database: Log File Auto Shrink; Errors and Warnings: ErrorLog; Errors and Warnings: Hash Warning; Errors and Warnings: Missing Column Statistics; Errors and Warnings: Missing Join…

Making STIG Compliance Much Easier, Part II

Securing a system requires efforts that can be dropped into three buckets: Configuration, Alerting, and Auditing. (Am I missing any? Post a comment if you think of any others…) Securing a system’s configuration means securing its run-time configuration. Design-time is irrelevant except in how it impacts the run-time configuration, as it is only the actual run-time…