Logging for security compliance in SQL Server

What's right for your business?
The word "reasonable" is tricky too because everyone has their own definition of what should be logged and how logs should be managed. In the end, reasonable logging will likely end up being defined by the courts. What you can do in the meantime though is to make sure you're in "the middle of the herd" and do not stand out. The first thing is to determine what servers and specific databases actually contain sensitive information that must be protected. This may be something you do on your own or something that has already been done in a recent information risk assessment. Keep in mind, you'll likely have some servers in development or testing that house sensitive information, and therefore, won't need any level of log.

Every environment is different and all businesses have varying levels of risk, but at least consider the following logs:

• SQL Server logs – enabled by default and accessible via Enterprise Manager C2 audit mode – for tracking permissions, access to database objects, and more via the sp_configure stored procedure with 'c2 audit mode' set to 1.
• Security logging of failed authentication attempts – via Enterprise Manager/Properties/Security tab
• IIS logging – via the IIS Services Manager
• General Windows audit logging – via Windows local policies or GPOs

When delving into ...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Database Compliance Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Sarbanes-Oxley compliance checklist: IT security and SQL audits SQL Server 2008 security and compliance features reduce security risks Security testing for compliance – just how much do you need? Meet compliance with improved database security practices Wrangling the data behemoth Expert: Lengthy logs not always a good thing Licensing concerns when upgrading SQL Server Are you ready for a compliance audit of your SQL Server database? SQL Server Security Hardening the network and OS for SQL Server security Securing the server and database in SQL Server SQL Server security made simple and sensible Blog: Protect your databases from the internal threat Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles Database Management and Administration Hardening the network and OS for SQL Server security Securing the server and database in SQL Server How SQL Server 2008 components impact SharePoint implementations Troubleshooting Distributed Transaction Coordinator errors in SQL Server Achieving high availability and disaster recovery with SharePoint databases Clearing the Windows page file and its effect on server performance Deploying a SQL Server virtual appliance for Microsoft Hyper-V How to create SQL Server virtual appliances for Hyper-V Push vs. pull: Configuring SQL Server replication Protect virtual databases through SQL Server database mirroring

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

audit logging and system monitoring, do yourself a huge favor and invest in a third-party logging and event management application such as GFI's EventsManager, or for plain SQL Server log auditing ApexSQL Log is an option. Visit LogAnalysis.org for a list of other commercial products. These tools will save you tons of time and effort. I also recommend guidance provided by NIST's Guide to Computer Security Log Management.

Proceed with caution
Any administrator that's enabled logging knows it can create a significant impact on system performance and storage requirements. I've heard legal experts, less-experienced administrators and others that don't understand the negative impacts of logging make logging recommendations. I've heard poor recommendations including: 'when in doubt more is better,' 'log everything' and 'keep your logs forever.' Certain database security auditing tools even recommend enabling various SQL Server logging features such as C2 audit mode to track misuse. All of this sounds good on paper and will obviously please regulators, auditors, and investigators, but at what cost?

The problem with blindly following these idealistic recommendations of vendors, auditors and the uninformed instead of planning out what you need based on business risk is that you'll create a situation where logging actually has a negative impact on your business. Whether it is eating up memory, requiring too many processor slices, or perhaps worst of all, gobbling up storage space faster than you can say petabyte. I've seen Windows and SQL Server logging enabled that has caused local system partitions to fill up in a matter of minutes and which have also created situations where the SQL Server stops responding altogether. Of all the servers on your network, your SQL Servers are likely the last ones you want to make hang or reboot. Talk about too much security getting in the way of business! Besides the technical issues, another thing to keep in mind is that logging everything and keeping the logs indefinitely can introduce legal liabilities and huge discovery expenses as well. Do I even need to mention the administrative burden and inability for the average human to get anything worthwhile out of too many logs?

Don't worry as much about what the privacy and security laws and regulations say. They certainly don't delve into logging specifics. By all means, don't try to manage audit logging and monitoring requirements for each law/regulation separately. Instead, perform a risk assessment and align your compliance initiatives with one of the information security frameworks or standards such as ISO/IEC 17799, CoBIT, or ITIL. If IT and compliance are managed at that level and done the right way, your organization should be able to meet all the compliance requirements across the board without having logs for HIPAA, logs for SOX, logs for PCI and so on.

Whatever you do, don't go at this alone. You don't want to bear the burden of making the critical business decisions associated with audit logging. This will be especially obvious when something bad happens and a regulator, auditor, or forensics investigator pins you down wanting to know your reasoning and business justification for logging what you did (or didn't do). If you and your IT colleagues are bearing a large part of the compliance burden (as is the case in most organizations), run your logging decisions by your organization's legal counsel or compliance manager. Ideally, determining what to log and how to manage logs should be mandated and supported by a compliance or IT governance committee. What I'm trying to say is get and keep others involved. You won't regret it.

ABOUT THE AUTHOR:   

Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC and creator of Security On Wheels. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written six books including Hacking For Dummies, Hacking Wireless Networks For Dummies,(Wiley), and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver ~at~ principlelogic.com.
Copyright 2006 TechTarget

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.