You are managing a SQL Server 2008 server instance which is used to run SQL Server
2008 Integration Services (SSIS) packages for Company.com.
You should make sure that the server runs normally.
Which is the correct answer?
A. You should configure the package protection level to AdministrativeRestriction.
B. You should configure the package protection level to SaveSensitive.
C. You should configure the package protection level to EncryptSensitiveWithPassword.
D. You should configure the BlockedSignatureStates registry entry to block unsafe and
untrusted signatures and unsigned instances.
Explanation:
Signing Packages with Certificates
A SQL Server 2005 Integration Services (SSIS) package can be signed with a certificate and
configured to require the runtime to check the signature before loading the package. The
properties of the package, CheckSignatureOnLoad and CertificateObject, indicate whether a
certificate must be checked, and specify the certificate that was used to sign the package.
The certificate used to sign the package must be enabled for code signing. Integration
Services provides a registry value that you can use to manage an organization’s policy for
loading signed and unsigned packages. The registry value can also manage untrusted
signatures of signed packages. With regard to the status of signatures used to sign
packages, the BlockedSignatureStates registry value uses the following definitions:
A valid signature is one that can be read successfully.
An invalid signature is one for which the decrypted checksum (the one-way hash of the
package code encrypted by a private key) does not match the decrypted checksum that is
calculated as part of the process of loading Integration Services packages.
A trusted signature is one that is created by using a digital certificate signed by a Trusted
Root Certification Authority. This setting does not require the signer to be found in the user's
list of Trusted Publishers.
An untrusted signature is one that cannot be verified as issued by a Trusted Root
Certification Authority, or a signature that is not current.
To use the registry value to prevent packages from loading if the packages are unsigned, or
have invalid or untrusted signatures, you must add the BlockedSignatureStates DWORD value
to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTS registry key and specify the value
0, 1, 2, or 3. The following table lists the valid values of the DWORD data and their
associated policies.
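As an added example (not part of the original explanation), the PowerShell below audits the BlockedSignatureStates value under the registry key named above and sets it to the strictest policy when it is missing or weaker. The value meanings in $Policies follow Microsoft's documentation for this setting; the function names are hypothetical, and treating a missing value as non-compliant is this example's own choice.

```powershell
# Added example (not from the original page): audit and enforce the
# BlockedSignatureStates policy under the registry key named in the explanation.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\MSDTS'
$ValueName = 'BlockedSignatureStates'

# Meaning of each valid DWORD value (0-3) for this setting.
$Policies = @{
    0 = 'No administrative restriction'
    1 = 'Block invalid signatures (unsigned packages still load)'
    2 = 'Block invalid and untrusted signatures (unsigned packages still load)'
    3 = 'Block invalid and untrusted signatures and unsigned packages'
}

function Get-BlockedSignatureState {
    # Returns the configured DWORD, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-BlockedSignatureState {
    param([ValidateRange(0, 3)][int]$Required = 3)
    $current = Get-BlockedSignatureState
    if ($null -eq $current) {
        Write-Warning "$ValueName is not set under $KeyPath."
        return $false
    }
    if (-not $Policies.ContainsKey($current)) {
        Write-Warning "$ValueName = $current is outside the valid range 0-3."
        return $false
    }
    Write-Host "$ValueName = $current : $($Policies[$current])"
    return ($current -ge $Required)   # a higher value is a stricter policy
}

function Set-BlockedSignatureState {
    # Writes the DWORD, creating the key first if needed (needs an elevated session).
    param([ValidateRange(0, 3)][int]$Value = 3)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

# Enforce the policy that also blocks unsigned packages, then re-check.
if (-not (Test-BlockedSignatureState -Required 3)) {
    Set-BlockedSignatureState -Value 3
    Test-BlockedSignatureState -Required 3 | Out-Null
}
```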