You administer an instance of a SQL Server 2008 server.
The server is used to execute SQL Server 2008 Integration Services (SSIS) packages.
You need to ensure that the server executes only correctly signed packages.
What should you do?
A. Set the BlockedSignatureStates registry entry to NoAdministrativeRestriction.
B. Set the package protection level on all packages to EncryptSensitiveWithPassword.
C. Set the BlockedSignatureStates registry entry to Block invalid and untrusted signatures and unsigned packages.
D. Set the package protection level on all packages to DontSaveSensitive.
Explanation:
A SQL Server 2008 Integration Services (SSIS) package can be signed with a certificate and
configured to require the runtime to check the signature before loading the package. The
properties of the package, CheckSignatureOnLoad and CertificateObject, indicate whether a
certificate must be checked, and specify the certificate that was used to sign the package.
The certificate used to sign the package must be enabled for code signing.

Integration Services provides a registry value that you can use to manage an organization's
policy for loading signed and unsigned packages. The registry value can also manage untrusted
signatures of signed packages. With regard to the status of signatures used to sign
packages, the BlockedSignatureStates registry value uses the following definitions:

A valid signature is one that can be read successfully.

An invalid signature is one for which the decrypted checksum (the one-way hash of the
package code encrypted by a private key) does not match the decrypted checksum that is
calculated as part of the process of loading Integration Services packages.

A trusted signature is one that is created by using a digital certificate signed by a
Trusted Root Certification Authority. This setting does not require the signer to be found
in the user's list of Trusted Publishers.

An untrusted signature is one that cannot be verified as issued by a Trusted Root
Certification Authority, or a signature that is not current.

To use the registry value to prevent packages from loading if the packages are unsigned, or
have invalid or untrusted signatures, you must add the BlockedSignatureStates DWORD value to
the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTS registry key and specify the value 0, 1, 2,
or 3.
The following table lists the valid values of the DWORD data and their associated policies.
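
An added PowerShell example, not part of the original explanation, that audits the BlockedSignatureStates value at the key named above and can set it to the strictest policy. The policy text for each value follows Microsoft's SSIS documentation; the -Enforce switch name and the extra check of the Wow6432Node view for 32-bit runtimes are assumptions of this example.

```powershell
# Audit, and with -Enforce set, the SSIS package-signature policy.
# Key path and value name come from the explanation above; the policy text
# for each value follows Microsoft's SSIS documentation.
param([switch]$Enforce)   # hypothetical switch name chosen for this example

$Required = 3
$Policies = @{
    0 = 'No administrative restriction'
    1 = 'Block invalid signatures'
    2 = 'Block invalid and untrusted signatures'
    3 = 'Block invalid and untrusted signatures and unsigned packages'
}

# Run from an elevated 64-bit PowerShell. Assumption: a 32-bit SSIS runtime on
# 64-bit Windows reads the redirected Wow6432Node view, so both are checked.
$Keys = @('HKLM:\SOFTWARE\Microsoft\MSDTS')
if ([Environment]::Is64BitOperatingSystem) {
    $Keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSDTS'
}

foreach ($Key in $Keys) {
    $Current = $null
    if (Test-Path $Key) {
        $Current = (Get-ItemProperty -Path $Key -Name BlockedSignatureStates `
                    -ErrorAction SilentlyContinue).BlockedSignatureStates
    }

    # Only write when asked to, and only when the policy is weaker or missing.
    if ($Enforce -and $Current -ne $Required) {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name BlockedSignatureStates `
            -PropertyType DWord -Value $Required -Force | Out-Null
        $Current = $Required
    }

    if ($null -eq $Current) { $Policy = 'Value not set' }
    elseif ($Policies.ContainsKey([int]$Current)) { $Policy = $Policies[[int]$Current] }
    else { $Policy = 'Unrecognized value' }

    [pscustomobject]@{
        Key       = $Key
        Value     = $Current
        Policy    = $Policy
        Compliant = ($Current -eq $Required)
    }
}
```

Run without -Enforce, the script only reports; any row with Compliant set to False marks a registry view where unsigned or untrusted packages are not blocked by policy.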