You are managing a SQL Server 2008 server instance which is use for running SQL Server 2008 Integration Services (SSIS) packages for Company.com.
You should make sure that the server runs normally.
Which is the correct answer?
A.
You should configure the package protection level to AdministrativeRestriction.
B.
You should configure the package protection level to SaveSensitive.
C.
You should configure the package protection level to EncryptSensitiveWithPassword.
D.
You should configure the BlockedSignatureStates registry enters to Block unsafe and untrusted signs and unsigned instances.
Explanation:
Signing Packages with Certificates
A SQL Server 2005 Integration Services (SSIS) package can be signed with a certificate and configured to require the runtime to check the signature before loading the package. The properties of the package, CheckSignatureOnLoad and CertificateObject, indicate whether a certificate must be checked, and specify the certificate that was used to sign the package. The certificate used to sign the package must be enabled for code signing.
Integration Services provides a registry value that you can use to manage an organization’s policy for loading signed and unsigned packages. The registry value can also manage untrusted signatures of signed packages. With regard to the status of signatures used to sign packages, the BlockedSignatureStates registry value uses the following definitions:
A valid signature is one that can be read successfully.
An invalid signature is one for which the decrypted checksum (the one-way hash of the package code encrypted by a private key) does not match the decrypted checksum that is calculated as part of the process of loading Integration Services packages.
A trusted signature is one that is created by using a digital certificate signed by a Trusted Root Certification Authority. This setting does not require the signer to be found in the user’s list of Trusted Publishers.
An untrusted signature is one that cannot be verified as issued by a Trusted Root Certification Authority, or a signature that is not current.
To use the registry value to prevent packages from loading if the packages are unsigned, or have invalid or untrusted signatures, you must add the BlockedSignatureStates DWORD value to the HKEY_LOCAL_MACHINESOFTWAREMicrosoftMSDTS registry key and specify the value 0, 1, 2, or 3.
The following table lists the valid values of the DWORD data and their associated policies.