###BeginCaseStudy###
Case Study 4
A Datum
Overview
General Overview
A Datum Corporation has offices in Miami and Montreal.
The network contains a single Active Directory forest named adatum.com. The offices
connect to each other by using a WAN link that has a 5-ms latency.
A Datum standardizes its database platform by using SQL Server 2014 Standard edition.
Databases
Each office contains databases named Sales. Inventory, Customers, Products, Personnel, and Dev.
Servers and databases are managed by a team of database administrators. Currently, all of the
database administrators have the same level of permissions on all of the servers and all of the
databases.
The Customers database contains two tables named Customers and Classifications. The
following graphic shows the relevant portions of the tables:
The following table shows the current data in the Classifications table:
The Inventory database is used mainly for reports. The database is recreated every day. A full
backup of the database currently takes three hours to complete.
Stored Procedures
A stored procedure named USP_1 generates millions of rows of data for multiple reports.
USP_1 combines data from five different tables from the Sales and Customers databases in a
table named Table1.
After Table1 is created, the reporting process reads data from a table in the Products database
and searches for information in Table1 based on input from the Products table. After the
process is complete, Table1 is deleted.
A stored procedure named USP_2 is used to generate a product list. USP_2 takes several
minutes to run due to locks on the tables the procedure accesses.
A stored procedure named USP_3 is used to update prices. USP_3 is composed of several
UPDATE statements called in sequence from within a transaction. Currently, if one of the
UPDATE statements fails, the stored procedure continues to execute.
A stored procedure named USP_4 calls stored procedures in the Sales, Customers, and
Inventory databases. The nested stored procedures read tables from the Sales, Customers, and
Inventory databases. USP_4 uses an EXECUTE AS clause.
A stored procedure named USP_5 changes data in multiple databases. Security checks are
performed each time USP_5 accesses a database.
You suspect that the security checks are slowing down the performance of USP_5.
All stored procedures accessed by user applications call nested stored procedures. The nested
stored procedures are never called directly.
Design Requirements
Data Recovery
You must be able to recover data from the Inventory database if a storage failure occurs. You
have a Recovery Point Objective (RPO) of one hour.
You must be able to recover data from the Dev database if data is lost accidentally. You have
a Recovery Point Objective (RPO) of one day.
Classification Changes
You plan to change the way customers are classified. The new classifications will have four
levels based on the number of orders. Classifications may be removed or added in the future.
Management requests that historical data be maintained for the previous classifications.
Security
A group of junior database administrators must be able to view the server state of the SQL
Server instance that hosts the Sales database. The junior database administrators will not have
any other administrative rights.
A Datum wants to track which users run each stored procedure.
Storage
A Datum has limited storage. Whenever possible, all storage space should be minimized for
all databases and all backups.
Error Handling
There is currently no error handling code in any stored procedure. You plan to log errors in
called stored procedures and nested stored procedures. Nested stored procedures are never
called directly.
###EndCaseStudy###
You need to recommend a solution to ensure that USP_4 adheres to the security
requirements.
What should you include in the recommendation?
A.
Enable SQL Server Audit.
B.
Enable trace flags.
C.
Configure data manipulation language (DML) triggers.
D.
Enable C2 audit tracing.
Explanation:
* Scenario: A stored procedure named USP_4 calls stored procedures in the Sales,
Customers, and Inventory databases. The nested stored procedures read tables from the
Sales, Customers, and Inventory databases. USP_4 uses an EXECUTE AS clause.
* Beginning in SQL Server 2008 Enterprise, you can set up automatic auditing by using SQL
Server Audit.
It’s a standard edition. SQL Server Audit is out of scope. I think that D is correct. Although it will be removed in future version of sql.
All editions of SQL Server support server level audits. Database level auditing is limited to Enterprise, Developer, and Evaluation editions.
Agree. Must be C2 audit tracing due to the version of SQL Server
Database Audit is not available for Standard edition, but SQL Server Audit is. As the stored procedure USP_4 uses an EXECUTE AS and the security requirement is about knowing who executed the stored procedure it seems that auditing successful logon is what is needed and this is provided by Server Audit. So I think A is the correct answer
+1
See:
– https://msdn.microsoft.com/en-us/library/cc280386.aspx
The Case Study [In Design Requirements, Security] says “a Datum wants to track which users run each stored procedure.”, and [In Stored Procedures] says “USP_4 uses an EXECUTE AD clause”, SQL Server Audit has an event just for “EXECUTE AS” clause called “DATABASE_PRINCIPAL_IMPERSONATION_GROUP”.
SQL Server Audit:
All editions of SQL Server support server level audits.
SQL Server Audit – DATABASE_PRINCIPAL_IMPERSONATION_GROUP [Event]:
This event is raised when there is an impersonation operation in the database scope such as EXECUTE AS or SETPRINCIPAL. This event is raised for impersonations done in any database. Equivalent to the Audit Database Principal Impersonation Event Class.
https://technet.microsoft.com/en-us/library/cc280386(v=sql.120).aspx
https://msdn.microsoft.com/en-us/library/cc280663(v=sql.120).aspx
https://msdn.microsoft.com/en-us/library/cc280386(v=sql.120).aspx
———————————————————————-