
SQL SERVER AUDIT PROGRAM

NOTE: The tests can be implemented through MS SQL SERVER MANAGEMENT STUDIO.
1. Ask for the configuration policy. As part of the policy check, verify the existence of the following:
a. Server settings: right-click the server's name to view the settings details. Make sure
the settings are consistent with the configuration policy.
b. Login authentication should be either Windows authentication or SQL Server authentication.
c. How server roles are granted to each login.
d. How databases are mapped to each login.
2. Configuration management:
- Make sure the configuration is documented.
- Make sure the configuration is backed up.
- Make sure configuration changes go through a formal change management process.
- Review the configuration and make sure it is consistent with the approved configuration. Use
the following statement to retrieve the configuration values:
SELECT * FROM sys.configurations;

3. Inquire about all the databases:

SELECT name AS DatabaseName,
       database_id AS DatabaseID,
       state_desc AS State,
       compatibility_level AS CompatibilityLevel
FROM sys.databases;
- The results show all the databases and their state.
- The following databases are created by default and cannot be disabled, as SQL Server needs
them in order to operate; their state (state_desc in the query above) should be ONLINE:
1. master
2. tempdb
3. model
4. msdb

4. Retrieve database admins:

- Make sure there is documented approval for the DBAs, and that segregation of duties (SoD) exists.
- Use the following statement:
SELECT createdate, accdate, name FROM sys.syslogins WHERE sysadmin = 1;

5. Retrieve all logins and their status, and make sure of the following:
1. The login 'sa' is disabled.
2. Each login belongs to a specific person, and the login's role is consistent with their job
description.
3. All logins are granted based on documented approvals.
4. Any login belonging to a terminated employee is disabled.
- Use the following statement:
SELECT name AS LoginName,
       type_desc AS LoginType,
       is_disabled AS Status
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G'); -- S: SQL login, U: Windows login, G: Windows group

- Note: status 1 indicates the login is disabled, while status 0 indicates the login is enabled.
5. Password policy is enforced for all logins.
- For SQL Server authentication, use the following statement to retrieve logins with the
password policy NOT enforced (the flag is 0):
SELECT name AS LoginName,
       type_desc AS LoginType,
       is_policy_checked AS IsPasswordPolicyEnforced
FROM sys.sql_logins
WHERE is_policy_checked = 0;

- For Windows authentication, check the password policy in the local security policy.
Use the following command in CMD:
net accounts
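As an added example (not part of the original audit program), the checks of step 5 can be applied in a single pass over all logins, with the findings collected in one column. It assumes SQL Server 2012 or later (for CONCAT) and that the sa login still carries its default SID 0x01, which survives a rename.

```sql
-- Added example: one query that applies the step 5 login checks and lists findings.
-- Assumes SQL Server 2012+ (CONCAT) and the default sa SID 0x01 (kept even if sa is renamed).
SELECT  sp.name                                        AS LoginName,
        sp.type_desc                                   AS LoginType,
        sp.is_disabled                                 AS IsDisabled,         -- 1 = disabled
        sp.create_date                                 AS CreatedDate,
        sl.is_policy_checked                           AS PolicyEnforced,     -- NULL for Windows logins
        sl.is_expiration_checked                       AS ExpirationEnforced, -- NULL for Windows logins
        LOGINPROPERTY(sp.name, 'PasswordLastSetTime')  AS PasswordLastSet,
        LOGINPROPERTY(sp.name, 'IsLocked')             AS IsLocked,
        IS_SRVROLEMEMBER('sysadmin', sp.name)          AS IsSysadmin,
        -- NULL means no finding; several findings for one login are concatenated
        NULLIF(CONCAT(
            CASE WHEN sp.sid = 0x01 AND sp.is_disabled = 0
                 THEN 'sa login is enabled; ' END,
            CASE WHEN sl.is_policy_checked = 0
                 THEN 'password policy not enforced; ' END,
            CASE WHEN sl.is_expiration_checked = 0
                 THEN 'password expiration not enforced; ' END,
            CASE WHEN IS_SRVROLEMEMBER('sysadmin', sp.name) = 1 AND sp.is_disabled = 0
                 THEN 'enabled sysadmin, verify documented approval; ' END
        ), '')                                         AS Findings
FROM    sys.server_principals sp
LEFT JOIN sys.sql_logins sl ON sl.principal_id = sp.principal_id   -- only SQL logins have a row here
WHERE   sp.type IN ('S', 'U', 'G')     -- SQL login, Windows login, Windows group
  AND   sp.name NOT LIKE '##%'         -- skip internal certificate-based logins
ORDER BY CASE WHEN sp.sid = 0x01 THEN 0 ELSE 1 END, IsSysadmin DESC, sp.name;
```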

6. List the logins with their mapped databases, and make sure there is a documented
approval for each login that specifies its mapped database(s).
- Use the following statement:
SELECT SP.name AS UserName,
       SP.type_desc AS UserType,
       SD.name AS DatabaseName
FROM sys.server_principals SP
LEFT JOIN sys.databases SD ON SD.owner_sid = SP.sid   -- databases owned by this login
WHERE SP.type IN ('U', 'S', 'G') -- U: Windows login, S: SQL login, G: Windows group
ORDER BY SP.name;

Note: the 'sa' login is mapped by default to the system databases. (The joins to
sys.server_role_members and sys.server_principals SR in the original statement were unused and
only duplicated each row once per role membership, so they have been removed.)
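The statement in step 6 lists the databases each login owns (via owner_sid). As an added example (not part of the original audit program), the script below instead lists, for every online database, the database user each login maps to, and flags orphaned SQL users whose SID matches no login. It assumes SQL Server 2012 or later (for authentication_type_desc); #UserMap is a name chosen here.

```sql
-- Added example: map database users to server logins across all online databases and
-- flag orphaned SQL users (a SQL user whose SID matches no login). Assumes SQL Server 2012+.
IF OBJECT_ID('tempdb..#UserMap') IS NOT NULL DROP TABLE #UserMap;
CREATE TABLE #UserMap (
    DatabaseName sysname,
    UserName     sysname,
    UserType     nvarchar(60),
    AuthType     nvarchar(60),
    LoginName    sysname NULL,      -- NULL when no login carries the user's SID
    IsOrphaned   bit
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside dynamic SQL only changes the context of that batch; the temp table
    -- created above is visible to the child batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #UserMap
        SELECT DB_NAME(), dp.name, dp.type_desc, dp.authentication_type_desc, sp.name,
               CASE WHEN dp.type = ''S'' AND dp.authentication_type_desc = ''INSTANCE''
                         AND sp.sid IS NULL THEN 1 ELSE 0 END
        FROM sys.database_principals dp
        LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
        WHERE dp.type IN (''S'', ''U'', ''G'')   -- SQL user, Windows user, Windows group
          AND dp.principal_id > 4;';             -- skip dbo, guest, INFORMATION_SCHEMA, sys
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Orphans first; every remaining row is a login-to-database mapping to match against approvals
SELECT * FROM #UserMap
ORDER BY IsOrphaned DESC, DatabaseName, UserName;
```

Windows users and groups without their own login are not flagged, because they may be authorised through a Windows group login.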

7. Inquire about server roles granted to different logins:

Use the following statement:
SELECT r.name AS Role, m.name AS Principal
FROM master.sys.server_role_members rm
INNER JOIN master.sys.server_principals r ON r.principal_id = rm.role_principal_id AND r.type = 'R'
INNER JOIN master.sys.server_principals m ON m.principal_id = rm.member_principal_id;

- Make sure that roles are consistent with job descriptions, and evaluate SoD.
- Make sure the roles are granted based on documented approvals.
- Make sure the "public" role is granted only to users who need it.
8. Inquire about logins with ANY permissions:
- Use the following statement:
SELECT SP.name AS LoginName,
       SP.type_desc AS LoginType,
       P.permission_name AS Permission
FROM sys.server_permissions P
JOIN sys.server_principals SP ON P.grantee_principal_id = SP.principal_id
WHERE P.permission_name LIKE '%any%';
- An ANY permission shouldn't be granted unless there is a justification with a clearly
stated and documented approval.
- Make sure the "public" role is not granted any "ANY" permission (except for VIEW). Use
the following statement to retrieve the permissions granted to the "public" role in the current database:
SELECT p.class_desc AS [Securable Class],
       OBJECT_NAME(p.major_id) AS [Securable],   -- NULL unless the securable is an object or column
       p.permission_name AS [Permission],
       p.state_desc AS [Permission State],
       u.name AS [Grantee]
FROM sys.database_permissions AS p
INNER JOIN sys.database_principals AS u ON p.grantee_principal_id = u.principal_id
WHERE u.name = 'public';

9. Inquire about all users:

- Use the following statement:
SELECT * FROM sys.sysusers;

- Check that there is a documented approval for each user.
- Make sure no users belong to terminated employees.
- For terminated employees, make sure the user status was changed as soon as the
employee left, with no delay (check the column: updatedate).
- Check the roles and access permissions.
- Make sure there is a periodic and formal process for reviewing the users and logins.
10. Audit roles and permissions for users:
Use the following statement in a database engine query:

USE tempdb;

IF EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[##DBLogin]') AND type IN (N'U'))
    DROP TABLE [dbo].[##DBLogin];

SET NOCOUNT ON;

-- Create the empty global temp table with the required columns (WHERE 1 = 2 returns no rows)
SELECT DB_NAME() AS DBLogin_Database, name AS DBLogin_Name, type_desc AS DBLogin_Type,
       0 AS DBLogin_Owner
INTO ##DBLogin
FROM sys.database_principals WHERE 1 = 2;

-- Collect every non-role principal from every database (sp_MSforeachdb substitutes ? with each database name)
DECLARE @Query AS NVARCHAR(MAX) = N'USE [?]; INSERT INTO ##DBLogin
    SELECT ''?'' AS DBLogin_Database, name AS DBLogin_Name, type_desc AS DBLogin_Type, 0 AS DBLogin_Owner
    FROM sys.database_principals WHERE type != ''R'';';
EXEC sp_MSforeachdb @Query;

-- Add each database owner as a row flagged with DBLogin_Owner = 1
INSERT INTO ##DBLogin
SELECT DB.name AS DBLogin_Database, SUSER_SNAME(DB.owner_sid) AS DBLogin_Name,
       SP.type_desc AS DBLogin_Type, 1 AS DBLogin_Owner
FROM sys.databases DB
LEFT OUTER JOIN sys.server_principals SP ON SUSER_SNAME(DB.owner_sid) = SP.name;

-- Do some guess-work for the owner's login type (comment out if you prefer to have NULL
-- instead of guess-work)
UPDATE A SET A.DBLogin_Type = (SELECT TOP(1) B.DBLogin_Type FROM ##DBLogin B
                               WHERE B.DBLogin_Name = A.DBLogin_Name AND B.DBLogin_Type IS NOT NULL)
FROM ##DBLogin A WHERE (A.DBLogin_Type IS NULL) AND (A.DBLogin_Owner = 1);
UPDATE ##DBLogin SET DBLogin_Type = 'WINDOWS_USER' WHERE (DBLogin_Type IS NULL) AND (DBLogin_Owner = 1)
    AND (DBLogin_Name LIKE '%_\_%');       -- names of the form DOMAIN\user
UPDATE ##DBLogin SET DBLogin_Type = 'SQL_USER' WHERE (DBLogin_Type IS NULL) AND (DBLogin_Owner = 1)
    AND (DBLogin_Name NOT LIKE '%_\_%');

SELECT DBLogin_Database, DBLogin_Name, MAX(DBLogin_Type) AS DBLogin_Type,
       CAST(MAX(DBLogin_Owner) AS BIT) AS DBLogin_Owner
FROM ##DBLogin
GROUP BY DBLogin_Database, DBLogin_Name
ORDER BY DBLogin_Database, DBLogin_Owner DESC, DBLogin_Name, DBLogin_Type;

DROP TABLE [dbo].[##DBLogin];

11. Check the SQL Server version:

- Make sure the version in use is approved, licensed, and supported.
- Use the following statement to inquire about the version:
SELECT @@VERSION;

12. Auditing triggers:

- Make sure the following triggers are created:
triggers to log changes to critical data, such as user login/logout events, changes to
sensitive tables, or modifications to financial transactions.
- Use the following statement to retrieve triggers:
SELECT OBJECT_NAME(object_id) AS TriggerName,
       parent_class_desc AS TriggerParentClass,
       type_desc AS TriggerType,
       create_date AS TriggerCreatedDate,
       modify_date AS TriggerModifiedDate
FROM sys.triggers;
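Logon-event triggers are server-level objects and appear in sys.server_triggers rather than in sys.triggers, and a trigger that exists but is disabled logs nothing. As an added example (not part of the original audit program), this query lists both scopes, the events each trigger fires on, and the disabled flag, so the step 12 checks can be completed from one result set.

```sql
-- Added example: server-level triggers (DDL and LOGON) plus database-level triggers of the
-- current database, with the events they fire on and whether they are disabled.
SELECT  'SERVER'               AS Scope,
        NULL                   AS DatabaseName,
        t.name                 AS TriggerName,
        t.parent_class_desc    AS ParentClass,
        t.type_desc            AS TriggerType,
        STUFF((SELECT ', ' + e.type_desc
               FROM sys.server_trigger_events e
               WHERE e.object_id = t.object_id
               FOR XML PATH('')), 1, 2, '') AS FiresOn,     -- e.g. LOGON, CREATE_LOGIN
        t.is_disabled          AS IsDisabled,               -- a disabled audit trigger is a finding
        t.create_date          AS CreatedDate,
        t.modify_date          AS ModifiedDate
FROM    sys.server_triggers t
UNION ALL
SELECT  'DATABASE', DB_NAME(), t.name, t.parent_class_desc, t.type_desc,
        STUFF((SELECT ', ' + e.type_desc
               FROM sys.trigger_events e
               WHERE e.object_id = t.object_id
               FOR XML PATH('')), 1, 2, ''),                -- e.g. INSERT, UPDATE, DELETE
        t.is_disabled, t.create_date, t.modify_date
FROM    sys.triggers t
ORDER BY Scope, DatabaseName, TriggerName;
```

Run the statement once per database that holds sensitive tables, since sys.triggers only covers the current database.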

13. Auditing the log:

- Make sure the log is maintained as per the record retention policy.
- Make sure the log can't be deleted.
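As an added example (not part of the original audit program), the two queries below inventory the SQL Server Audit configuration so that retention and write-failure behaviour can be compared with the policy. They cover SQL Server Audit objects only; the error log and the Windows event log are checked separately.

```sql
-- Added example: inventory SQL Server Audit objects, their runtime status and the
-- action groups each enabled server specification records.
SELECT  a.name                    AS AuditName,
        a.type_desc               AS Destination,        -- FILE, APPLICATION LOG or SECURITY LOG
        a.is_state_enabled        AS AuditEnabled,       -- 0 means nothing is being recorded
        a.on_failure_desc         AS OnWriteFailure,     -- CONTINUE silently drops events on failure
        a.queue_delay             AS QueueDelayMs,
        fa.log_file_path          AS FilePath,           -- check NTFS permissions here for deletion
        fa.max_rollover_files     AS MaxRolloverFiles,   -- a small value overwrites older files
        fa.max_file_size          AS MaxFileSizeMB,
        st.status_desc            AS RuntimeStatus,      -- STARTED / STOPPED / error text
        s.name                    AS ServerSpecification,
        s.is_state_enabled        AS SpecificationEnabled
FROM    sys.server_audits a
LEFT JOIN sys.server_file_audits fa ON fa.audit_id = a.audit_id
LEFT JOIN sys.dm_server_audit_status st ON st.audit_id = a.audit_id
LEFT JOIN sys.server_audit_specifications s ON s.audit_guid = a.audit_guid
ORDER BY a.name;

-- Actions recorded by each enabled server specification; compare with the event list
-- required by the logging policy (logins, role and permission changes, and so on).
SELECT  s.name                 AS ServerSpecification,
        d.audit_action_name    AS ActionGroup,
        d.audited_result       AS AuditedResult          -- SUCCESS, FAILURE or SUCCESS AND FAILURE
FROM    sys.server_audit_specifications s
JOIN    sys.server_audit_specification_details d
        ON d.server_specification_id = s.server_specification_id
WHERE   s.is_state_enabled = 1
ORDER BY s.name, d.audit_action_name;
```

An empty first result set means no SQL Server Audit is defined at all, which is itself a finding against the retention requirement.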
14. Auditing backup:
Make sure DB backups are performed as per the policy. Review the log to check backup
transactions.
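As an added example (not part of the original audit program), this query reads the backup history in msdb and flags databases with no full backup, an overdue full backup, or a FULL recovery model with no log backup. @MaxFullAgeHours is a placeholder to be set from the actual backup policy.

```sql
-- Added example: last full, differential and log backup per database from msdb history,
-- with findings against an assumed policy threshold (@MaxFullAgeHours is a placeholder).
DECLARE @MaxFullAgeHours int = 24;   -- assumed value; take it from the backup policy

WITH LastBackup AS (
    SELECT  database_name,
            MAX(CASE WHEN type = 'D' THEN backup_finish_date END) AS LastFull,
            MAX(CASE WHEN type = 'I' THEN backup_finish_date END) AS LastDiff,
            MAX(CASE WHEN type = 'L' THEN backup_finish_date END) AS LastLog
    FROM    msdb.dbo.backupset
    WHERE   is_copy_only = 0                 -- copy-only backups do not satisfy the schedule
    GROUP BY database_name
)
SELECT  d.name                                  AS DatabaseName,
        d.recovery_model_desc                   AS RecoveryModel,
        lb.LastFull,
        lb.LastDiff,
        lb.LastLog,
        DATEDIFF(hour, lb.LastFull, GETDATE())  AS HoursSinceFull,
        CASE
            WHEN lb.LastFull IS NULL
                THEN 'no full backup recorded'
            WHEN DATEDIFF(hour, lb.LastFull, GETDATE()) > @MaxFullAgeHours
                THEN 'full backup overdue'
            WHEN d.recovery_model_desc = 'FULL' AND lb.LastLog IS NULL
                THEN 'FULL recovery model but no log backup'
            ELSE NULL
        END                                     AS Finding
FROM    sys.databases d
LEFT JOIN LastBackup lb ON lb.database_name = d.name
WHERE   d.name <> 'tempdb'                      -- tempdb is never backed up
  AND   d.state_desc = 'ONLINE'
ORDER BY CASE WHEN lb.LastFull IS NULL THEN 0 ELSE 1 END, lb.LastFull;
```

The history only proves that a backup ran, not that the media still exist; the finding rows are the starting point for inspecting the backup files or tapes themselves.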
