Saturday, June 4, 2011

Common Criteria (CC) and SQL Login Auditing

SQL login auditing and other security features is implemented as a part of Common Criteria (CC).  The Common Criteria for Information Technology Security Evaluation's Common Criteria Certification supersedes several older evaluation schemes including the U.S. Trusted Computer Systems Evaluation Criteria (TCSEC) which specified the well-known Class C2 rating.  Microsoft discusses the Common Criteria Certification, and explains the implementation of that standard as a configuration item in SQL 2008 R2.
When the configuration item is set to on or 1,
  • residual information protection (RIP) is turned on
    • RIP requires a memory allocation to be overwritten with a known pattern of bits before memory is reallocated to a new resource.
  • login auditing is enabled
    • Information about the last successful login time, the last unsuccessful login time, and the number of attempts between the last successful and current login times is made available. These login statistics can be viewed by querying the sys.dm_exec_sessions dynamic management view.
  • table-level DENY takes precedence over a column-level GRANT
    • this is a change in the default behaviour
To implement (only in SQL2005/2008 Developer/Enterprise):

sp_configure 'show advanced options', 1
go
reconfigure
go
sp_configure 'common criteria compliance enabled', 1
go
reconfigure
go
Restart the server.

No comments:

Post a Comment