How SQL Server Audit is Your Secret Security Weapon

By John Gates

February 19th, 2024

SQL Server Audit

The SQL Server Audit object gathers individual occurrences of server or database-level actions and sets of actions for monitoring purposes. This audit operates at the SQL Server instance level, allowing for multiple audits per instance. Upon defining an audit, you designate the destination for result output.

How does SQL Server audit work?

Before beginning a SQL Server audit pay attention to the limitations and restrictions associated with database audit specifications. These specifications are non-securable objects housed within a specific database. Upon creation, a database audit specification defaults to a disabled state, requiring activation to commence auditing activities.

SQL Server Auditing

Auditing a SQL Server instance or database involves monitoring and logging system events. The SQL Server Audit object consolidates server-level or database-level actions and action groups for monitoring purposes, operating at the SQL Server instance level. Multiple audits can be configured for a single SQL Server instance. Within an audit, the Database-Level Audit Specification object is associated, enabling the creation of one database audit specification per SQL Server database per audit.

To create a server audit using SQL Server Management Studio:

In Object Explorer, expand the Security folder.
Right-click the Audits folder and select New Audit. For more information, see Create a server audit and server audit specification.
When you finish selecting options, select OK.

Auditing object: Ensure ‘SQL Server Audit’ is set to capture both ‘failed’ and ‘successful logins’

For AWS RDS Instances, if RDS has not been configured to write to an S3 bucket, this is a fail. Run the following T-SQL command:

SELECT

S.name AS ‘Audit Name’

, CASE S.is_state_enabled

WHEN 1 THEN ‘Y’

WHEN 0 THEN ‘N’ END AS ‘Audit Enabled’

, S.type_desc AS ‘Write Location’

, SA.name AS ‘Audit Specification Name’

, CASE SA.is_state_enabled

WHEN 1 THEN ‘Y’

WHEN 0 THEN ‘N’ END AS ‘Audit Specification Enabled’

, SAD.audit_action_name

, SAD.audited_result

FROM sys.server_audit_specification_details AS SAD

JOIN sys.server_audit_specifications AS SA

ON SAD.server_specification_id = SA.server_specification_id

JOIN sys.server_audits AS S

ON SA.audit_guid = S.audit_guid

WHERE SAD.audit_action_id IN (‘CNAU’, ‘LGFL’, ‘LGSD’) or (SAD.audit_action_id

IN (‘DAGS’, ‘DAGF’) and (select count(*) from sys.databases where containment=1) > 0);

The result set should contain 5 rows, one for each of the following audit_action_names:

AUDIT_CHANGE_GROUP
FAILED_LOGIN_GROUP
SUCCESSFUL_LOGIN_GROUP
SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP
FAILED_DATABASE_AUTHENTICATION_GROUP

Both the Audit and Audit specification should be enabled and the audited_result should include both success and failure.

To create a database-level audit specification or to to create a database-level audit specification, see HERE

View a SQL Server Audit Log

Permissions: Requires the CONTROL SERVER permission.

To view a SQL Server audit log

In Object Explorer, expand the Security
Expand the Audits
Right-click the audit log that you want to view and select View Audit Logs. This opens the Log File Viewer –server_namedialog box. For more information, see Log File Viewer F1 Help.
When finished, click Close.

Microsoft suggests accessing the audit log through the Log File Viewer.

Benefits of SQL Server Auditing

By opting for Audit instead of the conventional configuration within the Security tab to capture successful logins, we diminish the clutter in the ERRORLOG. This results in a more concise and manageable log for DBAs tasked with troubleshooting SQL Server issues. Moreover, the Audit object offers the capability to record to the security event log, although this requires operating system adjustments. This provides an extra avenue for storing login events, particularly when integrated with an SIEM solution.

SQL server attacks: mechanisms you must know

SQL Server Audit Vulnerabilities

Improper configuration of the audit feature can leave gaps in monitoring or expose sensitive information. For instance, failure to audit critical events or inadequate security measures for audit logs may leave systems vulnerable to exploitation.

Furthermore, misconfigured auditing settings might inadvertently capture sensitive application data or personally identifiable information (PII), introducing potential security and compliance risks if exposed.

SQL Server Audit Remediation

SQL Server Audit Remediation involves the systematic process of addressing and resolving identified issues within SQL Server audit configurations. However, manually addressing these concerns across multiple servers can be exceedingly time-consuming and prone to human error. Automated hardening solutions streamline the remediation process, enabling efficient identification and resolution of vulnerabilities at scale.

GUI Method

1. Expand the SQL Server in Object Explorer.
2. Expand the Security Folder
3. Right-click on the Audits folder and choose New Audit…
4. Specify a name for the Server Audit.
5. Specify the audit destination details and then click OK to save the Server Audit.
6. Right-click on Server Audit Specifications and choose New Server Audit Specification…
7. Name the Server Audit Specification
8. Select the just created Server Audit in the Audit drop-down selection.
9. Click the drop-down under Audit Action Type and select AUDIT_CHANGE_GROUP.

10. Click the new drop-down Audit Action Type and select FAILED_LOGIN_GROUP.

11. Click the new drop-down under Audit Action Type and select SUCCESSFUL_LOGIN_GROUP.

12. Click the new drop-down under Audit Action Type and select SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP.

13. Click the new drop-down under Audit Action Type and select FAILED_DATABASE_AUTHENTICATION_GROUP.

14. Click OK to save the Server Audit Specification.

15. Right-click on the new Server Audit Specification and select Enable Server Audit Specification.

16. Right-click on the new Server Audit and select Enable Server Audit.

T-SQL Method Execute code similar to:

CREATE SERVER AUDIT TrackLogins

TO APPLICATION_LOG;

CREATE SERVER AUDIT SPECIFICATION TrackAllLogins

FOR SERVER AUDIT TrackLogins

ADD (FAILED_LOGIN_GROUP),

ADD (SUCCESSFUL_LOGIN_GROUP),

ADD (AUDIT_CHANGE_GROUP),

ADD (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP),

ADD (FAILED_DATABASE_AUTHENTICATION_GROUP) WITH (STATE = ON); GO

ALTER SERVER AUDIT TrackLogins

WITH (STATE = ON);

NOTE: If the write destination for the Audit object is to be the security event log, see the Books Online topic "Write SQL Server Audit Events to the Security Log" and follow the appropriate steps.

SQL Server Audit Best Practices

Here are some best practices to follow when using SQL Server Audit:

Be selective with auditing. Balance auditing requirements with resource usage by only auditing critical events and accessing important data. Auditing everything can lead to excessive log sizes and performance impact.
Determine data retention policies upfront. Decide how long audit logs need to be kept to meet compliance needs. Set up a process to backup and purge logs.
Restrict access to audit logs and data. Audit data can contain sensitive information. Use database roles and permissions to allow access on a need-to-know basis.
Setup alerts and monitoring. Establish processes to collect, monitor, and review audit logs regularly. Alerts can notify on specific high risk events.
Follow principle of least privilege. Only enable auditing for necessary users and events. Minimize surface area for malicious actions.
Maintain audit integrity with SQL server Enable checksums to detect log tampering or unauthorized changes.
Backup the audit configuration. Keep regular backups of audit settings in case the audit system itself is compromised.
Segregate duties over audit data. Have separate teams own audit capture vs. audit review for checks and balances.
Test auditing regularly. Validate auditing is working as expected by injecting sample events and monitoring data.
Tuning and optimization. Tune SQL Server to balance auditing I/O and disk usage with instance performance needs.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.