Sarbanes, anyone?

From: Shelley (anonymous_at_discussions.microsoft.com)
Date: 05/04/04

  • Next message: Wendy: "RE: SQL Force Encryption problem"
    Date: Tue, 4 May 2004 14:26:46 -0700

    I'm surprised nobody's talking about this! Anyone else
    out there working with the IT controls section of the
    Sarbanes-Oxley requirements? I'm focused on what can be
    done from a database security perspective and am trying to
    figure out how best to architect security such that only
    the DBA has system administrator rights and the DBA can be
    monitored.

    I know that we can monitor schema changes through SQL
    Server audit traces, but it seems that is an expensive
    operation for the server. We've been looking at external
    tools. We already have a tool called LogExplorer, which
    does not put a load on Production because it reads
    transaction logs. It allows you to drill into the logs to
    see what happened to the data, who touched it, etc.
    However, you have to know what you're looking for and the
    date/time range you want to search - so not an automated
    monitoring tool.

    We've been considering another related tool, Entegra (both
    tools are by Lumigent), since it too reads trans logs and
    provides alerts on changes to schema and security and also
    archives the data for easier searching. However, it does
    not provide alerts on changes to data or by a particular
    account, which is one of our big concerns, and the problem
    that I see with both of these tools is that the logging
    data is stored on SQL Server and thus at risk itself for
    tampering.

    I'm interested in how other people are handling the
    monitoring requirements or if there are other options I'm
    overlooking. One idea I'm toying with is changing the
    security from Mixed mode to SQL Security only, so as to
    eliminate all but the DBA from having SA rights (right
    now, in mixed mode, the NT administrator could always get
    in there by resetting the DBA password and then
    impersonating her). I'm also interested in how other
    people have assigned DBA privileges (i.e. just plopped
    into the SA role or assigned to specific fixed server
    roles?).
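The three questions the post raises (who actually holds SA rights, which authentication mode the instance is in, and how to log schema changes without running a full audit trace) can each be answered from T-SQL. The block below is an added example, not code from the post or from Lumigent's tools. It assumes SQL Server 2005 or later, because it relies on `sys.server_principals`, `sys.server_role_members`, `SERVERPROPERTY('IsIntegratedSecurityOnly')` and server-scoped DDL triggers; `AuditDB`, `dbo.SchemaChangeLog` and `trg_AuditSchemaChanges` are placeholder names.

```sql
-- Added example (not from the original post). Assumes SQL Server 2005+.
-- AuditDB / dbo.SchemaChangeLog / trg_AuditSchemaChanges are placeholder names.

-- 1. Who can act as SA? Every member of the fixed server role sysadmin,
--    including Windows groups, whose membership is managed outside SQL Server.
SELECT m.name        AS member_login,
       m.type_desc   AS login_type,    -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. Authentication mode of the instance:
--    1 = Windows authentication only, 0 = mixed mode (Windows + SQL logins).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3. Lightweight schema-change logging: a server-scoped DDL trigger writes one
--    row per DDL statement, including the login that issued it, so a trace
--    does not have to run continuously on the production server.
USE AuditDB;   -- placeholder audit database
GO
CREATE TABLE dbo.SchemaChangeLog (
    event_id     INT IDENTITY(1,1) PRIMARY KEY,
    event_time   DATETIME      NOT NULL DEFAULT GETDATE(),
    login_name   SYSNAME       NOT NULL,
    event_type   NVARCHAR(128) NOT NULL,
    database_name SYSNAME      NULL,
    object_name  NVARCHAR(256) NULL,
    tsql_command NVARCHAR(MAX) NULL
);
GO
CREATE TRIGGER trg_AuditSchemaChanges
ON ALL SERVER
FOR DDL_DATABASE_LEVEL_EVENTS,   -- CREATE/ALTER/DROP of tables, procs, users, ...
    DDL_SERVER_SECURITY_EVENTS   -- logins, server-level GRANT/DENY/REVOKE, role membership
AS
BEGIN
    DECLARE @e XML;
    SET @e = EVENTDATA();   -- the DDL event as XML, only valid inside a DDL trigger
    INSERT INTO AuditDB.dbo.SchemaChangeLog
        (login_name, event_type, database_name, object_name, tsql_command)
    VALUES (
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',                'SYSNAME'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',                'NVARCHAR(128)'),
        @e.value('(/EVENT_INSTANCE/DatabaseName)[1]',             'SYSNAME'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]',               'NVARCHAR(256)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]',  'NVARCHAR(MAX)')
    );
END;
GO
```

Step 1 is the check to run before and after any change to role assignments: a DBA who is meant to be the only sysadmin should be the only row returned. Step 3 addresses the cost objection to audit traces, but not the tampering one: the log table still lives on the same instance, and anyone with sysadmin rights can disable the trigger or edit the rows, so the rows need to be copied on a schedule to a store the DBA cannot write to, and the trigger's existence and enabled state should themselves be checked from outside the server.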

