SQL SERVER – Identifying guest User using Policy Based Management

If you are following my recent blog posts, you may have noticed that I’ve been writing a lot about Guest User in SQL Server. Here are all the blog posts which I have written on this subject:

One of the requests I received was whether we could create a policy that would prevent users unable guest user in user databases. Well, here is a quick tutorial to answer this. Let us see how quickly we can do it.

Requirements

  1. Check if the guest user is disabled in all the user-created databases.
  2. Exclude master, tempdb and msdb database for guest user validation.

We will create the following conditions based on the above two requirements:

  1. If the name of the user is ‘guest’
  2. If the user has connect (@hasDBAccess) permission in the database
  3. Check in All user databases, except: master, tempDB and msdb

Once we create two conditions, we will create a policy which will validate the conditions.

Condition 1: Is the User Guest?

Expand the Database >> Management >> Policy Management >> Conditions

Right click on the Conditions, and click on “New Condition…”. First we will create a condition where we will validate if the user name is ‘guest’, and if it’s so, then we will further validate if it has DB access.

Check the image for the necessary configuration for condition:
Facet: User
Expression:
@Name = ‘guest’

Condition 2: Does the User have DBAccess?

Expand the Database >> Management >> Policy Management >> Conditions

Right click on Conditions and click on “New Condition…”. Now we will validate if the user has DB access.

Check the image for necessary configuration for condition:
Facet: User
Expression:
@hasDBAccess = False

Condition 3: Exclude Databases

Expand the Database >> Management >> Policy Management >> Conditions

Write click on Conditions and click on “New Condition…” Now we will create condition where we will validate if database name is master, tempdb or msdb and if database name is any of them, we will not validate our first one condition with them.

Check the image for necessary configuration for condition:
Facet: Database
Expression:
@Name != ‘msdb’
AND @Name != ‘tempdb’
AND @Name != ‘master’

The next step will be creating a policy which will enforce these conditions.

Creating a Policy

Right click on Policies and click “New Policy…”

Here, we justify what condition we want to validate against what the target is.

Condition: Has User DBAccess
Target Database: Every Database except (master, tempdb and MSDB)
Target User: Every User in Target Database with name ‘guest’

Now we have options for two evaluation modes: 1) On Demand and 2) On Schedule

We will select On Demand in this example; however, you can change the mode to On Schedule through the drop down menu, and select the interval of the evaluation of the policy.

Evaluate the Policies

We have selected OnDemand as our policy evaluation mode. We will now evaluate by means of executing Evaluate policy. Click on Evaluate and it will give the following result:

The result demonstrates that one of the databases has a policy violation. Username guest is enabled in AdventureWorks database. You can disable the guest user by running the following code in AdventureWorks database.

USE AdventureWorks;
REVOKE CONNECT FROM guest;

Once you run above query, you can already evaluate the policy again. Notice that the policy violation is fixed now.

You can change the method of the evaluation policy to On Schedule and validate policy on interval. You can check the history of the policy and detect the violation.

Quiz

I have created three conditions to check if the guest user has database access or not. Now I want to ask you: Is it possible to do the same with 2 conditions? If yes, HOW? If no, WHY NOT?

Reference: Pinal Dave (http://blog.sqlauthority.com)

About these ads

SQL SERVER – Policy Based Management – Create, Evaluate and Fix Policies

Introduction

This article will cover the most spectacular feature of SQL 2008 – Policy-based management and how the configuration of SQL Server with policy-based management architecture can make a powerful difference. Policy based management is loaded with several advantages. It can help you implement various policies for reliable configuration of the system. It also provides additional administration assistance to DBAs and helps them effortlessly manage various tasks of SQL Server across the enterprise.

Basics of Policy Management

SQL server 2008 has introduced policy management framework, which is the latest technique for SQL server database engine. SQL policy administrator uses SQL Server Management Studio to create policies that can handle entities on the server side like the SQL Server objects and the instance of SQL Server databases. It consists of three components: policy administrators (who create policies), policy management, and explicit administration. Policy-based management in SQL Server assists the database administrators in defining and enforcing policies that tie to database objects and instances. These policies allow the administrator to configure and manage SQL server across the enterprise.

The following advantages can be achieved by appropriate administration of policy management system.

  • It interacts with various policies for successful system configuration.
  • It handles the changes in the systems that are the result of configuration against authoring policies.
  • It reduces the cost of ownership with simple elaboration of administration tasks.
  • It detects various compliance issues in SQL Server Management Studio.

Policy Management Terms

To have a better grip on the concept of Policy-based management there are some key terms you need to understand.

  • Target – A type of entity that is appropriately managed by Policy-based management. For example, a table, database and index, to name a few.
  • Facet -A property that can be managed in policy-based management. A clear example of facet is the name of Trigger or the Auto Shrink Property of database.
  • Conditions – Criteria that specifies the state of facet to true or false. For example, you can adjust the state of a facet that gives you clear specifications of all stored procedures in the Schema “Banking”.
  • Policy – A set of rules specified for the server objects or the properties of database.

Practical Example of Policy Management

Exploring of Facets

Facets are database objects and each of them is a container of one or more database object. First, you need to navigate the object explorer and expand the policy-based management node and the management node. You will see conditions, policies and facets nodes. SQL Server 2008 has many different facets available to use.

To view the list of facets, expand the facet node

Double click on each of these facets to the list of the facet properties.

Let us understand the two next elements of creating condition and creating policy with real life example of Statistics. We will try to create statistic property of the database. We have property of statistic IsAutoCreated. We can set that using database property window under option tab. This property takes two values True or False.

We will follow up on this property in different steps. We will first create condition and right after we will use the same condition in a policy. That policy will be evaluated by user. User will have to two options either let us evaluated by scheduled task or fix non complaining policy manually.

Create a Condition

Creation of condition in Policy-based management is the next thing after identifying the problem. In our case, we want to make sure that everywhere IsAutoCreate is set to True everywhere.

Each facet displays different kinds of properties. As we are interested in the IsAutoCreated property of the statistics we have to select facet as Statistic.

Create a Policy

Creating a policy is the next important task after creating a condition. The condition has to be created to select the proper property of the object. However, a policy is created to specify the location where the condition has to be applied.

Please follow the instructions given in the above image. Make sure to select all target databases. In given example I have two database installed on my server that brings up two different targets servers.

This brings up an interesting concept of targets. Targets are database objects. They can be whole database or single parts of the database. It may be possible that they are different kind of objects but have same kind of properties.

While creating a policy we have kept the evaluation mode as “on demand”, which means that we will be running this policy manually, instead of scheduled job. Scheduled job is good idea to run policy.

Evaluate a Policy

As in the previous step, we have selected to evaluate the policy manually; we will evaluate that using SSMS. Right click on policy brings up with lots of options. Select Evaluate from the menu, this will bring up the following image.

On the screen of Evaluate Policies there is a button which suggests evaluating the policies. Once clicked it will give the following kind of screen with a status.

You will see a green icon in the image. This icon indicates the policy evaluated the status to True. If you notice you will find that in our example all the policies are complied with.

Fix Non-complying Policy

Now, let us change the IsAutoCreate policy of one of test databases to true and run the evaluation all over again. If you observe you will notice that one of the statuses is marked as false with a little red image on the left.

Furthermore, once you select the checkbox and clicked on the Apply button you will find an additional checkbox on the side. This Apply button will raise a popup confirming that the property of the target has been changed to comply with the policy. Next, click Ok to confirm. This will change the properties of the Test database to comply with the new policy on all of our targets specified earlier.

In our example, we have manually evaluated the policy and fixed its noncompliance. With powershell you can perform the same using SQL Server Agent.

Summary

Policy-Based Management empowers you with greater control over the procedures of database as a Database Administrator. It provides you the ability to enforce paper policies at database level. Paper polices are used as guidelines for understanding database standards. However, it necessitates some skills, time and efforts to enforce these polices. You need to go with a fine toothed comb to enforce these policies. Policy-based management system helps you define these polices and ensure that they will be enforced appropriately.

Reference : Pinal Dave (http://blog.SQLAuthority.com), DNS

SQL SERVER – 2008 – Policy-Based Management – Create, Evaluate and Fix Policies

This article will cover the most spectacular feature of SQL 2008 – Policy-based management and how the configuration of SQL Server with policy-based management architecture can make a powerful difference. Policy based management is loaded with several advantages. It can help you implement various policies for reliable configuration of the system. It also provides additional administration assistance to DBAs and helps them effortlessly manage various tasks of SQL Server across the enterprise.

1 Introduction
2 Basics of Policy Management
3 Policy Management Terms
4 Practical Example of Policy Management
4.1 Exploring of Facets
4.2 Create a Condition
4.3 Create a Policy
4.4 Evaluate a Policy
4.5 Fix Non-complying Policy
5 Summary

Read complete article here.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

SQL SERVER – 2008 – Introduction to Policy Management – Enforcing Rules on SQL Server

I have previous written article about SQL SERVER Database Coding Standards and Guidelines Complete List Download. I just received question from one of the blog reader is there any way we can just prevent violation of company policy. Well Policy Management can come into handy in this scenario.

If our company policy is to create all the Stored Procedure with prefix ‘usp’ that developers should be just prevented to create Stored Procedure with any other prefix. Let us see small tutorial how to create conditions and policy which will prevent any future SP to be created with any other prefix.

Let us first create condition which defines that name of the database object should start with ‘usp’.

Now create policy for all the Stored Procedure of the database and assign previously created condition of naming convention to all the Stored Procedure of the database.

Make sure that Policy is enabled.

Now try to create Stored Procedure with incorrect name. It will not let you create it but will create error.

If you try to create Stored Procedure prefixed with ‘usp’ it will create it successfully.

Policy Management is very detailed subject and I will write more tutorial about this subject in future.

Reference : Pinal Dave (http://blog.SQLAuthority.com)