1. Enforcing Compliance With Policy-Based Management Ken Simmons, DBA

2. Contact Info Blog: http://cybersql.blogspot.com/ Email: kensimmonsii@gmail.com Twitter: @KenSimmons LinkedIN: http://www.linkedin.com/in/kensimmons

3. What is Compliance? “Conformity in fulfilling official requirements”* External Regulations HIPAA SOX PCI Internal Standards Naming Conventions http://www.flickr.com/photos/dunechaser/220636504/ *http://www.merriam-webster.com/dictionary/compliance

4. More than 494 million records have been breached since 2005* Unintended Disclosure Payment Card Fraud Physical Loss (Non-Electronic) Insider Hacking or Malware Portable Device Loss Stationary Device Loss Why Does Compliance Matter? 474 million http://www.flickr.com/photos/bheathr/2253526798 *http://www.privacyrights.org/data-breach/

5. What’s The Process? Identify Risks Develop Policies To Mitigate Risks Ensure Policies Are Being Enforced Risk Management Governance Compliance

6. Policy-Based Management Can Help! Gives you the ability to define and enforce standards Auditors Love Policies It is NOT and Enterprise Edition Feature http://www.flickr.com/photos/dunechaser/489467800/

7. The BIG Picture Servers CMS SQL 2008

8. EPMFramework http://epmframework.codeplex.com

9. PBM L33T Speak Targets are objects such as a Instances, Databases, Tables, etc. Facets expose logical groupings of properties for those objects. Conditions are made up of expressions exposed by the properties from a single Facet. A Policy evaluates a Condition against one or more Targets.

10. Creating Policies Export the Current State of an Object Import Predefined Policies Create Custom Policies Based on Facets Create Custom Policies using Advanced Conditions

11. Evaluating Policies On Demand Can “Auto Fix” Certain Violations OnSchedule Uses SQL Agent Job On Change – Log Only Writes Violations to SQL and Windows Log On Change – Prevent Uses DDL Triggers to Rollback Changes

12. Demo http://www.flickr.com/photos/winterhalter/2883847843/

13. Alerts Error Number by Evaluation Mode On change: prevent (automatic), 34050 On change: prevent (on demand), 34051 On schedule, 34052 On change, 34053 Prerequisites Configure Database Mail Create Operator Configure SQL Agent

15. SAC for Database Engine 2008 FeaturesService Account Server Facet: Service Account != 'LocalSystem' Log Retention Server Facet: NumberOfLogFiles = 99

17. SELECT COUNT(*) FROM sysloginsWHERE name = 'Builtindministrators'

18. SA Account Disabled

19. SELECT COUNT(*)FROM sysloginsWHERE name = 'sa' ANDis_disabled = 0Note: Using syslogins instead of sys.server_principals allows you to evaluate SQL 2000 Instances

20. Encryption Predefined Best Practice Policies Asymmetric Key Encryption Algorithm Symmetric Key Encryption for User Databases Symmetric Key for master Database Symmetric Key for System Databases Transparent Data Encryption Database Facet: EncryptionEnabled = True Extensible Key Management Server Configuration Facet: ExtensibleKeyManagementEnabled = True

21. Audit Predefined Best Practice Policies SQL Server Default Trace Login Auditing Server Audit Facet: LoginAuditLevel = All SQL Server Audit Server Facet: AuditLevel = All Audit Facet: Enabled = True & OnFailure = Shutdown Database Audit Specification Facet: Enabled = True Server Audit Specification Facet: Enabled = True

22. Resources Pro SQL Server 2008 Policy-Based Management http://www.apress.com/book/view/9781430229100 MSDN Policy-Based Management Blog http://blogs.msdn.com/sqlpbm/ SQL Server 2008 Compliance Guide http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en Deploying SQL Server 2008 Based on PCI DSS http://www.parentebeard.com/Uploads/Files/Deploying_SQL_Server_2008_Based_on_PCI_DSS.PDF

23. Questions?