Quantcast
Viewing all articles
Browse latest Browse all 2

Security vs. Monitoring – Solution by using module signing

In this post, I provide my solution for the Security vs. Monitoring puzzle. I will use module signing.

First, let’s think a little bit proactive and I assume that there will be more special request in the future when we need to create some further code for monitoring, so I create a separate database called ‘Monitoring’. The ‘monitoring’ user will have rights only in this database, and just as much as it really needed.

USE [master]
GO
CREATE DATABASE [monitoring]
GO
CREATE LOGIN [monitoring] WITH PASSWORD=N'M0n!t0r!ng$tr0ngP@$$w0rd', DEFAULT_DATABASE=[monitoring], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
GO
GRANT VIEW SERVER STATE TO [monitoring]
GO

USE [monitoring]
GO
ALTER AUTHORIZATION ON DATABASE::[Monitoring] TO [sa]
GO
CREATE USER [monitoring] FOR LOGIN [monitoring]
GO

After that I create a stored procedure called ‘usp_monitor’ with EXECUTE AS clause and in this user defined stored procedure the sp_monitor is called. I grant execute permission to the ‘monitoring’ user.

USE [monitoring]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

CREATE PROCEDURE [dbo].[usp_monitor]
WITH EXECUTE AS 'dbo'
AS
BEGIN
	EXECUTE sp_monitor
END
GO

GRANT EXECUTE ON [dbo].[usp_monitor] TO [monitoring]
GO

Nothing special so far. As I mentioned before, I use module signing to provide all the necessary permissions. For this I create a certificate in the ‘monitoring’ database then I sign the usp_monitoring with this certificate. After that I backup this certificate and then delete the primary key part so no-one can sign again the stored procedure in case of any modification without the primary key.

USE [monitoring]
GO
CREATE CERTIFICATE monitoring_cert ENCRYPTION BY PASSWORD = '$trong!P@ssWD' WITH SUBJECT = 'Signing cert for Monitoring'
GO
ADD SIGNATURE TO usp_monitor BY CERTIFICATE monitoring_cert WITH PASSWORD = '$trong!P@ssWD'
GO

BACKUP CERTIFICATE monitoring_cert TO FILE = 'monitoring.cer'
WITH PRIVATE KEY ( DECRYPTION BY PASSWORD = '$trong!P@ssWD',
	FILE = 'monitoring_cer.pvk' ,
    ENCRYPTION BY PASSWORD = '$trong!P@ssWD' );
GO
ALTER CERTIFICATE monitoring_cert REMOVE PRIVATE KEY
GO

In the end, I restore the public part of the certificate to the master database, and I create a login from it, and grant authenticate server privilege to this login.

USE [master]
GO
CREATE CERTIFICATE monitoring_cert FROM FILE = 'monitoring.cer'
GO
CREATE LOGIN monitoring_cert_login FROM CERTIFICATE monitoring_cert
GO
GRANT AUTHENTICATE SERVER TO monitoring_cert_login
GO

We are done. Only one thing left. Move the certificate (especially the private key part) to secure place. If you have any question feel free to contact me, leave a comment or drop me a mail /robertATsqlapprenticeDOTnet/.

Further on I will provide some very useful links/articles about this topic.


Viewing all articles
Browse latest Browse all 2

Trending Articles