In this post, I provide my solution for the Security vs. Monitoring puzzle. I will use module signing.
First, let’s think a little proactively: I assume there will be more special requests in the future where we need to create further monitoring code, so I create a separate database called ‘monitoring’. The ‘monitoring’ user will have rights only in this database, and only as many as it really needs.
USE [master]
GO
CREATE DATABASE [monitoring]
GO
CREATE LOGIN [monitoring] WITH PASSWORD=N'M0n!t0r!ng$tr0ngP@$$w0rd', DEFAULT_DATABASE=[monitoring], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
GO
GRANT VIEW SERVER STATE TO [monitoring]
GO
USE [monitoring]
GO
ALTER AUTHORIZATION ON DATABASE::[monitoring] TO [sa]
GO
CREATE USER [monitoring] FOR LOGIN [monitoring]
GO
After that I create a stored procedure called ‘usp_monitor’ with an EXECUTE AS clause; this user-defined stored procedure calls sp_monitor. I grant execute permission on it to the ‘monitoring’ user.
USE [monitoring]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE PROCEDURE [dbo].[usp_monitor]
WITH EXECUTE AS 'dbo'
AS
BEGIN
    EXECUTE sp_monitor
END
GO
GRANT EXECUTE ON [dbo].[usp_monitor] TO [monitoring]
GO
Nothing special so far. As I mentioned before, I use module signing to provide all the necessary permissions. For this I create a certificate in the ‘monitoring’ database, then I sign usp_monitor with this certificate. After that I back up the certificate and delete its private key part, so that nobody can re-sign the stored procedure after a modification without the private key.
USE [monitoring]
GO
CREATE CERTIFICATE monitoring_cert
    ENCRYPTION BY PASSWORD = '$trong!P@ssWD'
    WITH SUBJECT = 'Signing cert for Monitoring'
GO
ADD SIGNATURE TO usp_monitor
    BY CERTIFICATE monitoring_cert WITH PASSWORD = '$trong!P@ssWD'
GO
BACKUP CERTIFICATE monitoring_cert TO FILE = 'monitoring.cer'
    WITH PRIVATE KEY (
        DECRYPTION BY PASSWORD = '$trong!P@ssWD',
        FILE = 'monitoring_cer.pvk',
        ENCRYPTION BY PASSWORD = '$trong!P@ssWD'
    );
GO
ALTER CERTIFICATE monitoring_cert REMOVE PRIVATE KEY
GO
Finally, I restore the public part of the certificate into the master database, create a login from it, and grant the AUTHENTICATE SERVER privilege to this login.
USE [master]
GO
CREATE CERTIFICATE monitoring_cert FROM FILE = 'monitoring.cer'
GO
CREATE LOGIN monitoring_cert_login FROM CERTIFICATE monitoring_cert
GO
GRANT AUTHENTICATE SERVER TO monitoring_cert_login
GO
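As an added verification script (not part of the original post), the following checks the finished setup from a defender's point of view: the signature is in place, the private key is gone from the database, the certificate login holds nothing beyond what was granted, and the low-privileged login can reach sp_monitor only through the signed wrapper. It assumes the names used above and that it is run by a sysadmin, so that EXECUTE AS LOGIN is permitted.

```sql
USE [monitoring];
GO
-- 1. usp_monitor carries a certificate signature and the signing certificate
--    holds no private key here. SQL Server drops the signature when a signed
--    module is altered, so this query doubles as a cheap integrity check.
SELECT OBJECT_NAME(cp.major_id)       AS module_name,
       c.name                         AS certificate_name,
       cp.crypt_type_desc,                         -- expect SIGNATURE BY CERTIFICATE
       c.pvt_key_encryption_type_desc              -- expect NO_PRIVATE_KEY
FROM sys.crypt_properties AS cp
JOIN sys.certificates     AS c  ON c.thumbprint = cp.thumbprint
WHERE cp.major_id = OBJECT_ID('dbo.usp_monitor');
GO
-- 2. Everything granted at server scope to the certificate login; anything
--    beyond AUTHENTICATE SERVER deserves a second look.
SELECT sp.name, sp.type_desc, perm.permission_name, perm.state_desc
FROM master.sys.server_principals  AS sp
JOIN master.sys.server_permissions AS perm ON perm.grantee_principal_id = sp.principal_id
WHERE sp.name = 'monitoring_cert_login';
GO
-- 3. Seen from the 'monitoring' login: not sysadmin, allowed to run the wrapper,
--    refused when calling sp_monitor directly, successful through usp_monitor.
EXECUTE AS LOGIN = 'monitoring';
SELECT IS_SRVROLEMEMBER('sysadmin')                              AS is_sysadmin,      -- expect 0
       HAS_PERMS_BY_NAME('dbo.usp_monitor', 'OBJECT', 'EXECUTE') AS can_exec_wrapper; -- expect 1
BEGIN TRY
    EXEC sp_monitor;   -- direct call: expected to fail, sp_monitor requires sysadmin
    SELECT 'UNEXPECTED: direct sp_monitor call succeeded' AS finding;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
EXEC dbo.usp_monitor;  -- via the signed wrapper: expected to return sp_monitor's output
REVERT;
GO
```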
We are done. Only one thing is left: move the certificate backup (especially the private key part) to a secure place. If you have any questions, feel free to contact me, leave a comment or drop me a mail /robertATsqlapprenticeDOTnet/.
Later on I will provide some very useful links and articles about this topic.