In this article on SQL Server auditing best practices, we will show the best practices that should be followed to have a successful auditing strategy that complies with the company's audit policies and requirements.

In the previous articles of this SQL Server Audit series (see TOC below), we discussed the main concepts of a SQL audit, why we need to audit our SQL Server instances, and the different techniques that can be used to track and log the changes performed on SQL Server instances at various levels. If you have just arrived at this article, it may make sense to go back and review those first.

SQL Server Auditing Best Practices 1: Set an Audit Goal

Before drawing up the SQL Server audit strategy that you will use, it is recommended to ask yourself an important question on which all other steps will be built: why do you need an audit solution?

Some companies require an audit solution to track and log the changes that are performed on their databases and SQL Server instances, in order to keep critical data, such as personal, financial and customer information, secure from illegal access or from falling into competitors' hands. On the other hand, you will find international companies that require an audit solution to meet specific compliance requirements, such as PCI, HIPAA, SOX, etc., and to be trusted to provide services such as online payments.

When you specify why you need an audit solution, you can easily proceed with designing a proper SQL Server audit solution, without the need for major changes after it is deployed and running.

SQL Server Auditing Best Practices 2: Set an Audit Scope

It is highly recommended to specify how deep you will dive into your audit solution. A SQL Server audit scope depends mainly on the business compliance requirements and organization regulations. From the goal of your audit, you can decide whether you will audit all your SQL Servers or only a specific SQL Server instance, whether to include all the user databases in the audit strategy or only the one database that contains the financial data or the customer information, and, within the selected database, whether you will audit all the database tables or only the tables that contain critical information. In all cases, it is also recommended to make sure that the SQL audit trail covers all phases of the transaction that processes the sensitive data in your database.

After specifying what to audit, you need to narrow down the audit scope by specifying the list of events that should be tracked and logged. But this does not mean that you should skip tracking and logging the most important actions that characterize any optimal SQL audit solution. These actions include auditing:

  • Failed logins
  • SQL Server login changes, such as creating a new login, dropping a login, and granting or revoking permission from that user
  • SQL Server database user changes, such as creating or dropping database users and granting permission to or revoking permission from that database user
  • Database and table schema changes
  • Changes that are performed on the SQL Server Audit solution

Taking that into consideration, narrowing down your SQL audit scope will result in a smaller amount of data that contains only the useful information that is really required. This subset of data can be easily used to identify any issue, requires less storage space, has the least possible performance overhead on the audited servers, and achieves the main goal of a SQL audit: ensuring that only the right authorized users are accessing the data to perform valid, required actions.
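
As an added example (not from the original article), the event list above can be expressed with the native SQL Server Audit feature as follows. The audit and specification names, the `D:\SQLAudit\` folder, the `SalesDB` database and the `dbo.Payments` table are assumptions for illustration.

```sql
-- Added example: names, path, database and table are hypothetical.
USE master;
GO
-- Audit target. The folder must exist and be writable by the SQL Server
-- service account, and readable only by the people who review the audit.
CREATE SERVER AUDIT Audit_Baseline
TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_Baseline WITH (STATE = ON);
GO
-- Instance-wide events from the list above.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Baseline
FOR SERVER AUDIT Audit_Baseline
    ADD (FAILED_LOGIN_GROUP),                     -- failed logins
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),          -- CREATE / ALTER / DROP LOGIN
    ADD (SERVER_PERMISSION_CHANGE_GROUP),         -- GRANT / REVOKE / DENY at server level
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),        -- CREATE / ALTER / DROP USER
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),       -- GRANT / REVOKE / DENY at database level
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),  -- GRANT / REVOKE / DENY on tables and other objects
    ADD (DATABASE_OBJECT_CHANGE_GROUP),           -- database-level objects such as schemas
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),             -- tables, views, procedures
    ADD (AUDIT_CHANGE_GROUP)                      -- changes to the audit itself
WITH (STATE = ON);
GO
-- Narrow data-access auditing to the one table that holds critical data.
USE SalesDB;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_Payments
FOR SERVER AUDIT Audit_Baseline
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Payments BY public)
WITH (STATE = ON);
GO
```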

SQL Server Auditing Best Practices 3: Pick an Audit Tool or Technology

The SQL Server Audit technology and/or tool of choice depends on the audit goal, audit target, and your budget.

  • Extended Events or SQL Triggers methods
  • Change Data Capture, Change Tracking or System-versioned Temporal Table methods
  • SQL Server Audit feature, which requires extra administration and reporting efforts
  • 3rd party audit tool, such as ApexSQL Audit, that requires one-minute configuration effort and zero administration effort with built-in reports

Reflecting the audit scope and objective in the choice of SQL audit tool will help in designing an audit solution that functions properly and achieves the goal behind it.

SQL Server Auditing Best Practices 4: Review your Audit Data

After collecting the SQL Server audit data, it is not a best practice to leave this information in the repository until a disaster occurs and only then review it. The SQL audit data should be reviewed periodically, minimally once a week, by checking the most critical actions and searching for any action that breaks the company security policies. In this way, you will be proactive and prevent the occurrence of any threat, or at minimum catch it at the beginning.

The excuse that most SQL Server database administrators or security team members give for not reviewing these traces is that there is an excessive number of logs to review. You can overcome that issue, from the beginning, by specifying the scope of the SQL audit properly. In this case, only the database tables that contain the critical data will be involved in the SQL audit solution. In addition, only the critical actions on the involved tables performed by non-service accounts will be tracked and logged. In this way, you will have only useful and meaningful information in the SQL Server audit repository.

Another best practice here is creating a simple dashboard, or simply a report, that reads from the SQL audit repository, lets you filter for only the actions that you are currently interested in, and presents them in a user-friendly, easy-to-track format. In addition, real-time alerts should be configured proactively to notify the database administrator or the security team when a specific action does not meet the corporate data usage standards, to catch such activity from the beginning and prevent any compliance risks.
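
A weekly review report of the kind described above could start from a query like this one, added here as an example and not taken from the original article. It assumes the audit writes to files under `D:\SQLAudit\` and that `CORP\svc_app` and `CORP\svc_etl` are the known service accounts; all of these names are hypothetical.

```sql
-- Added example: path and service-account names are hypothetical.
DECLARE @since datetime2 = DATEADD(DAY, -7, SYSUTCDATETIME());  -- event_time is stored in UTC

DECLARE @service_accounts TABLE (login_name sysname PRIMARY KEY);
INSERT INTO @service_accounts VALUES (N'CORP\svc_app'), (N'CORP\svc_etl');

SELECT  af.event_time,
        af.action_id,
        af.succeeded,
        af.server_principal_name,
        af.database_name,
        af.schema_name,
        af.object_name,
        af.statement
FROM    sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS af
WHERE   af.event_time >= @since
  AND (
        -- Security-relevant events: always shown, whoever performed them.
        -- LGIF = login failed; CR/AL/DR = create/alter/drop;
        -- G/R/D = grant/revoke/deny; AUSC = audit session changed.
        af.action_id IN ('LGIF', 'CR', 'AL', 'DR', 'G', 'R', 'D', 'AUSC')
        OR
        -- Data access on audited tables: hide the known service accounts only here.
        ( af.action_id IN ('SL', 'IN', 'UP', 'DL')
          AND af.server_principal_name COLLATE DATABASE_DEFAULT
              NOT IN (SELECT login_name FROM @service_accounts) )
      )
ORDER BY af.event_time DESC;
```

The service-account filter is applied only to data access, so failed logins and permission changes made under a service account still appear in the report.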

SQL Server Auditing Best Practices 5: Define your Audit Strategy Roles

When designing a SQL audit strategy, make sure to assign the roles within the audit strategy in an isolated, secure way. For example, it makes no sense for the audited user to be responsible for reviewing the audit report or administering the audit repository database.

SQL Server Auditing Best Practices 6: Audit your Audit

Monitoring the changes that are performed on the SQL Server audit solution itself is considered to be a best practice, to ensure that no one has tampered with what is being audited. Although your audit trail may show that it is in compliance, most auditors will not trust audit log information without an integrity check of the audit itself as evidence that all eventualities are covered.

Auditing your audit can secure your audit solution from two action types. First, it will catch any activities performed by authorized users who had the forethought to disable auditing before performing their illegal activity. Second, it will act as a reminder if the database administrator disabled the auditing solution when the SQL Server started performing poorly but forgot to re-enable the audit tool, which may increase the possibility of a vulnerability occurring.
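
Both cases above can be checked with the catalog views and the audit file itself. The following is an added example, not part of the original article; it assumes the SQL Server Audit feature is in use, that audit changes are being recorded (AUDIT_CHANGE_GROUP), and that audit files are under the hypothetical path `D:\SQLAudit\`.

```sql
-- Added example: the audit file path is hypothetical.
-- 1. Audits that are defined but disabled or not running
--    (the "forgot to re-enable" case).
SELECT  a.name, a.is_state_enabled, s.status_desc, s.status_time
FROM    sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s
       ON s.audit_id = a.audit_id
WHERE   a.is_state_enabled = 0
   OR   s.status_desc IS NULL
   OR   s.status_desc <> 'STARTED';

-- 2. Specifications that are switched off.
SELECT  name, is_state_enabled, modify_date
FROM    sys.server_audit_specifications
WHERE   is_state_enabled = 0;

--    Run this one in each audited database.
SELECT  DB_NAME() AS database_name, name, is_state_enabled, modify_date
FROM    sys.database_audit_specifications
WHERE   is_state_enabled = 0;

-- 3. Who stopped, started or altered the audit, and when.
--    AUSC = audit session changed; class types A / SA / DA are the
--    server audit, server audit specification and database audit specification.
SELECT  event_time, action_id, class_type, server_principal_name, statement
FROM    sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE   action_id = 'AUSC'
   OR   class_type IN ('A', 'SA', 'DA')
ORDER BY event_time DESC;
```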

SQL Server Auditing Best Practices 7: Archive your Audit Data

SQL Server audit data volume will potentially increase with time, which makes it harder to review and to use for identifying risky issues. It is also considered a best practice to archive the old audit data, based on the standard data archiving and retention policies of your company, and to put the active and archive audit databases on a central SQL Server instance, which makes it easier to find the audit information and to review past audits again when required.

Building a proper SQL Server audit strategy that achieves your auditing goals requires understanding the main goal and scope of your audit, choosing a suitable auditing tool or technology, and reviewing the audit logs continuously. Following the mentioned best practices will transform a SQL audit process into a “data bodyguard” that works in the shadows without affecting the business flow while protecting it from any external or internal risks.

Table of contents

SQL Server Audit Overview
Implementing a manual SQL Server Audit
Creating a SQL Server audit using SQL Server Extended Events and Triggers
Auditing by Reading the SQL Server Transaction Log
Change Data Capture for auditing SQL Server
Creating a SQL Server audit using SQL Server Change Tracking
SQL Server Audit Feature Components
Using the SQL Server Audit Feature to Audit Different Actions
Performing a SQL Server Audit using System-Versioned Temporal Tables
Perform a SQL Server Audit using ApexSQL Audit
SQL Server Auditing Best Practices

Translated from: https://www.sqlshack.com/sql-server-auditing-best-practices/
