SQL Server Security Audit (Part 3) – Operating System Level Audit
Operating system level audits
Typically, most DBAs have remote access privilege to the Windows machine hosting the database server. If you have administrator privilege in the Windows box (or VM), you can take some time to try the following:
Windows security log
This should actually be part of the DBA’s daily checks. However, as part of your initial audit, check the Windows security log. The security log in the Event Viewer can show you the unsuccessful login attempts to your SQL Server.
You can filter the security log with various options. For example, you may be only interested in failed login attempts.
If there are a large number of unsuccessful login attempts – whether from the same source or from multiple sources – pay attention and note it down; this needs to be looked at. However, it does not necessarily mean that somebody is trying to hack into your server: it may simply be a service account that has been locked out.
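The following script is an added example and is not part of the original article: it summarises the failed logon attempts on the SQL Server host so that a burst from one source or against one account stands out, and it separates a locked-out account from a wrong password. It assumes an elevated PowerShell 3.0 or later session on the host, Windows Server 2008 or later (where a failed Windows logon is Security event 4625), and a default SQL Server instance, whose own failed-login messages are Application event 18456 from the provider MSSQLSERVER (a named instance logs under MSSQL$InstanceName). The audit window $Since is an assumption; adjust it to the period you are reviewing.

```powershell
# Added example (not from the original article).
# Assumes: elevated PowerShell 3.0+, Windows Server 2008+, default SQL Server instance.

$Since = (Get-Date).AddDays(-7)   # audit window (assumption); adjust as needed

# Sub-status codes carried in event 4625 that tell a locked-out service account
# apart from a wrong password or an unknown account.
$SubStatusText = @{
    '0xc0000234' = 'account locked out'
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'account does not exist'
    '0xc0000072' = 'account disabled'
    '0xc0000071' = 'password expired'
}

function Get-FailedWindowsLogons {
    param([datetime]$StartTime)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $StartTime
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The structured fields of the event live in the EventData section of its XML.
        $data   = ([xml]$e.ToXml()).Event.EventData.Data
        $sub    = (($data | Where-Object { $_.Name -eq 'SubStatus' }).'#text')
        $reason = $sub
        if ($sub -and $SubStatusText.ContainsKey($sub.ToLower())) { $reason = $SubStatusText[$sub.ToLower()] }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            SourceIP    = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            Workstation = ($data | Where-Object { $_.Name -eq 'WorkstationName' }).'#text'
            Reason      = $reason
        }
    }
}

function Get-FailedSqlLogins {
    param([datetime]$StartTime, [string]$Provider = 'MSSQLSERVER')
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $Provider; Id = 18456; StartTime = $StartTime
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Message shape: Login failed for user 'x'. Reason: ... [CLIENT: 10.0.0.5]
        $m = [regex]::Match($e.Message, "user '(?<user>[^']*)'.*\[CLIENT: (?<client>[^\]]*)\]")
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Account  = $m.Groups['user'].Value
            SourceIP = $m.Groups['client'].Value
        }
    }
}

# Report: count per (account, source, reason), busiest first. A single account with
# many 'account locked out' entries is the service-account case; many distinct
# accounts or sources with 'wrong password' is what needs looking at.
"== Failed Windows logons since $Since =="
Get-FailedWindowsLogons -StartTime $Since |
    Group-Object Account, SourceIP, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

"== Failed SQL Server logins since $Since =="
Get-FailedSqlLogins -StartTime $Since |
    Group-Object Account, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The Application log is included because SQL Server writes its own "Login failed for user" message there rather than to the Security log, so an audit that reads only the Security log sees Windows logon failures to the host but not failed SQL logins to the instance.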
Local administrator group
Members of the Local Administrators group are also by default members of the sysadmin fixed server role. Even if the role privilege has been explicitly revoked, local administrators still have full access to the Windows environment.
If you have administrator privilege in the Windows machine hosting the SQL Server, you may be interested to know who else has that privilege. To find out, start the “Computer Management” applet from the “Administrative Tools” program group and then browse to the “Local Users and Groups” node.
If you double click on the “Administrators” group, it will show you a list of local administrators of the machine.
By default, only the built-in administrator account and the “Domain Admins” group should be listed here. You may also find your account (as the DBA) or a Windows group for DBAs listed here. However, if you see accounts or groups that you know should not have this privilege – note it down.
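The following script is an added example and is not part of the original article. It does from PowerShell what the Computer Management steps above do by hand: it lists the members of the local Administrators group, flags any that are not on an expected list, and then cross-checks which logins currently hold the sysadmin role on the instance, since that is the privilege the local administrators inherit. It assumes an elevated PowerShell 5.1 or later session on the SQL Server host (Get-LocalGroupMember comes from the built-in Microsoft.PowerShell.LocalAccounts module on Windows Server 2016 / Windows 10 and later; on older systems use "net localgroup Administrators" for the first part), a default instance reached with Windows authentication, and that the $Expected list is a constructed sample to be replaced with your own. Note that from SQL Server 2008 onwards setup no longer grants sysadmin to BUILTIN\Administrators, so the final check tells you whether that default (or a later grant) applies on this particular instance.

```powershell
# Added example (not from the original article).
# Assumes: elevated PowerShell 5.1+, default instance, Windows authentication.

# Constructed sample of who is allowed to be a local administrator; replace it.
$Expected = @("$env:COMPUTERNAME\Administrator", "$env:USERDOMAIN\Domain Admins")

function Get-LocalAdminReport {
    param([string[]]$ExpectedMembers)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Member   = $_.Name
            Type     = $_.ObjectClass        # User or Group
            Source   = $_.PrincipalSource    # Local or ActiveDirectory
            Expected = ($ExpectedMembers -contains $_.Name)
        }
    }
}

function Get-SysadminLogins {
    param([string]$Instance = '.')
    # System.Data.SqlClient ships with .NET, so no SQL Server module is required.
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Database=master;Integrated Security=True"
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.name
"@
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Login    = $reader['name']
                Type     = $reader['type_desc']
                Disabled = [bool]$reader['is_disabled']
            }
        }
    } finally {
        $conn.Dispose()
    }
}

"== Members of local Administrators (Expected = False goes into the audit notes) =="
Get-LocalAdminReport -ExpectedMembers $Expected | Format-Table -AutoSize

"== Logins holding sysadmin on the instance =="
$sysadmins = @(Get-SysadminLogins)
$sysadmins | Format-Table -AutoSize

# If the built-in group is itself a sysadmin login, every local administrator
# listed above is effectively a SQL Server sysadmin, whether or not they are a DBA.
if ($sysadmins.Login -contains 'BUILTIN\Administrators') {
    'BUILTIN\Administrators holds sysadmin: every local administrator is a SQL Server sysadmin.'
}
```

Keeping the two lists side by side in the audit record is what makes the later comparison useful: an account that appears in the Administrators group today but was not there at the initial audit is exactly the kind of change the daily check should catch.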