PASS SQL SATURDAY

I am always amazed at how many people have still not heard of SQL Saturday a series of events put on by the Professional Association of SQL Server. At the presentation Jeff Szastak and I gave at VMworld on Virtualizing SQL Server: Doing IT RIght, we had an audience of about 800 people each time we spoke. At each presentation I asked the question how many people in the audience had heard of SQL Saturday’s and only about 50 people out of 800 raised their hands each time. 

These events are run all over the world. They cost very little and are packed with a whole lot of great Technical content taught by people working with SQL Server in the trenches.

Want to meet a real life Microsoft MVP, attend a SQL Saturday. At every SQL Saturday event I have attended I have met a number of Microsoft MVP’s.  Want to feel part of the SQL Server community; this is a great way to become part of it. At these events, I have met some great people and made a lot of good friends.

On December 8^th in Washington DC, I will be presenting at SQL Saturday #173. There will be 5 sessions running every hour from 7:30 am to 5:00 pm.

Sample of Sessions at SQL Saturday 173, Washington DC

5 Common SQL Server Performance Issues, Jason Hall

A Complete BI Solution in About an Hour! , Aaron King

DBA Worst Practices, Disasters and Horror Stories, Mike Walsh

Designing an SSIS Framework , Andy Leonard

Minimally Invasive - Tools to Doctor Up Your Code, Wayne Sheffield (Ntirety)

Much Ado About Indexes - Tips, Tricks and TSQL, Robert Perl

Reporting Services for Mere DBAs, Jason Brimhall (Ntirety)

SQL Azure - What is it and why do you need it?, Scott Klein

Tax, Finance, and Money Tips for consultants, Brian Moran

Virtualizing SQL 2012: Doing It Right, Michael Corey (Ntirety)

More About SQL Saturday 173

SQLSaturday is a training event for SQL Server professionals and those wanting to learn about SQL Server. This event will be held Dec 8 2012 at the Microsoft MTC , 5404 Wisconsin Ave Suite 700, Chevy Chase, MD 20815. Admittance to this event is free, but we do charge a lunch fee of 10.00 so that we can provide a lunch - not pizza! 

To learn more about  SQL Saturday 173 Click Here

Future SQL Saturday Events

Michael Corey

Founder & CEO, Ntirety

www.ntirety.com 

My Personal Twitter Account: Michael_Corey

Ntirety Corporate Twitter Account: Ntirety

Database Administration As A Service® is a registered trademark of Ntirety, Inc

SQLSaturday #158 - NYC

The NYC SQL Saturday event #158 will be taking place on Saturday August 4th in the Microsoft NYC Office at 1290 Avenue of the Americas.  This much anticipated event features many prominent SQL Server community speakers, MVP’s and vendors, so this is a must-attend event for anyone who works with or is interested in learning more about SQL Server. 

To Quote another Blog I recently read "48 amazing sessions by some of the most respected people in the SQL Server community.  I have my ticket, hope to see you there"

More information on the event and the link to register can be found off of the SQL Saturday website located here. 

SQLSaturday Event Schedule NYC

Track    Starts    Session Title    Speaker
Track 1    08:30 AM    Kickoff / Keynote    SQL Saturday SQL Saturday
Track 1    09:00 AM    Microsoft's Big Play for Big Data    Andrew Brust
Track 1    10:15 AM    SQL Server Internals & Architecture    Kevin Kline
Track 1    11:30 AM    Lunch Break    SQLSaturday 158
Track 1    12:30 PM    SQL Azure - What is it and why do I need it?    Scott Klein
Track 1    01:45 PM    SQL Azure Scalability with Federations    Scott Klein
Track 1    03:00 PM    Designing an SSIS Framework    Andy Leonard
Track 1    04:15 PM    Loading the Cloud    Andy Leonard
Track 1    5:30 PM    Closing / Prizes    SQL Saturday SQL Saturday
Track 2    08:30 AM    Kickoff / Keynote    SQL Saturday SQL Saturday
Track 2    09:00 AM    Performance Tuning SQL Server Integration Services    Brian Knight
Track 2    10:15 AM    Data Cleansing with SSIS 2012    Brian Knight
Track 2    11:30 AM    Lunch Break    SQLSaturday 158
Track 2    12:30 PM    Building Faster SQL Servers    Brent Ozar
Track 2    01:45 PM    Real-Life SQL 2012 Availability Group Deployments    Brent Ozar
Track 2    03:00 PM    What's new in SQL Server 2012 - from A to Z    Kevin Goff
Track 2    04:15 PM    SQL Server 2012 Columnstore index    Kevin Goff
Track 2    5:30 PM    Closing / Prizes    SQL Saturday SQL Saturday
Track 3    08:30 AM    Kickoff / Keynote    SQL Saturday SQL Saturday
Track 3    09:00 AM    Programming T-SQL Enhancements in SQL Server 2012    Leonard Lobel
Track 3    10:15 AM    Introducing SQL Server Data Tools    Leonard Lobel
Track 3    11:30 AM    Lunch Break    SQLSaturday 158
Track 3    12:30 PM    Much Ado about Indexes - Tips, Tricks and Tuning..    Robert Pearl
Track 3    01:45 PM    Alright,WHY is the server REALLY running so slow!    Steve Simon
Track 3    03:00 PM    But it worked great in Dev! Perfomance for Devs    Randy Knight
Track 3    04:15 PM    What's Buried in the Plan Cache?    Christina Leo
Track 3    5:30 PM    Closing / Prizes    SQL Saturday SQL Saturday
Track 4    08:30 AM    Kickoff / Keynote    SQL Saturday SQL Saturday
Track 4    09:00 AM    Virtualizing Tier-1 SQL Server Databases On VMware    Michael Corey
Track 4    10:15 AM    Hadoop and its Ecosystem Components in Action    Andrew Brust
Track 4    11:30 AM    Lunch Break    SQLSaturday 158
Track 4    12:30 PM    Moves like Jagger - Upgrading to SQL Server 2012    Mark Broadbent
Track 4    01:45 PM    READPAST & Furious-Transactions.Locking.Isolation.    Mark Broadbent
Track 4    03:00 PM    How Not to Be a Cranky DBA    Mike Hillwig
Track 4    04:15 PM    SQL Server Dos and Don'ts: Keys to DBA Nirvana    Allan Hirt
Track 4    5:30 PM    Closing / Prizes    SQL Saturday SQL Saturday
Track 5    08:30 AM    Kickoff / Keynote    SQL Saturday SQL Saturday
Track 5    09:00 AM    Replicaton Technologies    Hilary Cotter
Track 5    10:15 AM    Temporal Fact Tables: The Road Less Traveled    Martin Schoombee
Track 5    11:30 AM    Lunch Break    SQLSaturday 158
Track 5    12:30 PM    Get-PowerShell | Get-SQLServer    SB Chatterjee
Track 5    01:45 PM    Real World Integration Services: Excel Spreadsheet    Todd McDermid
Track 5    03:00 PM    Mastering Date-Time Based Analysis in DAX    Dan Clark
Track 5    04:15 PM    Full Text Indexing Basics    John Miner
Track 5    5:30 PM    Closing / Prizes    SQL Saturday SQL Saturday
Track 6    08:30 AM    Kickoff / Keynote    SQL Saturday SQL Saturday
Track 6    09:00 AM    Without A SQLTrace - Getting To Know Extended Even    AJ Mendo
Track 6    10:15 AM    Seven SQL Agent Jobs You Should be Running    Mike Hillwig
Track 6    11:30 AM    Lunch Break    SQLSaturday 158
Track 6    12:30 PM    Introduction to Data Quality Services    Marc Jellinek
Track 6    01:45 PM    Shred SQL Server XML.    Alex Grinberg
Track 6    03:00 PM    Running SQL Server on Solid State Drives    Linchi Shea
Track 6    04:15 PM    Enriching Applications with SSAS Data Mining    Peter Myers
Track 6    5:30 PM    Closing / Prizes    SQL Saturday SQL Saturday
Track 7    08:30 AM    Kickoff / Keynote    SQL Saturday SQL Saturday
Track 7    09:00 AM    Writing Faster Stored Procedures and Functions    Andy Novick
Track 7    10:15 AM    I Got Your Back (Up)...    Mark Swofford
Track 7    11:30 AM    Lunch Break    SQLSaturday 158
Track 7    12:30 PM    Team Management Fundamentals    Kevin Kline
Track 7    01:45 PM    Advanced Charting Techniques in SSRS    Jason Thomas
Track 7    03:00 PM    Slowly changing dimensions- an integrated approach    Mark Stacey
Track 7    04:15 PM    SSAS 2012 Tabular vs. Multidimensional    William E. Pearson III
Track 7    5:30 PM    Closing / Prizes    SQL Saturday SQL Saturday
Track 8    08:30 AM    Kickoff / Keynote    SQL Saturday SQL Saturday
Track 8    09:00 AM    SQL 2012 Error Handling. Pick your Destiny    Rick Morelan
Track 8    10:15 AM    (SQL,SSIS,MDS) Adv Fuzzy Matching Roll Your Own    Ira Whiteside
Track 8    11:30 AM    Lunch Break    SQLSaturday 158
Track 8    12:30 PM    Creating a Performance Baseline for SQL Server    Ron Johnson
Track 8    01:45 PM    Surviving Your Peak Database Load    Ben DeBow
Track 8    03:00 PM    Know Backups and Know Recovery    Tim Radney
Track 8    04:15 PM    Deploying SQL Server 2012 Multi-site Clusters    Edwin Sarmiento
Track 8    5:30 PM    Closing / Prizes    SQL Saturday SQL Saturday

My Soap Box

These events are a must attend for anyone who is serious about there careers in the SQL Server Community. They feature a full day of free training taught my some of the best in the industry. I have attended a number of these over the years. They are awesome.  My own talk is being co-presented by Jeff Szastak from VMware. One of the true experts on SQL Server within VMware. 

Not only do you get some great tech talk you get to go to one of the greatest cities in the world. On top of that all the speakers are very approachable. I have made a number of good friends at these events over the years. I wish when I was active on the PASS board I had thought of this. I don’t know who did, but who ever did, it’s a truly awesome event.

If you had to pay for this training, it would be priceless. Yet the price of admission is giving up a Saturday.  A very fair tradeoff if you asked my opinion.  Look forward to seeing you there.

My presentation with Jeff Szastak will be on SQLServer and doing it right on VMware.

Michael Corey

Founder & CEO, Ntirety

www.ntirety.com 

My Personal Twitter Account: Michael_Corey

Ntirety Corporate Twitter Account: Ntirety

Database Administration As A Service® is a registered trademark of Ntirety, Inc

SQLpeople was truly Unique and inspiring 

For over 20 years I have been very active in the Technology community. At this point in time I thought I had seen it all. Yet an event comes along like no other SQLPeople in New Your City.

This event was all about the people. To quote the  SQLPeople site 

SQLPeople is about inspiring database professionals to challenge “Why?” with “Why not?”

It’s about the context of what has been done, understanding what can be done, and focusing the vision for what will be done.

It’s about thinking and engineering, imagination and innovation. Most of all, it’s about community.

The event accomplished this and a lot more. I came away from the event thinking about a lot of things in a completely different way. I am not surprised by this fact as I got to know the many people active behind the scenes. People like Matt Velic, Brian Moran, Andy Leonard, Melissa Demsak and Robert Perl to name a few. They really care and that carries through the whole event. They have created a sense of community. A community I am proud to be part of.

As I sat through the Many presentations...

Telecommuting and the Virtual Office: Making the Case to Convince your Boss, Robert Perl

SQL Someday, Thomas Larock

Navigating the New Job Market, Michael Coles

Professional Services 2.0, Brian Moran

Finding Balance, Steve Jones

Big Data, BI, Big Deal!, Andrew Brust 

DBA to CEO, Myself.

Each one of the presenters were excellent and more importantly made you think. The Master of Ceremonies was Andy Leonard and he was able to bring it all together. Add to the fact that everyone there was giving up a saturday made this a very special event. 

My hat goes off to the Vendors who help sponsor this event. 

Link to Redgate

Link to Embarcadero

Link to Confio

I for one will be watching for more great things from SQLPeople. An event like no other. 

Michael Corey

Founder & CEO, Ntirety

www.ntirety.com 

My Personal Twitter Account: Michael_Corey

Ntirety Corporate Twitter Account: Ntirety

Database Administration As A Service@ is a registered trademark of Ntirety, Inc.

CALLING ALL SQL Server PROFESSIONALS:

Microsoft has created a really fun event for the launch of SQL server 2012. Read Below...

SQL Server 2012 is the most important release ever of SQL Server with its’ mission critical, breakthrough insight and cloud on your terms features. Do your part to bring the SQL Server 2012 roadshows to your city and get on stage with Microsoft! This March, Microsoft is teaming with PASS to bring you the SQL Server 2012 Special Ops Tour – a cross-country roadshowthat will take us to 12 cities across America. This is your tour, and we want to highlight you –the SQL Serveroperative, your company, and the great work you are doing through opportunities to be featured on our media channels, stage time at roadshow events, and exclusive networking session.

Here is a really neat video on the event...

http://youtu.be/jdN69o8DlbA

So Take the Time to Vote......

www.specialopstour.com

Calling All Database Administrators - SQL OPS DBA Contest

In the coming weeks, you'll have the opportunity to enter a high-profile contest where we'll identify 12 SQL Professionals with the best solutions on SQL Server 2012. Winners will enjoy the Tour spotlight, the accolades of fellow agents, and more. So get ready to share your killer SQL Server 2012 skills.

So Keep Checking back at the site for more details...

www.specialopstour.com

Michael Corey

Founder & CEO, Ntirety

www.ntirety.com 

My Personal Twitter Account: Michael_Corey

Ntirety Corporate Twitter Account: Ntirety

Database Administration As A Service@ is a registered trademark of Ntirety, Inc.

Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution

Version: 1.0

Microsoft is releasing this security advisory to provide information about our ongoing investigation into vulnerabilities in the public and private versions of Microsoft's Active Template Library (ATL). This advisory also provides guidance as to what developers can do to help ensure that the controls and components they have built are not vulnerable to the ATL issues; what IT Professionals and consumers can do to mitigate potential attacks that use the vulnerabilities; and what Microsoft is doing as part of its ongoing investigation into the issue described in this advisory. This security advisory will also provide a comprehensive listing of all Microsoft Security Bulletins and Security Updates related to the vulnerabilities in ATL. Microsoft's investigation into the private and public versions of ATL is ongoing, and we will release security updates and guidance as appropriate as part of the investigation process.

Microsoft is aware of security vulnerabilities in the public and private versions of ATL. The Microsoft ATL is used by software developers to create controls or components for the Windows platform. The vulnerabilities described in this Security Advisory and Microsoft Security Bulletin MS09-035 could result in information disclosure or remote code execution attacks for controls and components built using vulnerable versions of the ATL. Components and controls created with the vulnerable version of ATL may be exposed to a vulnerable condition due to how ATL is used or due to issues in the ATL code itself.

Developer Guidance: Microsoft has corrected the issues in the public headers of ATL and released updates to the libraries in bulletin MS09-035 "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution." Microsoft strongly recommends that developers who have built controls or components with ATL take immediate action to evaluate their controls for exposure to a vulnerable condition and follow the guidance provided to create controls and components that are not vulnerable. For more information on the vulnerabilities and guidance to address issues in ATL, see MS09-035, "Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution."

IT Professional and Consumer Guidance: To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology. This new defense-in-depth technology built into Internet Explorer helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and Microsoft Security Bulletin MS09-035. To benefit from this new defense-in-depth technology, IT Professionals and consumers should immediately deploy the Internet Explorer Security Update offered in Microsoft Security Bulletin MS09-034, "Cumulative Security Update for Internet Explorer."

This security update includes a mitigation that prevents components and controls built using the vulnerable ATL from being exploited in Internet Explorer, as well as addressing multiple unrelated vulnerabilities. The new defense-in-depth protections offered in MS09-034 include updates to Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. These defense-in-depth protections monitor and help prevent the successful exploitation of all known public and private ATL vulnerabilities, including the vulnerabilities that could lead to bypassing ActiveX's kill bit security feature. These protections are designed to help protect customers from Web-based attacks.

Home User Guidance: To help better protect customers while developers update their components and controls, Microsoft has developed a new defense-in-depth technology.This new defense-in-depth technology built into Internet Explorer with the new update helps to protect customers from future attacks using the Microsoft Active Template Library vulnerabilities described in this Advisory and Microsoft Security Bulletin MS09-035. Home users signed up for Automatic Updates will receive the new Internet Explorer update automatically and do not have to take any further action. Home Users will automatically be better protected from future attacks against the vulnerabilities addressed in this Security Advisory and in Microsoft Security Bulletin MS09-035.

Mitigating Factors for Controls and Components built using vulnerable version of Microsoft's Active Template Library (ATL):

Updates related to ATL:

Updates released on July 28, 2009

Update released on July 14, 2009

To read more about this security alert....... Microsoft Security Alert (973882)

Founder & CEO, Ntirety

www.ntirety.com

My Personal Twitter Account: Michael_Corey

Ntirety Corporate Twitter Account: Ntirety

I found a great article on The Register website from the UK. It had some great quotes from Steve Ballmer concerning the Oracle Sun deal.   Here is a small portion of the article.

Microsoft's DNA won't permit Oracle-Sun deal

Ballmer knows his knitting

By Gavin Clarke in San Francisco

Posted in Software, 22nd April 2009 21:53 GMT

Comment When Steve Ballmer tackled the inevitable question on a Microsoft hardware acquisition, in the wake or Oracle's planned purchase of Sun Microsystems, he was "sticking to the knitting."

"I have no idea why a software company would buy a hardware company," Microsoft's chief executive is reported to have said.

That's not to say Microsoft is impervious to one big trend working its way through the market for storing, serving, and understanding information that Oracle occupies: the trend for getting fast access to huge quantities of data on massive networks and making sense of it. Far from it.

Increasingly, a hardware and software stack tuned to the needs of a combined database, storage system, and processing unit - an appliance - is seen as the way to tackle this.

Oracle last year announced the HP Oracle Exadata Storage Server and HP Oracle Database Machine, a box from Hewlett-Packard featuring a stack of pre-configured Exadata Storage Servers all running Oracle's database and its Enterprise Linux.

It's possible that Oracle's purchase of Sun could help it turn out more such boxes. The only question is why Oracle would want to bother taking on the burden of running a global, hardware design and manufacturing operation when its core competence is software.

To read the entire article...

Microsoft's DNA won't permit Oracle-Sun deal 

I think this has a lot to do with Larry Ellison. He has tried on a number of occasions to get into the Hardware Business. I wonder what will happen with the HP relationship now that Oracle does not need them ?

I think Oracle getting access to MySql was a very smart move. They will very quicky develope a migration path from MySql to Oracle if they are smart. There is good reason Microsoft SQL Server is the fastest growing database in the Market. When you look at the total suite of develppment tools all built by one vendor, the Buisness Intelligence Capabilities, the tight integration, the price points. There is good reason people are choosing SQL Server now. 

Also getting there hands on JAVA was very good for Oracle. I think Microsoft is smart to stick to there knitting. 

Founder & CEO, Ntirety

www.ntirety.com

My Personal Twitter Account: Michael_Corey

Ntirety Corporate Twitter Account: Ntirety

I am a big fan of SQL Server. I feel it’s a great Database to run a business on. I love the tight integration with the tools and especially the Data Warehouse capabilities.  SQL Server 2008 Express is free and quite powerful.  At the end of this Blog entry is a link to get a free download.

Here are some of the key things about it:

Simple

• Support for LINQ, Entity Data Model and ADO.NET Entity Framework make it easy to create next generation data-enabled applications
• New Date and Time data types with time zone support and .NET compatibility provides full control over temporal data
• New T-SQL IntelliSense support in SQL Server Management Studio makes it easy to write accurate T-SQL code
• Access a vast community of other SQL Server enthusiasts from beginners to experts via the SQL Server Express forum

Powerful

Tight integration with Visual Studio 2008 with SP1
SQL Server 2008 Express provides high-end database features

• Support for new data types and features like spatial data, HierarchyID, and FileStream makes it easier to model complex data
  

• Support for MERGE, GROUPING SETS, sparse columns and table-valued parameters makes it easier to write T-SQL code
• New Import/Export wizard makes it easy to migrate data

SQL Server Compact makes it easy to create database applications

• Small 2MB footprint allows for easy distribution of Windows applications
• No database administration required or Windows services
• Support of a rich subset of T-SQL syntax and commands  

Easy to Learn

SQL Server Compact Edition and SQL Server Express were designed to be easy to learn so you can get up and running quickly

Deep integration with Visual Studio Express makes it easy to create database applications

Short learning curve means you can start creating applications today

A webcast tutorial is available for beginners title Understanding a Database Schema. 

Downloading SQL Server 2008 Express for Free

Please take the time to register with us. You'll receive:

• product update and release notifications specific to SQL Server Express
• access to developer resources, how-to articles and community forums and team blogs
• discounts on SQL Server e-learning courses 

Founder & CEO, Ntirety

www.ntirety.com

My Personal Twitter Account: Michael_Corey

Ntirety Corporate Twitter Account: Ntirety

Lets face it the role of the DBA keeps expanding. Its not just about the Database it also now includes things like security and compliancy.  Yes I agree the DBA was always worried about the protection or recoverability of the data but it goes way beyond that now. To take a line from a previous blog entry…

If you are publicly traded you fall under Sarbanes Oxley act,(Public Company Accounting Reform and Investor Protection Act of 2002). If you are in healthcare you fall under the healthcare Health Insurance Portability and Accountability Act (HIPPA). If you process credit cards you must meet the requirement of the Payment Card Industry (PCI) Compliance.  New compliancy requirements come up all the time.

Massachusetts just passed a law that could affect your business. This new 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth comes into effect in 2009.
To read the entire blog…..

SQL Server 2008 Compliance Guide (Sarbanes, Hippa)

well this blog is about Microsoft SQL Server 2008 Auditing. Microsoft just releases a new white paper on it. I have included a copy of it here. At the beginning & end will be a link back to the source. A place I would check for any updates or corrections.

Auditing in SQL Server 2008

SQL Server Technical Article

Writer: Il-Sung Lee, Art Rask

Technical Reviewer: Jack Richins, Rick Byham, Sameer Tejani, Al Comeau, JC Cannon

Published: February 2009

Applies to: SQL Server 2008

Summary: With SQL Server Audit, SQL Server 2008 introduces an important new feature that provides a true auditing solution for enterprise customers. While SQL Trace can be used to satisfy many auditing needs, SQL Server Audit offers a number of attractive advantages that may help DBAs more easily achieve their goals such as meeting regulatory compliance requirements. These include the ability to provide centralized storage of audit logs and integration with System Center, as well as noticeably better performance. Perhaps most significantly, SQL Server Audit permits fine-grained auditing whereby an audit can be targeted to specific actions by a principal against a particular object. This paper provides a comprehensive description of the new feature along with usage guidance and then provides some practical examples.

Introduction

A key part of any data security strategy is the ability to track who has accessed, or attempted to access, your data. This provides the ability to detect unauthorized access attempts or, if necessary, to piece together the actions of malicious insiders who misused their legitimate access. Furthermore, a rich and robust tracking capability can provide oversight of sensitive configuration changes made by administrators.

Such considerations are ever more relevant in today’s information economy. Data is collected, stored, used, and misused at an ever increasing rate. Governments and private sector organizations around the world are responding to this by establishing various compliance regimes to improve the stewardship of data by those who hold it. A few of the most widely known examples include:

• European Union Data Protection Directive, a strict data protection policy with implications across the EU and the global economy.
• HIPAA, or Health Insurance Portability and Accountability Act, part of United States law
• Sarbanes-Oxley, part of United States law governing corporations.
• Payment Card Industry Data Security Standard, mandated by major credit card companies, with worldwide implications.

These formal regulations affect organizations of all sizes, in all industries, around the world. They place significant pressure on organizations to ensure their IT platforms and practices are compliant. And ultimately, these requirements land at the feet of the DBAs, developers, and IT professionals who manage the data.

It is important that a data management platform provide the means to meet these requirements, and do so efficiently. To address these needs, SQL Server 2008 introduces a rich and deeply integrated auditing capability that offers major improvements over previous versions of the Microsoft® SQL Server® database software.

This paper will review the new audit features of SQL Server 2008, compare them to past versions, and walk through some implementation examples.

Auditing in SQL Server 2005

In SQL Server 2005 and earlier versions, auditing was implemented using a combination of tools. At the server level, options were available to log successful and/or failed logins to the Application log in the Windows® operating system and the SQL Server Error Log. Login triggers, server triggers, and DDL triggers were available to do custom auditing of specific types of events. The tool of choice for detailed activity audits, however, was SQL Trace. SQL Trace is a mechanism for monitoring a broad range of events internal to the SQL Server database engine. It is used for detecting deadlocks, monitoring application performance, debugging, and many other development or administrative purposes. It is useful as an audit tool because it can capture individual statements as they are executed, including the user id.

SQL Trace has limitations as an auditing tool, though. Configuring and managing traces requires the use of a separate tool, the SQL Server Profiler. This is a tool well-loved by many developers and administrators, but it is not integrated with SQL Server Management Studio, the primary SQL Server administrative interface. And, its interface is not focused on the specific task of creating and managing information audits. At the Transact-SQL level, traces are configured by a set of system stored procedures which take opaque numeric codes as arguments – not the most inviting of management APIs.

Trace functionality in SQL Server 2005 is also accessible programmatically via Server Management Objects (SMO). However, the SMO trace classes are dependent on binary trace definition files (.tdf) authored by SQL Server Profiler, so they do not really serve as a standalone API for managing server audits.

Finally, because SQL Trace is a multipurpose tool, it doesn’t always easily answer the questions an auditor would care about. When used as an audit tool, SQL Trace captures statements. But this does not necessarily expose at a glance what information a user read or modified. Statements might reference views, stored procedures, or user-defined functions, in which case further analysis is required when the real question is “who read data from this table?”

All the tools described above remain in SQL Server 2008, and they will continue to be useful for a wide array of needs. But SQL Server 2008 brings a new, more focused, and more deeply integrated auditing capability to the table.

Auditing in SQL Server 2008

SQL Server 2008 Enterprise enhances the auditing capabilities of the server by introducing native auditing functionality into the database engine. The new SQL Server Audit feature maintains all the capabilities of the SQL Server 2005 auditing solutions and provides enhancements such as flexibility in audit data targets and granular auditing.

Overview

The SQL Server Audit feature in SQL Server 2008 is intended to replace SQL Trace as the preferred auditing solution. SQL Server Audit is meant to provide full auditing capabilities and only auditing capabilities, unlike SQL Trace which also serves for performance debugging. As a result, SQL Server Audit was designed with the following primary goals in mind:

• Security – The audit feature, and its objects, must be truly secure.
• Performance - Performance impact must be minimized.
• Management – The audit feature must be easy to manage.
• Discoverability - Audit-centric questions must be easy to answer.

The subsequent sections discuss how each one of these design goals is realized.

As mentioned earlier, SQL Server Audit is now native to the server. Doing so affords the new SQL Server Audit feature performance benefits and allows the audit objects to be treated as first class database objects. Being a first class object means that the audit objects can be created and manipulated through Transact-SQL DDL statements (or through the SQL Server Management Studio if you prefer). Furthermore, the audit objects will be secured through the database’s familiar permission model.

When an audit object is created, the destination for audit events must be specified. The typical target is a file which is probably suitable for most cases. However, in SQL Server 2008, the audit events can also be written to the Windows Application log. This facilitates access to the audit information in some situations and can allow consolidation through management applications. In addition, the very security conscious will be pleased to learn that the Windows Security log can be specified as a target for Audit (starting with the Windows Server® 2003 operating system). This is significant in that the Windows Security log is considered to be resistant to tampering and nonrepudiation. Another benefit of using the Security log is that the Audit Collection Service (ACS) of the Microsoft System Center Operations Manager can be used to securely collect audit information from the security logs of multiple machines and generate consolidated reports.

A final, but important, point to mention about SQL Server Audit in SQL Server 2008 is the granularity at which the audit can be specified. The auditing of activity of users, roles, or groups on database objects can be restricted down to the table level. That is, you can target SQL Server Audit to track specific activities of a user or users down to the individual table level. For example, SQL Server Audit allows a record to be made of all the UPDATEs to the Payroll table by DBO.

Security

Auditing is a central component of a database security strategy and as such the SQL Server Audit feature itself must be highly secure and securable. Because it is a database object, the privilege to create, delete, or modify an audit object is controlled by the database engine’s permission model and enforcement control. The SQL Server Audit feature introduces a new server-level permission called ALTER ANY SERVER AUDIT to allow a principal to CREATE, ALTER, or DROP an Audit or Server Audit Specification object. Likewise, a database-level permission called ALTER ANY DATABASE AUDIT is introduced to allow a principal to CREATE, ALTER, or DROP a Database Audit Specification object. An audit specification can briefly be described as an object that describes the activity to capture in the audit (a more thorough description is found later in this paper).

The audit log is obviously another asset that needs protection. Careful consideration must be given regarding where to send the audit data. Ideally, the audit information should be sent to a location that cannot be modified or tampered with, even by a sysadmin. A simple strategy to accomplish this is to send the audit events to a file on a share to which the SQL Server service account only has write access. The person in the auditor capacity would obviously need read access to this file but no one else. Also, if the share is on a different computer, it’s possible to obtain protection from the Windows administrator (of the SQL Server computer) as well, although there are obviously some performance considerations and vulnerability to network outages. Another option is the Windows Security log. This is a good choice for someone who wants to store the SQL Server Audit log locally but wants protection from the sysadmin and even the local Windows administrator. One final point – SQL Server does not encrypt or otherwise protected the Audit log. Such additional layers of protection can be applied, of course, through a variety of means external to SQL Server, such as file system encryption.

If, for whatever reason, SQL Server Audit is unable to write its audit events to the audit target, you can configure the audit object to shut down the server instance. While shutting down the server instance may seem drastic, it is a necessity for certain scenarios, such as meeting the requirements of the Common Criteria to ensure that the server cannot operate without its activity being audited. To configure the audit to behave in such a manner, the person issuing the CREATE or ALTER AUDIT DDL must additionally have the SERVER SHUTDOWN server permission. If the server cannot start because of SQL Server Audit, it is possible to bring the server up by starting SQL Server with the -m trace flag; SQL Server Audit itself will not be deactivated and only the shutdown behavior will be disabled. Please note that -m starts SQL Server in single-user mode and is meant to allow a DBA to start the database and make changes to the SQL Server Audit configuration if necessary. Alternatively, the -f trace flag can be used to start SQL Server in minimal configuration mode, in which case Audit will be disabled but Audit DDL can still be issued. In practice, -m should be sufficient for most cases that require SQL Serve Audit reconfiguration.

If a failure to write the Audit event does not trigger the SQL Server instance to shut down, what happens with the audit records? The answer is that Audit events are buffered in memory until they can be flushed to the target. If the records fill the memory buffer and cannot be written to the Audit log, the server blocks any new activity that would result in an audit event being written until the buffer space is freed up or the audit is disabled. The size of the memory buffer varies, but it is around 4 MB per audit in the default case, which can accommodate at least 170 audit events (the exact number depends upon the amount of data contained in each event). If the problem is not correct before the operating system returns an error, such as a disk write failure, the Audit session is taken offline with a corresponding error written to the server’s error log; all buffered and new audit events are discarded. Upon correction of the problem, the audit object will need to be restarted in order for auditing to resume. If lost audit records are unacceptable, the audit should be configured to shut down rather than continue upon write failure. To ensure tight synchronicity between the events captured in the audit log and the activity on the server, SQL Server Audit can be configured to write the audit entries to the log in a synchronous fashion, meaning that transactions are blocked until the event is written to its destination. The tradeoff here is obviously that performance may be affected adversely. In most situations, asynchronous Audit log writing is recommended. As described below, the length of time before writes occur can be configured; increasing the time value from the default of one second can improve the performance of the server.

One last point to highlight is that any changes to the state of the server audit object itself are recorded in its audit log. This is a shortcoming of SQL Trace, and it is an important feature because it can potentially capture any attempts to circumvent the audit. Assuming that the audit events are sent to a target that cannot be modified by the SQL Server service account, this feature can effectively protect the audit log from the DBA. Furthermore, it is possible to configure SQL Server Audit to record changes to all audit objects defined within the instance, not just the immediate server audit object (this can accomplished by adding the AUDIT_CHANGE_GROUP to the server audit specification; this will become more clear later in this document).

Performance

SQL Server 2008 introduces a new high-performance eventing infrastructure called SQL Server Extended Events. The SQL Server Audit feature is built on top of Extended Events to leverage the performance benefits and provide both asynchronous and synchronous write capabilities (by default, SQL Server Audit uses the asynchronous eventing model). One thing to note is that the Audit event is a protected type of Extended Event so the CREATE/ALTER/DROP SESSION EVENT commands cannot be used to manipulate SQL Server Audit directly. For more information about Extended Events, see SQL Server Books Online.

By default, the audit events are written to the audit target in an asynchronous fashion for performance reasons. When tighter guarantees of audit records being written to the audit log are required, you can select synchronous write, with the understanding that some amount of performance degradation should be expected (the exact amount depends on the amount and type of audit records generated). The choice of asynchronous or synchronous is controlled by the QUEUE_DELAY option of the CREATE AUDIT DDL (explained below); by default, the value is 1000, which indicates that SQL Server Audit will queue the audit record for up to one second before writing to the target. If tolerances allow, you can set this value to a larger number, which can increase performance; the tradeoff is that activity recorded in the log might be increasingly out of sync with the actual database activity, and there is more potential for lost records if a fatal error occurs on the server. To enable synchronous logging of SQL Server Audit, set the QUEUE_DELAY to the value 0 (zero).

Targeted auditing can also aid in minimizing the performance impact. The obvious strategy is to limit auditing to the exact set of actions of interest and nothing more. The fine-grained auditing capabilities of SQL Server Audit allow auditing to be configured so that it targets specific actions, principals, and objects (down to the individual table level). As a result, resources are not wasted generating unwanted audit information. This is in contrast to SQL Trace, which typically generates a lot of records and relies upon post-filtering to provide targeted auditing.

Because of the architecture of SQL Server Audit, the best performance is generally achieved by using a file as the audit target. However, the performance difference between the different audit targets is highly dependent upon the audit configuration, among other things.

Management

The audit features of SQL Server 2008 are fully manageable using the main management interfaces of the product, specifically SQL Server Management Studio, Server Management Objects (SMO), and Transact-SQL DDL.

In SQL Server Management Studio, server level audit configuration is available in the user interface under the Security folder. The two relevant subfolders are Audits and Server Audit Specifications. Database-level audit configuration is available under the Security folder of each database, in the Database Audit Specification subfolder.

In contrast to previous versions, the audit configuration can be fully managed programmatically via SMO, using objects in the Microsoft.SqlServer.Management.SMO namespace.

Finally, rather than the system stored procedures used to configure SQL Trace, SQL Server Audit uses clear SQL DDL syntax to create, manage, and secure audits.

Discoverability

Audit data can be written to a binary file or to the Windows Event log (Application or Security). When written to a file, the audit data is accessible through a built-in table-valued function, which allows the use of regular SELECT syntax to query the audit trail. Events written to the Event log can be accessed with Event Viewer or with specialized Event log management software, such as Microsoft Systems Center Operations Manager. Accessing and analyzing audit data is discussed in more detail later in this paper.

Audit Value of Data

Besides providing a robust infrastructure for collecting audit data, SQL Server 2008 makes it easier to meet specific audit requirements. Audit records are captured based on permission checks on database objects. This means, for example, that a SELECT on table A is recorded as such, regardless of whether the actual SQL statement referenced table A, a view, a stored procedure, or another object.

Also, SQL Server 2008 allows granular definition of audit criteria. Audits can be scoped to individual tables, to specific DML actions (for example, DELETE vs. SELECT) and to specific principals. This granularity can reduce the volume of audit data that must be stored and analyzed to meet a specific set of requirements.

Technical Overview of Auditing

To understand the setup and management of auditing in SQL Server 2008, it is best to start with the three main objects which describe audits.

The Server Audit object describes the target for audit data, plus some top-level configuration settings. Think of a Server Audit object as the declaration of the audit sink, or destination. This destination can be a file, the Windows Application log, or the Windows Security log. The allowable delay for writing events to the destination can also be configured on this object. Note that the Server Audit object contains no information about what is being audited – just where the audit data is going. Multiple Server Audit objects can be defined with each object being specified and operational independent from one another.

The Server Audit Specification object describes what to audit. As its name suggests, this object is focused on server instance-wide actions. A server audit specification is associated with a server audit in order to define where the audit data is written. There is a one-to-one relationship between the Server Audit Specification object and the Server Audit object.

The Database Audit Specification also describes what to audit. But, as its name suggests, this object is focused on actions which occur in a specific database. Where the audit data is written is defined by the association of a database audit specification with a Server Audit object. Each database audit specification can be associated with only one server audit. A server audit, for its part, can be associated with only one database audit specification per database.

The interaction of these objects to define an overall audit regime is depicted in Figure 1 below.

All the relationships between objects in Figure 1 are optional. Of course, without a minimum of one server audit and one specification (server or database), an audit cannot produce any data. All of these objects – Server Audit, Server Audit Specification, and Database Audit Specification – can be fully managed with DDL, the SQL Server Management Studio administrative interface, or SMO.

Let’s drill down on the details of each of these parts of an audit definition.

Figure 1: Audit object layout

Server Audit

Server audits are created with the CREATE SERVER AUDIT statement. Besides a name, the most important thing specified when the server audit is created is the destination for the audit data. In SQL Server 2008, the available destinations are a binary file, the Windows Application log, and the Windows Security log (specific permissions – discussed later – are required of the SQL Server service account in order to write to the Security log). For file destinations, the user must provide at least the file path and optionally, the maximum size and the maximum number of rollover files. SQL Server names audit files automatically, according to the following pattern:

<audit_name>_<audit_guid>_nn_<timestamp_as_bigint>.sqlaudit

When the active audit file reaches the maximum size specified, it automatically rolls over to a new file. This process continues up to the maximum number of rollover files specified by the MAX_ROLLOVER_FILES argument. When or if the maximum number of rollover files is reached, SQL Server begins deleting an existing audit file for every new one created, starting with the oldest first. Note that if the delete operation fails for whatever reason, the audit silently continues.

Optionally, the audit can reserve the maximum disk space on startup. Naturally, the SQL Server service account must have write permissions on the destination folder.

To provide control over security-performance tradeoffs, a queue delay can be configured on the server audit. If this value is 0, audit records are written synchronously with the action that generated them. Alternatively, a queue delay in milliseconds can be specified, to lessen performance impact under load. The minimum delay is 1,000 milliseconds (the default).

To meet the most stringent security requirements, a server audit optionally can be configured so that SQL Server will shut down if the audit fails. For example, if the destination drive for the audit log becomes unavailable, SQL Server shuts down and can be restarted manually with the –m command switch unless the root cause of the shutdown is corrected.

By default, server audits are created in a disabled state. This can be overridden in DDL so that the audit is enabled immediately. In most cases, however, administrators will want to fully configure the audit before enabling it.

A server audit is automatically tagged with a GUID which uniquely identifies it. To support distributed scenarios such as database mirroring, the CREATE SERVER AUDIT statement allows this GUID to be assigned explicitly. After the audit is created, the GUID cannot be changed.

The following DDL example shows the creation of an audit named PCI_Audit, which will write to a file with no delay, and force the server to shut down in the event of a failure to write to the file.

Transact-SQL

Copy Code

CREATE SERVER AUDIT PCI_Audit
TO FILE (FILEPATH = ’F:\AuditLogs\’, MAXSIZE = 1GB, MAX_ROLLOVER_FILES = 80)
WITH (QUEUE_DELAY = 0, ON_FAILURE = SHUTDOWN)

This server audit is disabled initially.

The server audit can be modified after creation by using the ALTER SERVER AUDIT statement. The following example changes the destination to the Windows Application log and relaxes the queue delay and failure settings.

Transact-SQL

Copy Code

ALTER SERVER AUDIT PCI_Audit
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)

The ALTER SERVER AUDIT statement is also used to enable or disable a server audit.

Transact-SQL

Copy Code

ALTER SERVER AUDIT PCI_Audit
WITH (STATE = ON)

A server audit can only be enabled or disabled outside of the scope of an active transaction.

In SQL Server Management Studio, server audits are created and managed in the Audits folder, which is under the server-level Security folder.

Figure 2: Creating an audit in SQL Server Management Studio

Permissions

Actions on a server audit (CREATE, ALTER, or DROP) require the ALTER ANY SERVER AUDIT permission, which is covered by the CONTROL SERVER permission.

Writing to the Windows Security Log

Writing to the Windows Security log deserves special mention, because there are some extra considerations to take into account. Because writing to the Windows Security log is a very privileged operation, the SQL Server service account needs to be granted the SeAuditPrivilege (also known as “Generate Security Audit”) privilege. This can be accomplished though the Local Security Policy tool (secpol.msc). Just add the service account to LocalPolicies/User Rights Assignment/Generate Security Audits.

In addition, the audit policy granularity for Windows must be modified before the SQL Server entries can be logged. On Windows Server 2003, use the Security Policy Tool to modify the Local Policies/Audit Policy/Audit Object Access setting; both ‘Success’ and ‘Failure’ should be enabled. On the Windows Vista® operating system and Windows Server 2008, use the auditpol command-line tool and issue the command auditpol /set /subcategory:”application generated” /success:enable /failure:enable. Please note that in some domain environments, the domain policy may override these settings, and assistance from the Domain Administrator will be required in this case. Users who install SQL Server 2008 Developer onto a Windows XP computer will not be able to write the audit information to the Windows Security log because this capability is not supported by the operating system.

Server Audit Specification

Server audit specifications can be created with the CREATE SERVER AUDIT SPECIFICATION statement. A server audit must exist before a server audit specification can be created, since the DDL requires that an audit name be specified.

The main content of a server audit specification is the list of action groups that it will audit. Auditable actions are collected into groups and cover server-level activity such as server configuration changes and login/logout. These groups are hardwired, and they are detailed in the SQL Server documentation.

The following statement creates a server audit specification to track backup/restore events, SQL Server service starts and stops, and changes in the membership of server roles.

Transact-SQL

Copy Code

CREATE SERVER AUDIT SPECIFICATION PCI_Server_Mgmt_Spec
FOR SERVER AUDIT PCI_Audit
  ADD (BACKUP_RESTORE_GROUP),
  ADD (SERVER_STATE_CHANGE_GROUP),
  ADD (SERVER_ROLE_MEMBERSHIP_CHANGE_GROUP)
WITH (STATE = OFF)

Server audit specifications can be reassigned to a different server audit after they are created by using the ALTER SERVER AUDIT SPECIFICATION statement. This statement also allows the list of audited action groups to be changed and the state to be toggled between enabled (ON) and disabled (OFF).

The following example adds an action group to the specification created in the previous statement.

Transact-SQL

Copy Code

ALTER SERVER AUDIT SPECIFICATION PCI_Server_Mgmt_Spec
  ADD (SERVER_PRINCIPAL_CHANGE_GROUP)

Change to the state of an audit (enabled or disabled) can only be made outside the scope of a transaction. Also, if the ALTER SERVER AUDIT statement changes the state from ON to OFF, it may not include any other changes within the same statement.

In SQL Server Management Studio, server audit specifications are created and managed in the Server Audit Specifications folder, which is under the server-level Security folder.

Permissions

Actions on a server audit specification (CREATE, ALTER, or DROP) require the ALTER ANY SERVER AUDIT permission, which is covered by CONTROL SERVER.

Database Audit Specification

Database audit specifications are much like server audit specifications, but there are some significant differences. As the name implies, of course, database audit specifications pertain to the auditing of database level actions. As with server audit specifications, a predefined list of audit action groups can be used to define what the specification tracks.

In addition to this, however, database audit specifications allow more specific audit actions to be tracked. This is where granular actions within the database can easily be targeted. Before exploring the details of this, examine the following statement.

Transact-SQL

Copy Code

CREATE DATABASE AUDIT SPECIFICATION PCI_Txn_Database_Spec
FOR SERVER AUDIT PCI_Audit
  ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
  ADD (SELECT ON dbo.Customer BY dbo),
  ADD (INSERT ON dbo.Customer BY dbo),
  ADD (UPDATE ON dbo.Customer BY dbo),
  ADD (DELETE ON dbo.Customer BY dbo),
  ADD (EXECUTE ON dbo.usp_SubmitPO BY public)

This specification tracks all actions that fall into the DATABASE_OBJECT_PERMISSION_CHANGE group, which is a useful thing to monitor if you have multiple administrators working in your database. In addition, it also tracks specific DML actions against the Customer table by the dbo user, and any execution of the usp_SubmitPO stored procedure. Also note the use of the keyword public to track changes by all users.

In SQL Server 2008, this granular action definition is a key distinction of database audit specifications from their server-level counterparts. The general form for defining an action to be audited is:

<action> ON <object> BY <principal>

Auditing occurs regardless of the means by which the action was taken. In other words, a SELECT on the Customer table will be audited if the user action was a SELECT statement on Customer, a SELECT on a view that queries the table, an EXECUTE of a stored procedure that queries the table, and so on.

Note that <object> in the above format can refer to an object like a table, view, or stored procedure, or an entire database or schema. For the latter cases, the forms DATABASE::<db_name> and SCHEMA::<schema_name> are used, respectively.

Specifying a principal allows the audit to be narrowly focused, thereby minimizing the amount of data captured in the audit. In order to audit an action for all principals, the public role can be specified. For example, the following action records all SELECTs on all objects within the MyDB database by any user in the MyDBRole role.

Transact-SQL

Copy Code

SELECT ON DATABASE::MyDB BY MyDBRole

As with server-level specifications, a database audit specification can be enabled or disabled at creation, or afterwards with the ALTER DATABASE SERVER SPECIFICATION statement. The ALTER statement also allows modification of the list of audited actions and action groups.

In SQL Server Management Studio, database audit specifications are created and managed in the Database Audit Specifications folder, which is under the database-level Security folder for the database in question.

Permissions

Actions on a database audit (CREATE, ALTER, or DROP) require the ALTER ANY DATABASE AUDIT permission, which is covered by CONTROL DATABASE.

More on the Technical Architecture of Audit

Before we move into how audit data is read and used, a few more technical aspects of the implementation are worth mentioning. Earlier, it was stated that SQL Server Audit is native to the server. There are many aspects of this feature that are more tightly bound to the DBMS, not the least of which is the way in which audit events are triggered. Auditing in SQL Server 2008 is implemented by hooking the internal permissions checks, which occur inside the database engine. When a permission check occurs, SQL Server Audit has the opportunity to produce an audit record, if a relevant audit is specified. This means all forms of access to an object are audited.

A second aspect of SQL Server Audit that should be noted is its behavior within transactions. There are two pieces to this. The first is how operations on an audit itself interact with transactional boundaries. All audit-related DDL statements, including the CREATE SERVER AUDIT statement, can be issued within an active transaction unless they trigger changes in the state of an audit object. If within a transaction, the creation of the audit will be scoped within the transaction – it will commit or roll back with the transaction.

Another piece is how auditable events are recorded when they occur within a transaction. The simple way to describe this is: They are always audited. Clearly there would be negative security implications if data could be read, but no audit was recorded because a pending transaction was rolled back. So, the recording of audit events occurs irrespective of transaction scope and whether a rollback occurs or not.

Using Audit Data

This section includes information about the ways in which you can use and apply the data generated by SQL Server Audit.

Audit Files

When a SQL Server 2008 server audit is configured with the audit destination of File option, the audit data is written to a binary file on disk. The target location can be a local folder or a UNC path to a network share.

Although the server audit can specify the path where the audit file will be created, the file name is automatically generated by SQL Server. The file name pattern is:

<audit_name>_<audit_guid>_nn_<timestamp_as_bigint>.sqlaudit

In this pattern, nn is a sequential partition number that is incremented as new audit files are generated, if the audit is configured to allow rollover to new files.

The audit file may be written to a folder protected by NTFS encryption, provided the SQL Server service account has the appropriate permissions. Writing to a folder with NTFS compression is also permitted. In both cases, of course, some performance impact should be expected. If the target location for the audit file is a remote file share, the audit content is not encrypted when travelling across the network.

As mentioned, the audit file is in a binary format and is not readable with a text editor. SQL Server provides a table-valued function called fn_get_audit_file(), which is used to read audit data. This function takes the arguments indicated in Table 1.

Table 1: Arguments to fn_get_audit_file()

The following statement reads all audit files for a specific audit.

Transact-SQL

Copy Code

SELECT * FROM fn_get_audit_file(
'D:\Audits\MyAudit-_C26128D1-F97B-4B82-9E47-B6A296045B05_*.sqlaudit',
default, default)

The following example reads all audit files in the E:\SqlAudits\ folder.

Transact-SQL

Copy Code

SELECT * FROM fn_get_audit_file('E:\SqlAudits\*', default, default)

And this example reads all audit records in a specific audit, starting from a known offset.

Transact-SQL

Copy Code

SELECT * FROM fn_get_audit_file(
'D:\Audits\MyAudit-_C26128D1-F97B-4B82-9E47-B6A296045B05_*.sqlaudit',
'D:\Audits\MyAudit-_C26128D1-F97B-4B82-9E47-B6A296045B05_0_128439520854140000.sqlaudit',
5120)

Incidentally, the initial_file_name and audit_file_offset parameters can be determined by looking at the file_name and audit_file_offset columns respectively from the output of the last invocation of fn_get_audit_file().

Naturally, because this is a SELECT from a table-valued function, a WHERE clause, ORDER BY clause, and other standard SQL SELECT syntax can be used to shape the result set.

Because the fn_get_audit_file() function takes an explicit path as an argument, it is possible to move inactive audit files to a new location and read them using this function. At this point the audit file is just static data. Thus audit files can be moved and queried at will after they are no longer receiving audit events. A useful implication of this is that audit files from multiple servers can be consolidated in a single folder and queried as a set. In this way, administrators or auditors can easily look for key events across a distributed set of SQL Servers.

The fn_get_audit_file() function returns a rich set of information captured by SQL Server Audit. More than two dozen columns are available, providing details in several areas, such as:

• The date and time of the event, and whether it succeeded (or permissions were denied)
• The user context of the event (principal id and name at server and database level)
• The type of action (for example, SELECT, EXECUTE, DELETE)
• The target object
• The connection context (server and instance, database, schema)
• The actual Transact-SQL statement that triggered the audit event (if applicable)
• The audit file name and the position of the audit record in the file
• Additional XML information for some special events, such as audit management events

As is apparent, a great deal of information is available about each audited event. One of the columns, statement, contains the actual text of the action that caused the audited event, although the actual data values in the statement might not be displayed if the statement was parameterized. Note that this may not directly name the audited resource. For example, an audited SELECT event on Table1 might be caused by a SELECT on View1, which references Table1.

The statement field is nvarchar and is 4,000 characters in length. In the event that a statement exceeds this size, SQL Server 2008 generates multiple audit records, spreading the statement text across as many records as necessary to capture the full content. A sequence number field in the audit records enables the full statement text to be reassembled.

The fn_get_audit_file() function is your jumping-off point to implement the best audit analysis solution for your environment. Because it essentially presents the audit data as a table, it provides the means to query, mine, archive, or report on the audit logs in any way necessary. In this sense, it is perhaps the most flexible of the three possible targets for audit data.

The Windows Event Log

A SQL Server 2008 audit can alternatively be configured to log to the Windows Application log or the Windows Security log. This can be valuable for a few reasons:

• The Windows event log is a familiar location and format for many server administrators and auditors.
• The Security log has inherent restrictions on writing, tampering, and viewing, which make it attractive as a repository for audit information.
• There are existing Microsoft and third-party solutions aimed at consolidating, monitoring, and alerting on Windows event logs. For example, Microsoft System Center has a component called Audit Collection Services that can selectively consolidate Security event logs from many servers. And the System Center Operations Manager product is dedicated to monitoring, reporting, and alerting on Windows event logs.

When a server audit is configured with the TO APPLICATION_LOG or TO SECURITY_LOG option, all audit events are written to the relevant log. The events contain the same information as is returned by the fn_get_audit() table-valued function for audits to file. In the event log, this information is written to the event body in text format.

For users who intend to set up monitoring or alerting on event log entries, it is important to know what event log specific attributes will be assigned to SQL Server Audit entries. All SQL Server Audit events are logged with the SQL Server instance name as the event source. The event id is 33205. The description of the event is where distinguishing characteristics of events can be found. So, to implement a filtering or alerting on audit events, the Event log management tool used will need to support identification of events based on the description for example, regular expression searches).

Performance Comparison

Using a sample of OLTP workloads typical of a customer environment, the performance of SQL Server Audit was measured and compared to SQL Trace where possible. The results consistently indicated a performance advantage for SQL Server Audit with improvements ranging from 11% to 45%. The following list provides a short profile of the workloads used and the subsequent table reveals values for a sample of the run times for each workload. For the comparison, SQL Trace is running in C2 Audit mode and SQL Server Audit is configured to audit the equivalent events and write the output to a file.

Workload 1 contains 11 databases, ranging from 1.94 MB to 1812.5 MB. It also has 755 tables with an average of 2761 rows, with primarily char and then smallint and decimal columns.

Here is the activity summary for workload 1 (% of workload):

• Stored procedures:
  • sp_cursorfetch
• EXECUTE (38.72%)
• Statements:
  • ORDER BY (21.90%)
  • SELECT FROM (39.51%)
• 1,219,234 statements were executed.

Workload 2 contains 2 databases ranging from 64 MB to 423.88 MB. It has 35 tables with an average of 49,141 rows, with primarily bit, varbinary, int, and nvarchar columns.

Here is the activity summary for workload 2 (% of workload):

• EXECUTE (100%)
• 1,633,557 statements were executed

Workload 3 contains 3 databases ranging from 1.94 MB to 1059.63 MB. It has 154 tables with an average of 586 rows, with primarily real, numeric, and float columns.

Here is the activity summary for workload 3:

• Stored procedures:
  • sp_execute
  • sp_prepare
  • sp_unprepare
• EXECUTE (94.25%)
• Statements:
  • SELECT FROM (39.87%)
• 585,400 statements were executed.

Workload 4 contains 1 database at 3235.75 MB. It has 84 tables with an average of 144,245 rows, with primarily int, varchar, and datetime columns.

Here is the activity summary for workload 4 (% of workload):

• Stored procedures:
  • sp_cursorfetch
• EXECUTE (95.89%)
• 3,435,303 statements were executed.

Workload 5 contains 1 database at 174.94 MB. It has 152 tables with an average of 4,108 rows, with primarily char and numeric, and then int and float columns.

Here is the activity summary for workload 5 (% of workload):

• Stored procedures:
  • sp_cursorclose
  • sp_cursorfetch
  • sp_cursoropen
• EXECUTE (78.58%)
• Statements:
  • SELECT FROM (26.96%)
• 296,642 statements were executed.

Table 2: Performance numbers for SQL Server Audit vs. SQL Trace

In the table, the PERF COST VS BASE is calculated as (SQL AUDIT– BASE TIME) / BASE TIME, and the PERF GAIN VS TRACE is calculated as (SQL TRACE – SQL AUDIT) / SQL TRACE.

The improvement between SQL Trace and SQL Server Audit ranges from 11.08% to 45.09%, with Workload 2 showing the greatest difference between the two. This is likely a result of the workload generating a huge amount of Audit events which tends to emphasize SQL Server Audit’s greater efficiency at file I/O. Also observed from the table is that the cost of running SQL Server Audit ranges from 6.24% to 35.42%. Keep in mind that these values are with a large number of audit action groups enabled so the cost would be lower with more modest Audit settings. Since SQL Trace lacks the fine-grained auditing capabilities of SQL Server Audit, a performance comparison between the two is not possible for this scenario.

Examples

The following examples provide real-world scenarios for the use of SQL Server Audit.

Example 1

A relatively simple but very relevant usage of SQL Server Audit is to monitor the activity of privileged users accessing a sensitive table. This can easily be accomplished with the SQL Server Audit feature in SQL Server 2008 by setting up the proper database audit specification. For this example, assume that the sensitive table is in the hr_db database and is called hr.salary and we want to detect when the dbo (and consequently sysadmin) tries to query the table. In this example, the audit information will be written to a file on a remote share called \\AuditServer\Audit, on which the SQL Server service instance has permissions to write but not read or modify.

First we need to create the Audit and the Database Audit Specification objects.

Transact-SQL

Copy Code

USE master
CREATE SERVER AUDIT audit1 TO FILE (FILEPATH='\\AuditServer\Audit')
USE hr_db
CREATE DATABASE AUDIT SPECIFICATION hr_dbspec FOR SERVER AUDIT audit1
ADD(SELECT,UPDATE,INSERT,DELETE ON hr.salary by dbo)

Because the objects are created disabled by default, they need to both be enabled.

Transact-SQL

Copy Code

USE master
ALTER SERVER AUDIT audit1 WITH (STATE=ON)
USE hr_db
ALTER DATABASE AUDIT SPECIFICATION hr_dbspec WITH (STATE=ON)

At this point, the audit is turned on and all queries against the hr_db table by the dbo or the sysadmin are recorded, as are any actions that enable or disable the audit.

To confirm that both the audit and the audit specification are enabled, the system views can be queried.

Transact-SQL

Copy Code

SELECT is_state_enabled FROM sys.server_file_audits
SELECT is_state_enabled FROM sys.database_audit_specifications

Example 2

Some compliance regulations require that access and usage of cryptographic keys be audited. SQL Server Audit is capable of recording all activity that touches a symmetric encryption key or the private key of a certificate or an asymmetric key pair. Concisely, this activity is covered by the DATABASE_OBJECT_CHANGE_GROUP action group at both the server and database levels. The DATABASE_OBJECT_CHANGE_GROUP action group covers all activity involving key usage as well as CREATE, ALTER, and DROP of objects in a database not contained within a schema. Aside from the initial setup period of the database, the incidents of CREATE, ALTER, and DROP should be low, meaning that most of the activity captured under this action group should be restricted to cryptographic key activity. For this example, creation of the Audit will be demonstrated using SQL Server Management Studio. To create the audit object, expand the Security tree under the instance, right-click Audits, and then click New Audit. The Create Audit dialog box, which is displayed in Figure 3, opens, enabling you to configure the audit properties.

Figure 3: Create Audit dialog box

If the defaults are acceptable, the only input required is the File path, assuming that the audit destination is a file. Notice that SQL Server Management Studio created a default audit name based on the timestamp. Next the server and database audit specifications must be created. This can be accomplished by right-clicking on Server Audit Specifications and Database Audit Specifications in the Object Explorer respectively (see Figure 4).

Figure 4: Creating a database audit specification through SQL Server Management Studio

For the database audit specification, the Create Database Audit Specification dialog box, which is shown in Figure 5, appears.

Figure 5: Create Database Audit Specification dialog box

The audit object created in the previous step needs to be selected in the Audit drop-down list. Next select DATABASE_OBJECT_CHANGE_GROUP from the Audit Action Type drop-down list.

The steps for creating a server audit specification are very similar. At this point, enable the audit and the related specifications by right-clicking them in the Object Explorer.

After the audit is running, administrators can leverage the abilities of Policy-Based Management (PBM) to manage the audits on multiple servers to see whether they are running and whether they are configured properly. A basic understanding of PBM is assumed in the subsequent discussion; for more information, see SQL Server Books Online.

Creating a policy to determine whether an audit or an audit specification is enabled is fairly straightforward. To create a policy that reports whether a server has an audit enabled, a new condition needs to be created using the audit facet and an expression that evaluates whether @Enabled equals True (see Figure 6).

Figure 6: PBM Create New Condition dialog box

Note that the value in the Name box is arbitrary. Now that the condition is created, a new policy should be created. In this example, the new policy is given the name AuditOnPolicy, and the value in Check Condition is set to the AuditOn condition that was just created (Figure 7).

Figure 7: PBM Create New Policy dialog box

Clicking OK creates the policy that will evaluate whether the audit object on the server is enabled (or servers if the evaluation is initiated through the Registered Servers dialog box). Evaluation of the policy provides a list of audit objects defined in the instance and an indication of whether they are active or not. The results of the evaluation in Figure 8 indicate that one audit is not enabled.

Figure 8: PBM Evaluate Policies dialog box

Please note that the audit objects are read-only in this release of SQL Server. Because of this, clicking Configure returns an error. Finally, a similar policy should be created to determine whether the audit specification(s) are enabled as well.

Of course, knowing that an audit is enabled is important but equally interesting is validating that the audit is configured properly. Although determining whether an action group, such as DATABASE_OBJECT_CHANGE_GROUP, has been defined in the audit specification might not be obvious, it is possible. Because no PBM facet exists for audit action groups, the policy can instead be described as a T-SQL query to determine whether a specific action group is included within the specification. One such query is provided here.

Transact-SQL

Copy Code

SELECT 1
FROM sys.server_audits AS a
     JOIN sys.database_audit_specifications AS s
          ON a.audit_guid = s.audit_guid
     JOIN sys.database_audit_specification_details AS d
          ON s.database_specification_id = d.database_specification_id
WHERE a.is_state_enabled = 1
     AND s.is_state_enabled = 1
     AND d.audit_action_name = N'DATABASE_OBJECT_CHANGE_GROUP'

The query returns the value 1 if an active audit contains a specification created with the DATABASE_OBJECT_CHANGE_GROUP action group. To create a condition based on this query in PBM, do the following:

1. Create a new condition and in Expression, click on the “…” button to bring up the Advanced Edit dialog box.
2. Scroll down the Functions and properties list and double-click ExecuteSql(). This populates Cell Value with the text “ExecuteSql(string returnType, string sqlQuery)”. You can edit this string to replace string returnType with ’numeric’ and string sqlQuery with the SELECT statement above (see Figure 9; note that the single quote in the query must be escaped with another single quote).

Figure 9: PBM Advanced Edit Window

3. After clicking OK and returning to the Create New Expression dialog box, complete the Expression by setting Operator to = and Value to 1.

4. Set Facet to Database because you want this query evaluated for each database in the instance.

When evaluated, a policy using this expression will help the administrator detect when the database is not being audited properly.

Conclusion

The new SQL Server Audit feature introduced in SQL Server 2008 represents a significant improvement over the auditing capabilities offered in previous versions of SQL Server. One of the key advancements is the introduction of fine-grained auditing whereby events can be targeted to specific actions on an object by particular principals; the objects can even be scoped down to the individual table level. Performance is another big incentive, because SQL Server Audit performs significantly better than a comparable SQL Trace, up to around 45% in some cases. Additionally, the audit target is no longer confined to just files, because the Windows Application and Security logs are now options. And considering benefits such as persistence of the audit state between instance restarts and the involuntary recording of changes to the audit state, the new SQL Server Audit feature provides a robust and comprehensive auditing solution for the enterprise.

For more information:

http://msdn2.microsoft.com/en-us/library/cc280386(SQL.100).aspx: Understanding SQL Server Audit

http://msdn2.microsoft.com/en-us/library/bb630282(SQL.100).aspx: SQL Server Extended Events:

http://msdn2.microsoft.com/en-us/library/bb510667(SQL.100).aspx: Administering Servers by Using Policy-Based Management

http://www.microsoft.com/sqlserver/2008/en/us/security.aspx: SQL Server 2008 Security

http://www.microsoft.com/sqlserver/: SQL Server Web site

http://technet.microsoft.com/en-us/sqlserver/: SQL Server TechCenter

http://msdn.microsoft.com/en-us/sqlserver/: SQL Server DevCenter 

 

Here is a link to the original white paper. For your convience I placed a copy of what was on the microsoft web site. I would encourage you to go to the original location. 

Auditing in SQL Server 2008

Posted Michael Corey,

Founder & CEO, Ntirety

www.ntirety.com

My Personal Twitter Account: Michael_Corey

Ntirety Corporate Twitter Account: Ntirety

Those of you, who know me, know I have spent a good part of my professional Career volunteering in User Groups.  I spent many years as President of the Independent Oracle Users Group and helped it become what it is today.  Along the way I met some great people and got to work closely with some of the most prominent people in the IT industry today. Along the way I also help found the Professional Association of SQL Server. I would encourage you if you have not become active with a professional association you should do it. You will look back on it as a very rewarding experience.

When I was approach to see if Ntirety would consider being  sponsor for the Microsoft SQL Server 2008 Loadfest Ntirety was happy to do it. 

More About Microsoft SQL Server 2008 Loadfest

Join us for the SQL Server Installfest and do a hands-on installation of SQL Server 2008.

Recommended Audience: IT Professionals

Location: Micriosoft, 201 Jones Road; Waltham MA; 6th Floor MPR

Date/Time: Friday 3/27/2009 8:00am - 5:00pm

Registration 8:00am - 9:00am

Click To Register for Microsoft SQL Server 2008 Loadfest

The Installfest session starts with a discussion of the different editions of SQL Server and where each might be appropriate. Before the installations there will be a discussion on preparation steps:

• Server sizing

• Preparing disks for SQL Server

• Security preparation



During the install process you’ll receive step-by-step instruction and live demonstration of the installation process. Several SQL Server experts will be on hand to help with any issues that might arise.



The session will follow up with post-install steps to prepare your SQL Server for production use. Tasks such as:

• Creating a backup strategy

• Database maintenance tasks like index-reorganization and DBCC

• Managing database growth



After the Loadfest session the day will continue with breakout sessions



Sponsored by:

New England SQL Server User Group

Boston Area Windows Server User Group

Novick Software, Inc.

Ntirety Database Administration As a Service "TM"

Microsoft

Breakout Sessions

• SQL Server Clinic – One-on-one help with installation or other SQL Server problems.

• Securing SQL Server – Configuration, encryption, auditing, and Defense Against the Dark Arts (hackers).

• Business Intelligence and Reporting

• Data in the Cloud – Moving data to the internet

• New features of T-SQL



So bring your laptop (or server if you like) and install SQL Server 2008. Plenty of power will be available but you will have to bring everything else (including media). There is limited capacity for people to bring computers so to reserve your spot send an email to Dan Stolts with "2009 SQL Loadfest" as the subject letting him know that you would like to bring a server for the load.  You can email him through his website at http://blogs.technet.com/danstolts/contact.aspx However, a computer is not required. There will be a demo install on a large screen for everyone to follow.  If you do want to participate, you should have the operating system already setup.  There will NOT be time to setup the OS before installing SQL.

Pizza and soda's supplied for lunch by www.ntirety.com

COST... FREE ... Thanks to the generous donations from www.ntirety.com.  If you get stuck with your server deployment afer all this great training or need help in maintaining any of your SQL servers, they will be happy to service you.



We may wrap up a little early but we will have some goodies to give out at the end of the day so plan on staying as long as you can.   Hope to see you there!

 

About Boston User Groups
Boston User Groups is a non-profit service organization established by community leaders for community leaders.  We are volunteers that want to give back to the community.  We want to share our many years of experience and develop community programs that truly make the New England Area a model for how the “technology community” can help the community.   We are committed to the success of the community leaders and their groups.  We will do anything and everything that we can to help these groups succeed.  We are mostly a collaboration mechanism to help user group leaders meet and exceed their group objectives. Boston User Groups known as BUG is a group that helps collaboration amoung technology groups and community leaders in the New England Region.  Vist online at http://www.bostonusergroup.org

About Ntirety
Ntirety - Database Administration As a Service “TM”.  Ntirety Database Administration service provides U.S. Based Database professionals leveraging best of breed technologies at an affordable monthly cost to Proactively Monitor, Manage, and Optimize, while providing additional bandwidth in the management of your Oracle and Microsoft SQL Server Database environments.

Posted Michael Corey,

Founder & CEO, Ntirety

www.ntirety.com

On Saturday November 29th, I reported on my blog the Microsoft Yahoo talks were back on.  I am sure this will go back and forth for a while. Its does not surprise me that Microsoft has tapped a senior executive from Yahoo for such a key position at Microsoft. Yahoo better be careful, Microsoft might go forward without them, and do it all themselves. As a Yahoo shareholder I would hate to see that happen.

Here is a copy of the Microsoft Press Release:

Microsoft Appoints Dr. Qi Lu to Run Online Services Group

Yahoo! veteran to oversee Internet offerings for consumers, advertisers and publishers.

REDMOND, Wash. — Dec. 4, 2008 — Microsoft Corp. today announced that Dr. Qi Lu will join the company as president of the Online Services Group. Dr. Lu will lead Microsoft’s efforts in search and online advertising and all the company’s online information and communications services. Dr. Lu will report to Microsoft Chief Executive Officer Steve Ballmer.

Lu, 47, most recently served as executive vice president of Engineering for the Search and Advertising Technology Group at Yahoo!, where he was responsible for development efforts around Yahoo!’s Web search and monetization platforms. Dr. Lu left Yahoo! in August 2008 after 10 years of service.

“I am tremendously excited to welcome Qi to Microsoft,” Ballmer said. “Dr. Lu’s deep technical expertise, leadership capabilities and hard-working mentality are well-known in the technology industry, and Microsoft will benefit from his addition to our executive management team.”

“I am genuinely excited about the opportunities ahead for Microsoft to make an enormous impact on the online industry,” Dr. Lu said. “Microsoft has built a great foundation for its search and advertising technologies and put an amazing team of researchers and engineers in place to drive the next wave of innovation in online services. I’m looking forward to working with them to help transform the way people and businesses use the Internet to find and share information.”

Before his most recent role at Yahoo!, Lu was vice president of engineering responsible for the technology development of Yahoo!’s Search and Marketplace business unit, which includes the company’s search, e-commerce, and local listings of businesses and products.

Before joining Yahoo! in 1998, Dr. Lu was a Research Staff Member at IBM Almaden Research Center. Before IBM, Dr. Lu worked at Carnegie Mellon University as a Research Associate, and at Fudan University in China as a faculty member. Dr. Lu holds 20 U.S. patents, and received his bachelor of science and master of science in computer science from Fudan University and his Ph.D. in computer science from Carnegie Mellon University.

Lu’s first day at Microsoft will be Jan. 5, 2009. In his role running the Online Services Group, he will oversee several groups including the Advertiser & Publisher Solutions business, managed by Scott Howe who was promoted to corporate vice president; the Online Audience business, managed by Senior Vice President Yusuf Mehdi; OSG Research & Development, managed by Senior Vice President Satya Nadella; and OSG Finance, managed by Rik van der Kooi who was promoted to corporate vice president.

With the successful integration of aQuantive now complete, Brian McAndrews, former CEO of aQuantive and senior vice president of Microsoft’s Advertiser & Publisher Solutions Group, has decided to transition out of Microsoft, and will do so over the next several months, serving in a consultative capacity to Steve Ballmer and Qi Lu during that time.

“Brian McAndrews built a world-class business for advertisers and publishers and led the successful integration of aQuantive into Microsoft, setting the foundation for our next phase of growth,” Ballmer said. “While I am sorry to see Brian leave the company, I respect and understand his decision and wish him nothing but the best in the future.”

“I also want to congratulate Scott and Rik on their well-deserved promotions and look forward to their leadership in the Online Services Group alongside Qi, Yusuf and Satya,” Ballmer said.

As part of today’s announcement, several teams will move to further align resources. The field sales organizations in the Online Services Group will move to Microsoft’s centralized Sales, Marketing and Services Group led by chief operating officer Kevin Turner. This group, called Consumer & Online, will be led by Corporate Vice President Darren Huston and will include the Global Advertising Sales and Services organization, led by vice president Bill Shaughnessy.

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass on Microsoft’s corporate information pages. Web links, telephone numbers and titles were correct at time of publication, but may since have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/presspass/contactpr.mspx.

To go to the original Microsoft Press Release...

Microsoft Appoints Dr. Qi Lu to Run Online Services Group

Fresh Off the Press From Microsoft. December 10th

New President of Online Services Group Sees Chance to Make Impact at Microsoft

Q&A: Qi Lu discusses what attracted him to Microsoft and how he plans to boost the company’s efforts in online search and advertising.

REDMOND, WASH. – Dec. 10, 2008 – On Dec. 4, Microsoft announced Qi Lu had been hired as president of the Online Services Group. Lu will lead Microsoft’s efforts to expand and strengthen its search and online advertising efforts.

Lu comes to Microsoft four months after leaving Yahoo!, where he most recently held the position of executive vice president of Engineering for the Search and Advertising Technology Group. During his 10 years at Yahoo, Lu gained a reputation as top-tier technologist and superb manager. Before joining Yahoo! in 1998, Lu was a Research Staff Member at IBM’s Almaden Research Center. He also has worked at Carnegie Mellon University as a Research Associate and at Fudan University in China as a faculty member. Lu holds 20 U.S. patents, and received his Bachelor of Science and Master of Science in computer science from Fudan University in Shanghai, and his Ph.D. in computer science from Carnegie Mellon University in Pittsburgh, Pa.

PressPass spoke with Lu shortly after the announcement of his new position.

PressPass: Why Microsoft? What was behind your decision to take this new role?

Dr. Qi Lu speaks to Microsoft employees at a Town Hall event on Dec. 8 in Redmond, Wash. Lu will join Microsoft as president of the Online Services Group effective Jan. 5, 2009. Click for high-res version.

Lu: For me, the answer is impact. In my professional career the biggest motivating factor for me is always being in a position to have great impact in what I do. I'm always interested in being in a position or in a place to build the technologies, products or businesses that enable our customers, our users, to be able to do more and be more.

I cannot think of a better platform to have an impact than this position at Microsoft, because we have tremendous opportunities ahead to achieve great impact for our users, our customers and our industry. That's why I'm very excited about this opportunity.

PressPass: When you say you can have an impact through Microsoft, what is it you mean?

Lu: Specifically, it’s the strength of technology and the talent at Microsoft – along with a broad-based online audience, the foundations of its search products and the assets in our advertising platforms. All those things enable our products and our businesses to reach vast numbers of users and customers so we can make a tremendous contribution to our industry as a whole.

PressPass: When you were at Yahoo!, how do you view Microsoft as a competitor?

Lu: I’ve always had a great deal of respect for Microsoft as a company. In my view, Microsoft is one of the most, if not the most, successful companies in terms of value creation, and in terms of producing technology and products that transform society. In my view, Microsoft is a company that really brought computing to every household, and that created a tremendous amount of value to the users and to the overall economy.

As a competitor, you never cut out Microsoft. They keep coming at you. In that way, I’ve always held Microsoft in very high regard.

Also, the people at Microsoft are extraordinary technologists – extremely capable, bright individuals. So, from the standpoint of looking in from the outside, there is tremendous strength in the core talent of Microsoft’s R&D. In my view, this is one of the key foundations of building winning products and winning business in the marketplace.

PressPass: Steve Ballmer recruited you to join Microsoft. How did he make his pitch?

Lu: Steve and I first met last September, in a hotel in San Jose, California. We spent almost half a day talking. We talked about the competitive landscape, about the possibility to really innovate and take the user experience [of Microsoft’s search capabilities] to the next level, and about creating a more competitive space, particularly in the search space. We all believe that it's better for everybody involved when we have a healthy, more competitive environment.

Two things he said really stood out. First was the level of commitment on investment. Steve made it very clear how he views that as critical for the long-term future of Microsoft, and his strong commitment to invest in R&D resources is very, very important to me.

The other thing Steve said that helped convince me this was the right thing for me to do was his commitment to product quality, because you compete in the marketplace on the strength of the product that you bring to the market. You must have a strong commitment to protect the quality of the user experience in the product that you build.

PressPass: When you look broadly at the search space, what sorts of trends do you see playing out over the next year or two?

Lu: There are tremendous opportunities for product innovation, and there are several key forces that are driving us towards that.

One is the advent of more powerful computing infrastructures, [such as] cloud computing infrastructures that enable R&D teams to go through a vast amount of data and find and fix problems very, very quickly. This enables teams to improve the product quality at a much faster rate, and also will help us better understand user intent when they do a search. And the more we understand user intent, the more we can present better search results and an overall search experience that is dramatically improved from where we are today, whether it's through better completion of a particular task or the discovery of very useful and interesting information.

Another trend is the Web as a platform for publishing all sorts of content. There is more and more rich and fresh content, and more engaging social content. So, there is a lot more material to work with. If we're able to understand user intent better, and combine that with the richer content available out there, we will be able to produce a very engaging search experience.

PressPass: Where do you see the opportunities for Microsoft in the search and online space?

Lu: First, I think there is a genuine opportunity to take our search products to the next level. I see that Microsoft's search product quality is improving at a very, very fast rate, that there are great foundations there. And with the technology base, the talent base, the computing infrastructures, I'm confident that we will be in a position to produce a differentiated and compelling search experience.

The second opportunity is to continue building a very powerful advertising platform. Microsoft has made a series of strategic acquisitions, and also built a bunch of internal technologies and products. The key is to put all those assets together to build powerful, highly scalable advertising platforms. The advertising we see today will be very different in the future because of new platforms for it. Ads will be truly relevant and useful, and the experience will be compelling.

PressPass: Whenever anyone talks about competition in search, the target always is Google. Are they catchable?

Lu: Well, we're here to win, and my view on this is that to win in the search space, fundamentally you build on the strengths of your product. And we know what it takes to build a compelling user experience and winning product, which is to have a powerful infrastructure, great talent and put great processes in place so that we can out-develop, out-market, out-innovate our competitors.

But make no mistake; I think Google is a very, very powerful company. They are definitely ahead in the search space. There are a lot of challenges ahead. We've got our work cut out for us.

PressPass: You begin your new job January 5. What will be your first priority?

Lu: I would say hit the gym first. That's actually literally what I do first. Usually I get up reasonably early and try to hit the gym.

But seriously, I'm very much looking forward to hit the ground running. I will try to meet with lots of people, teams, individuals, and work very closely with my directs, my staff and their direct staff to try to get up to speed as fast as I can. I want to make sure the whole organization is very clear on what we are trying to hit, and is energized about our mission and our goals. We have a clear path from where we are today, to where we need to be, and to reach that next level we need to keep executing and building winning products.

Posted Michael Corey,

Founder & CEO, Ntirety

www.ntirety.com