SQL Sentry Quick Start 27
9 SQL Sentry Security Overview
The Quick Start Guide covers the following topics related to SQL Sentry Security, including required permissions for the various SQL Sentry components.
Security Topic / Description

Monitoring Service Security
    This topic discusses the permissions required by the SQL Sentry Monitoring Service account when watching (monitoring) Connections.
Client Security
    This topic discusses the permissions required when running the SQL Sentry Client, including scenarios in which the Client connects directly to a monitored server.
Watching Servers Across Domains
    This topic is a brief overview of the options available for watching (monitoring) servers across domains, including information about pass-through authentication and configuring SQL Sentry Sites within your environment.
Non-Windows Environment
    This topic discusses the options for watching (monitoring) Connections in a non-Windows environment, including pass-through authentication.
SQL Sentry Performance Advisor
    See this section for advanced information about the Performance Advisor Security Requirements, including Port Requirements for monitored servers.
The User Guide covers the following topics related to restricting user access within SQL Sentry.
Security Topic / Description

Rights Based Security
    This topic discusses restricting user access within the SQL Sentry Client based on Windows and SQL Server Authentication accounts.
Role Based Security
    This topic discusses restricting user access within the SQL Sentry Client based on SQL Sentry Database roles.
9.1 Monitoring Service Security
The SQL Sentry Monitoring Service is a Windows service that runs in the context of a domain account. This account must have sysadmin privileges on each watched SQL Server. The account must also have Windows Administrator privileges on any computer with a watched Windows Task Scheduler connection, or on which system-level performance metrics are collected with SQL Sentry Performance Advisor.
©2015 SQL Sentry. All Rights Reserved.
It is not necessary for this account to be a Domain Administrator account. Instead, it is recommended that the service account be a standard domain user account that has been added to the local Administrators group of each monitored target. For more information about security and SQL Sentry Performance Advisor, please see the Performance Advisor Security Requirements topic.
Note: As of SQL Server 2008, the local Administrators group of a Windows server is no longer automatically granted access to a SQL Server instance installed on that server. Keep this in mind when installing SQL Sentry for use with SQL Server 2008 and later. Likewise, adding the service account to the local Windows Administrators group of the SQL Sentry Database server does not automatically grant the service account access to the SQL Sentry Database; that access must be granted separately.
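The following PowerShell script is an added example, not SQL Sentry's own code, that checks the point made in the note above: from a workstation with sysadmin rights it verifies that the Monitoring Service account actually holds a SQL Server login and sysadmin membership on each watched instance, and at least a login on the SQL Sentry Database server, rather than relying on local Administrators membership. The account name and instance names (CONTOSO\svc_sqlsentry, SQL01, SQL02\INST1, SENTRYDB) are assumptions to replace with your own.

```powershell
# Added example, not SQL Sentry's own code. Account and instance names are assumptions.
$serviceAccount = 'CONTOSO\svc_sqlsentry'        # assumed Monitoring Service account
$watched        = @('SQL01', 'SQL02\INST1')      # assumed watched instances
$sentryDbServer = 'SENTRYDB'                     # assumed SQL Sentry Database server

function Test-SentryServiceLogin {
    param(
        [Parameter(Mandatory)] [string] $Instance,
        [Parameter(Mandatory)] [string] $Account
    )
    # Connect as the interactive user; the query inspects the service
    # account's login and role membership, not the caller's own rights.
    $cs   = "Server=$Instance;Integrated Security=SSPI;Connection Timeout=15"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # IS_SRVROLEMEMBER returns NULL for an unknown login, hence the ISNULL.
        $cmd.CommandText = @"
SELECT CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @acct)
            THEN 1 ELSE 0 END                          AS HasLogin,
       ISNULL(IS_SRVROLEMEMBER('sysadmin', @acct), 0)  AS IsSysadmin;
"@
        $null = $cmd.Parameters.AddWithValue('@acct', $Account)
        $rdr  = $cmd.ExecuteReader()
        $null = $rdr.Read()
        [pscustomobject]@{
            Instance   = $Instance
            HasLogin   = [bool]$rdr['HasLogin']
            IsSysadmin = [bool]$rdr['IsSysadmin']
        }
    }
    finally { $conn.Dispose() }
}

# Sysadmin is required on every watched instance. On the SQL Sentry Database
# server the account needs a login plus access to the SQL Sentry Database,
# which must be granted separately; local Administrators membership gives
# neither on SQL Server 2008 and later.
$results  = @(foreach ($i in $watched) { Test-SentryServiceLogin -Instance $i -Account $serviceAccount })
$results += Test-SentryServiceLogin -Instance $sentryDbServer -Account $serviceAccount
$results | Format-Table -AutoSize

# To grant what is missing, run on that instance as a sysadmin:
#   CREATE LOGIN [CONTOSO\svc_sqlsentry] FROM WINDOWS;
#   ALTER SERVER ROLE sysadmin ADD MEMBER [CONTOSO\svc_sqlsentry];   -- watched instances only
#   (SQL Server 2008 / 2008 R2: EXEC sp_addsrvrolemember 'CONTOSO\svc_sqlsentry', 'sysadmin';)
```

A row showing HasLogin = False on the SQL Sentry Database server, or IsSysadmin = False on a watched instance, is exactly the situation the note warns about and will surface later as a failed watch.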
CHANGING THE MONITORING SERVICE CREDENTIALS
After the initial installation, the Service Configuration Utility is used to update or change the credentials of the SQL Sentry Monitoring Service account. The Service Configuration Utility can be accessed within the SQL Sentry program group in the Windows Start Menu.
Using the Service Configuration Utility is the only supported way of changing the SQL Sentry Monitoring Service credentials. For more information please see the Service Configuration Utility topic in the SQL Sentry User Guide.
MONITORING SERVICE CONNECTION PROPERTIES
If you are monitoring a server with SQL Sentry Event Manager and do not need Event Manager's General Performance Monitoring features, you may configure the Monitoring Service to use SQL Server Authentication for that Connection. This is done through the Connection's Monitoring Service Connection Properties.
To access the Monitoring Service Connection Properties for a Connection, right-click the Connection and choose the Monitoring Service Connection Properties command. In the Connection Properties dialog, uncheck Use Integrated Authentication, and enter the SQL Server Authentication account you would like the Monitoring Service to use for the Connection.
Important: If you configure SQL Authentication for a Connection that is being monitored with SQL Sentry Performance Advisor, Performance Advisor will not be able to collect Windows-level metrics for that Connection. This is because Performance Advisor collects various performance and configuration data directly from Windows, and requires a higher level of access to the operating system than Event Manager does. See the Performance Advisor Security Requirements topic for more information.
STARTING THE MONITORING SERVICE
The SQL Sentry Monitoring Service will start automatically after installation. It will become active upon detecting a valid license on the SQL Sentry Database. If for some reason the Service fails to start, you may follow these directions to start the service manually.
1. Select the Services icon from Control Panel -> Administrative Tools.
2. From the list of services select SQL Sentry Monitoring Service, then right-click and select "Start", or click the "Play" button on the toolbar.
REQUIRED PERMISSIONS FOR ORACLE DATABASES
The user accounts that the SQL Sentry Client and Monitoring Service use when connecting to Oracle servers must be granted "view" privileges on the sys schema at a minimum. In order to run, enable, or disable a DBMS job using the Client, you must be the owner of the job. In order to run, enable, disable, or reschedule a Scheduler job, you must be either the owner of the job, or a user that has been granted the "alter" privilege on the job.
Note: SQL Sentry's Oracle support requires the Oracle client connection software to be installed on each SQL Sentry Client machine and on each SQL Sentry Monitoring Service machine. The full Oracle client, including the Oracle Data Access Components (ODAC) and Oracle Data Provider (ODP) components, is required. Oracle client versions prior to 9i, though they may work, are not supported.
9.2 Client Security
Although the SQL Sentry Client receives the majority of its information from the SQL Sentry Database, there are times when the Client must connect directly to a monitored server in order to retrieve information.
WHEN DOES THE SQL SENTRY CLIENT CONNECT DIRECTLY TO A MONITORED SERVER?
The SQL Sentry Client connects directly to a monitored server when:
    a Connection is Watched
    a real-time action is initiated
    a job is manually started or stopped
    a job is rescheduled
    a QuickTrace is run
The SQL Sentry Client will also connect directly to the monitored server when a forced metadata and history sync is performed. Holding CTRL while clicking Refresh on the toolbar performs this action. This differs from clicking the Refresh button alone, which only retrieves information from the SQL Sentry Database.
AUTHENTICATION METHOD USED WHEN THE CLIENT CONNECTS TO A MONITORED SERVER
In those cases where the Client does need to connect directly to a monitored Connection, the authentication method used depends on the User Connection Properties specified for that Connection. By default, the Client uses the credentials of the interactive user whenever it needs to connect directly to a Connection.
As an alternative to integrated authentication, you may specify database-specific credentials in the User Connection Properties. The User Connection Properties for a Connection can be accessed through the right-click context menu of the Connection. First clear the Use Integrated Authentication check box, then enter the desired account information. For example, for a SQL Server Connection you would enter a SQL Server Authentication account with the desired Server Role.
SHARED GROUPS NODE VS SQL SERVER REGISTRATIONS NODE
There are a few differences in how authentication works depending on whether you are accessing the Connection from the context of the Shared Groups node or the context of the SQL Server Registrations node in the Navigator pane.
For SQL Server Connections accessed within the context of the Shared Groups node, Windows authentication is used by default. However, if you have specified SQL Server credentials using the User Connection Properties context item, those credentials are used instead.
For SQL Server Connections accessed within the context of the SQL Server Registrations node, the Client uses the authentication method and credentials defined for the corresponding SSMS registration. This is also referred to as the "native registration" and is accessed using the connection's Edit Registration Properties context menu item.
If SQL Server authentication credentials are set using the User Connection Properties context item, those credentials are used instead, effectively overriding the authentication settings of the native registration. The initial connection to the target is always made with the native registration credentials, however, so that the Client can ascertain the true identity of the SQL Server and ensure it isn't already being watched under a different name, as can happen when an alias has been configured for the server.
RESTRICTING ACCESS AND SERVER VISIBILITY IN THE SQL SENTRY CLIENT
For information about restricting user access within the SQL Sentry Client based on Windows and SQL Server Authentication accounts, see the Rights Based Security topic in the SQL Sentry User Guide.
For information about restricting user access within the SQL Sentry Client based on SQL Sentry Database roles, see the Role Based Security topic in the SQL Sentry User Guide.
9.3 Watching Servers Across Domains
It is possible to monitor/watch connections across domains with SQL Sentry even when there is no trust relationship between them. The best option to achieve this depends on the resources available and number of servers you wish to watch. See below for a short explanation of each option; select the associated link for more information.
OPTIONS FOR WATCHING SERVERS ACROSS DOMAINS
Option / Description

Pass-through Authentication
    Pass-through authentication enables Windows computers in different domains or in non-Windows network environments to communicate with one another by using identical user accounts and passwords on each computer. This solution is ideal when you only need to monitor a few servers outside of your primary domain and do not have the resources available to install another Monitoring Service in the secondary domain.
Site Configuration
    Sites represent a logical grouping of Computers, Connections, SMTP Servers, and Monitoring Services within your SQL Sentry environment. With the Site Configuration option, you install a SQL Sentry Monitoring Service in each domain/location where you have servers that you wish to monitor. Each Monitoring Service polls only the servers in its own domain. A Monitoring Service located outside of your primary domain uses either pass-through authentication or SQL Server authentication to communicate with the SQL Sentry Database server. This solution is ideal if you need to monitor a large number of servers outside of your primary domain, or servers which are geographically separated from your main installation. It also requires that you have the resources available in the secondary location to install a Monitoring Service.
9.3.1 Pass-through Authentication
Pass-through authentication enables Windows computers in different domains or in non-Windows network environments to communicate with one another by using identical user accounts and passwords on each computer.
For example, if user "JoeDBA" with password "SQLrocks!" is created on SERVER1 and SERVER2, JoeDBA will be able to connect and authenticate directly from SERVER1 to SERVER2, and vice versa, without using domain-level authentication.
It is the job of the SQL Sentry Monitoring Service to collect data from monitored targets, then store the data in the SQL Sentry Database for analysis with the SQL Sentry Client. In the above scenario, SERVER1 may be the computer where the SQL Sentry Monitoring Service is running, and SERVER2 either the monitored computer or the computer where the SQL Sentry Database resides.
Note: Additional configuration may be required on machines running Windows Vista and later, which introduced User Account Control (UAC). When a remote connection is made using pass-through authentication, the machine is unable to resolve elevated permissions under UAC, and for WMI and registry purposes the account is treated as a regular (non-admin) user, even if the account is a member of the local Administrators group.
Please see the Performance Advisor: WMI or Registry Access KB article for more information and configuration details about using pass-through authentication on Windows Vista and later.
Important: SQL Server authentication can be used for any watched Event Manager SQL Server connection via the connection's "Monitoring Service Connection Properties" context menu item. This can eliminate the need for pass-through authentication if SQL Sentry's performance monitoring isn't being used to collect Windows performance counters from the target servers, and if you aren't monitoring the server with Performance Advisor or the Event Manager Windows Task Scheduler connection.
If performance monitoring is required either via SQL Sentry Performance Advisor or you need to watch a Windows Task Scheduler, pass-through authentication may still be required.
9.4 Least Privilege General Performance Monitoring
For an overview of the performance monitoring features available with SQL Sentry Event Manager, please see the Schedule Performance Monitoring topic in the SQL Sentry User Guide. It is possible to collect performance counter data in SQL Sentry Event Manager without Windows Administrator privileges.
First, add the SQL Sentry Monitoring Service account to the Performance Monitor Users local group of the machine on which the Monitoring Service is installed. Next, for the service to be able to read the performance counters of your watched connections remotely, grant the service account read access to the registry key below. On each machine from which you wish to collect performance counters, follow these steps.
1. Navigate to the winreg key located at the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
2. Right click on the winreg key and select Permissions. Add the SQL Sentry Monitoring Service account.
3. Restart Windows
NOTE: For general information on editing the Windows Registry see Microsoft KB article 256986 .
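The PowerShell below is an added example, not SQL Sentry's own code, that performs the group membership and winreg permission steps above for a least-privilege service account and then verifies that the resulting ACL entry grants Read and nothing broader. The account name CONTOSO\svc_sqlsentry and the Monitoring Service host name SENTRYSVC are assumptions; for a pass-through account use the local account name instead. Run it from an elevated PowerShell session.

```powershell
# Added example, not SQL Sentry's own code. Run elevated. Names are assumptions.
$serviceAccount = 'CONTOSO\svc_sqlsentry'   # assumed service account
$monitoringHost = 'SENTRYSVC'               # assumed name of the Monitoring Service host

# Step 1 (Monitoring Service host only): membership in the built-in
# Performance Monitor Users group lets the service read counters without
# being a local Administrator. Add-LocalGroupMember ships with Windows
# PowerShell 5.1 and later; it errors if the account is already a member.
if ($env:COMPUTERNAME -eq $monitoringHost) {
    Add-LocalGroupMember -Group 'Performance Monitor Users' -Member $serviceAccount -ErrorAction SilentlyContinue
}

# Step 2 (every machine whose counters are collected remotely): grant Read on
# the winreg key. Its ACL decides who may open the remote registry at all,
# and remote performance counter reads go through the remote registry.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$acl  = Get-Acl -Path $keyPath
$rule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $serviceAccount,
    [System.Security.AccessControl.RegistryRights]::ReadKey,          # Read, not FullControl
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify: the account should appear with ReadKey only and no Deny entry.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount } |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited

# Step 3: the guide says to restart Windows for the change to take effect.
# Restart-Computer -Confirm
```

Granting ReadKey rather than FullControl on winreg is the point of the least-privilege setup: the account can open the remote registry for counter reads but cannot change who else may.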
SEE ALSO
Schedule Performance Monitoring
General Performance Monitoring
9.5 Non-Windows Network Environment Security
If you are not using Windows Active Directory for domain management, you may need to take additional steps to ensure SQL Sentry will work properly. The primary means by which this is accomplished is Windows pass-through authentication.
SQL Server authentication can be used for any watched SQL Server connection in a non-Windows network using a connection's "Monitoring Service Connection Properties" context item.
SQL SENTRY CLIENT
In non-Windows networks, in order to connect to watched SQL Servers using the SQL Sentry Client you must either:
1. Use SQL Server authentication for the SQL Server registrations or the SQL Server connection, or
2. Use Windows pass-through authentication. This means the Windows user running the SQL Sentry Client must also exist on the target SQL Server computer, and the user name and password on each computer must match exactly.
SQL SENTRY MONITORING SERVICE
Pass-through authentication is the only means by which the SQL Sentry Monitoring Service can collect Windows performance counters or watch Windows Task Scheduler in a non-Windows network environment. Therefore the service user account must exist both on the service computer and on all monitored computers, and the user name and password must match exactly.
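The script below is an added example, not SQL Sentry's own code, that checks a pass-through setup before the Monitoring Service is pointed at a target; it applies both to the cross-domain case in 9.3.1 and to the non-Windows network case in this section. Run it on the Monitoring Service host (SERVER1 in the text) while logged on as the pass-through account, for example by starting PowerShell with runas /user:SERVER1\JoeDBA, so that every remote call uses the same local account that also exists on the target. It exercises the three things the service needs without a domain: remote WMI, the remote registry, and performance counters. SERVER2 and JoeDBA are the guide's illustrative names, not real hosts, and the counter path used is an assumption.

```powershell
# Added example, not SQL Sentry's own code. Run as the pass-through account on
# the Monitoring Service host. SERVER2 and JoeDBA are illustrative names.
$target          = 'SERVER2'
$expectedAccount = 'JoeDBA'

function Test-PassThroughAccess {
    param([Parameter(Mandatory)] [string] $ComputerName)
    $r = [ordered]@{ Target = $ComputerName }

    # 0. Record who is making the calls; pass-through only works if this is
    #    the account that also exists (same password) on the target.
    $r.RunningAs = [Security.Principal.WindowsIdentity]::GetCurrent().Name

    # 1. Remote WMI over DCOM. Remote Enable on root\cimv2 is granted only to
    #    Administrators by default, so a local admin whose token UAC has
    #    filtered to a standard user fails here: the symptom the 9.3.1 note describes.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $r.Wmi = "OK ($($os.Caption))"
    } catch { $r.Wmi = "FAIL: $($_.Exception.Message)" }

    # 2. Remote registry, gated by the ACL on the winreg key (see 9.4).
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $sub  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $r.RemoteRegistry = "OK (build $($sub.GetValue('CurrentBuild')))"
        $hklm.Close()
    } catch { $r.RemoteRegistry = "FAIL: $($_.Exception.Message)" }

    # 3. Performance counters, needed for Performance Advisor and for Event
    #    Manager performance monitoring. Counter path is an assumption.
    try {
        $c = Get-Counter -ComputerName $ComputerName -Counter '\Processor(_Total)\% Processor Time' -ErrorAction Stop
        $r.PerfCounters = 'OK ({0:N1}% CPU)' -f $c.CounterSamples[0].CookedValue
    } catch { $r.PerfCounters = "FAIL: $($_.Exception.Message)" }

    [pscustomobject]$r
}

$check = Test-PassThroughAccess -ComputerName $target
if ($check.RunningAs -notlike "*\$expectedAccount") {
    Write-Warning "Running as $($check.RunningAs); re-run as $expectedAccount or the result says nothing about pass-through."
}
$check | Format-List
```

A result with RemoteRegistry OK but Wmi FAIL on a Windows Vista or later target is the UAC token-filtering case: the account is a local Administrator on SERVER2 but is treated as a standard user over the network, and the KB article referenced in 9.3.1 is where to go next. If SQL Server authentication is all you need (no Windows counters, no Task Scheduler), skip pass-through entirely and set SQL Server credentials in the Monitoring Service Connection Properties instead.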