
Lab Answer Key: Module 4: Protecting Data With Encryption and Auditing Lab: Using Auditing and Encryption

1. The document provides instructions for using auditing and encryption in SQL Server. 2. It describes how to prepare the lab environment, create a server audit, and create a server audit specification to log successful login events. 3. Users are instructed to enable the audit, select successful logins from the actions list, and name the specification "audit_logins".

Uploaded by

Luis Correa

30/1/2019 Librería

Lab Answer Key: Module 4: Protecting Data with Encryption and Auditing

Lab: Using Auditing and Encryption

Exercise 1: Working with SQL Server Audit

Task 1: Prepare the Lab Environment

1. Ensure that the MT17B-WS2016-NAT, 20764C-MIA-DC, and 20764C-MIA-SQL
virtual machines are running, and then log on to 20764C-MIA-SQL as
ADVENTUREWORKS\Student with the password Pa55w.rd.

2. In the D:\Labfiles\Lab04\Starter folder, right-click Setup.cmd, and then click
Run as administrator.

3. In the User Account Control dialog box, click Yes, and then wait for the script
to finish.

Task 2: Create a Server Audit

1. Start SQL Server Management Studio and connect to the MIA-SQL database
engine using Windows authentication.

2. In Object Explorer, expand the Security node, right-click the Audits node, and
then click New Audit.

3. In the Create Audit dialog box, in the Audit name box, type activity_audit.

4. In the File path box, type D:\Labfiles\Lab04\Starter\Audit, and then click OK.
https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 1/10

5. In Object Explorer, expand the Audits node, right-click the activity_audit node,
and then click Enable Audit.

6. In the Enable Audit dialog box, click Close.

Task 3: Create a Server Audit Specification

1. In Object Explorer, right-click the Server Audit Specifications node, and then
click New Server Audit Specification.

2. In the Create Server Audit Specification dialog box, in the Name box, type
audit_logins.

3. In the Audit box, type activity_audit.


4. In the Actions box, in the Audit Action Type list, select the
SUCCESSFUL_LOGIN_GROUP value, and then click OK.

5. In Object Explorer, expand the Server Audit Specifications node, right-click
the audit_logins node, and then click Enable Server Audit Specification.

6. In the Enable Server Audit Specification dialog box, click Close.

7. In Object Explorer, collapse the Security node.

Task 4: Create a Database Audit Specification

1. In Object Explorer, expand the Databases node, expand the salesapp1 node,
and then expand the Security node.

2. Right-click the Database Audit Specifications node, and click New Database
Audit Specification.


3. In the Create Database Audit Specification dialog box, in the Name box, type
employees_change_audit, and in the Audit box, type activity_audit.

4. In the Actions box, in the Audit Action Type list, click the INSERT value.

5. In the Object Class list, on the first row, click OBJECT.


6. In the Object Name column, in the first row, click the ellipsis (…).

7. In the Select Objects dialog box, in the Enter the object names to select
(examples) box, type HR.Employees, and then click OK.

8. In the Principal Name column, in the first row, click the ellipsis (…).

9. In the Select Objects dialog box, in the Enter the object names to select
(examples) box, type public, and then click OK.

10. On the second row, in the Audit Action Type list, click the UPDATE value.

11. In the Object Class list on the second row, click OBJECT.

12. In the Object Name column, in the second row, click the ellipsis (…).

13. In the Select Objects window, in the Enter the object names to select
(examples) box, type HR.Employees, and then click OK.

14. In the Principal Name column, in the second row, click the ellipsis (…).

15. In the Select Objects window, in the Enter the object names to select
(examples) box, type public, and then click OK.

16. In the Create Database Audit Specification dialog box, click OK.

17. In Object Explorer, expand the Database Audit Specifications node, right-click
the employees_change_audit node, and then click Enable Database Audit
Specification.

18. In the Enable Database Audit Specification dialog box, click Close.
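
Added example (not part of the original lab): Tasks 2 to 4 scripted in T-SQL instead of through the SSMS dialogs, followed by catalog queries that confirm each object is enabled. All object names and the file path are the lab's own; the verification queries are an addition.

```sql
-- Added example: Exercise 1, Tasks 2-4 as a script. Names and path come from the lab.
USE master;
GO
-- Task 2: the audit defines the destination (a file target). It is created
-- disabled, which is why the lab has a separate "Enable Audit" step.
CREATE SERVER AUDIT activity_audit
TO FILE (FILEPATH = 'D:\Labfiles\Lab04\Starter\Audit');
GO
ALTER SERVER AUDIT activity_audit WITH (STATE = ON);
GO
-- Task 3: server-level specification with one action group.
CREATE SERVER AUDIT SPECIFICATION audit_logins
FOR SERVER AUDIT activity_audit
ADD (SUCCESSFUL_LOGIN_GROUP)
WITH (STATE = ON);
GO
-- Task 4: database-level specification. INSERT and UPDATE on HR.Employees
-- are recorded for every principal, because everyone is a member of public.
USE salesapp1;
GO
CREATE DATABASE AUDIT SPECIFICATION employees_change_audit
FOR SERVER AUDIT activity_audit
ADD (INSERT, UPDATE ON OBJECT::HR.Employees BY public)
WITH (STATE = ON);
GO
-- Check 1: the audit is started and writing to a file.
SELECT a.name, a.is_state_enabled, s.status_desc, s.audit_file_path
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id
WHERE a.name = 'activity_audit';

-- Check 2: the server specification is enabled.
SELECT name, is_state_enabled
FROM sys.server_audit_specifications
WHERE name = 'audit_logins';

-- Check 3: the database specification is enabled and covers the
-- expected actions, object and principal (run in salesapp1).
SELECT sp.name, sp.is_state_enabled, d.audit_action_name,
       OBJECT_SCHEMA_NAME(d.major_id) AS schema_name,
       OBJECT_NAME(d.major_id)        AS object_name,
       USER_NAME(d.audited_principal_id) AS audited_principal
FROM sys.database_audit_specifications AS sp
JOIN sys.database_audit_specification_details AS d
  ON d.database_specification_id = sp.database_specification_id
WHERE sp.name = 'employees_change_audit';
```

A specification that exists but shows is_state_enabled = 0 records nothing, so the three checks are worth keeping in any deployment script.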


Task 5: Generate Audited Activity

1. In SQL Server Management Studio, on the File menu, point to Open, and click
Project/Solution.

2. In the Open Project window, browse to D:\Labfiles\Lab04\Starter\Project, and
double-click Project.ssmssln.

3. In Solution Explorer, expand Queries, and then double-click the Lab Exercise
01 - audit activity.sql query.

4. Highlight the code under the heading Task 1, and click Execute.

Task 6: Review Audit Data


1. Under the heading Task 2, type:

SELECT *
FROM sys.fn_get_audit_file('D:\Labfiles\Lab04\Starter\Audit\*', default, default)
WHERE session_id = @@SPID;

2. Highlight the code you have typed and click Execute.

Task 7: Disable the Audit

1. In Object Explorer, under MIA-SQL, expand the Security node, expand the
Audits node, right-click activity_audit, and then click Disable Audit.


2. In the Disable Audit dialog box, click Close.

Result: After completing this exercise, you will be able to:


• Create a server audit.

• Create a server audit specification.

• Create a database audit specification.

• Retrieve audit data.

Exercise 2: Encrypt a Column with Always Encrypted

Task 1: Encrypt a Column

1. In SQL Server Management Studio, under MIA-SQL, under Databases, under
salesapp1, expand the Tables node, expand the Sales.Customers node, and
then expand the Columns node.

2. Right-click phone (nvarchar(24), not null), and click Encrypt Column.

3. In the Always Encrypted dialog box, on the Introduction page, click Next.

4. On the Column Selection page, under Sales.Customers, select the phone
row.

5. Change the value of the Encryption Type box to Randomized, and then click
Next.

6. On the Master Key Configuration page, click Next.

7. On the Run Settings page, click Next.

8. On the Summary page, click Finish.

9. When the encryption process has finished, click Close.



10. In Object Explorer, under salesapp1, under the Tables node, right-click
Sales.Customers, and then click Select top 1000 rows. Notice that the values
in the phone column are encrypted.

Task 2: View Always Encrypted Data from an Application

1. In File Explorer, navigate to D:\Labfiles\Lab04\Starter, right-click
query_encrypted_columns.ps1, and then click Run with PowerShell.

2. Review the output of the script. The script demonstrates how a change in the
connection string to enable the Column Encryption Setting property allows it
to decrypt the Always Encrypted column. This is possible because the script
has access to the column master key in the local Windows key store.

3. When you have finished reviewing the results, press Enter to close the
PowerShell window.

Result: After completing this exercise, you will be able to implement Always
Encrypted.
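
Added example (not part of the original lab): a catalog query that shows what the server itself knows about the column encrypted in Task 1. It lists each Always Encrypted column with its encryption type, its column encryption key, and the store and path of the column master key; the server holds only that path and an encrypted copy of the column encryption key, which is why decryption depends on the client having access to the key store, as Task 2 describes.

```sql
-- Added example: inventory of Always Encrypted columns in salesapp1.
USE salesapp1;
GO
SELECT
    OBJECT_SCHEMA_NAME(c.object_id) AS schema_name,
    OBJECT_NAME(c.object_id)        AS table_name,
    c.name                          AS column_name,
    c.encryption_type_desc,         -- RANDOMIZED for the lab's phone column
    c.encryption_algorithm_name,
    cek.name                        AS column_encryption_key,
    cmk.name                        AS column_master_key,
    cmk.key_store_provider_name,    -- which client-side key store holds the master key
    cmk.key_path                    -- location inside that store; no key material
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS cekv
  ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = cekv.column_master_key_id
WHERE c.encryption_type IS NOT NULL
ORDER BY schema_name, table_name, column_name;
GO
-- From a session without the Column Encryption Setting enabled, the column
-- comes back as ciphertext (varbinary), matching what Task 1, step 10 shows.
SELECT TOP (5) phone FROM Sales.Customers;
```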

Exercise 3: Encrypt a Database Using TDE


Task 1: Create a Service Master Key

1. In SQL Server Management Studio, in Solution Explorer, double-click the Lab
Exercise 03 - TDE.sql query.

2. Highlight the code under the heading for Task 1, and click Execute.


Task 2: Back Up the Service Master Key

1. Edit the query under the heading for Task 2 so that it reads:

BACKUP MASTER KEY TO FILE = 'D:\Labfiles\Lab04\Starter\Audit\smk.bak'
ENCRYPTION BY PASSWORD = 'iD2Z1i85saFyAiK7auzn$';

2. Highlight the query you have amended and click Execute.

Task 3: Create and Back Up a Server Certificate


1. Highlight the code under the heading for Task 3, and click Execute.

2. Edit the query under the heading for Task 4 so that it reads:

BACKUP CERTIFICATE TDE_cert
TO FILE = 'D:\Labfiles\Lab04\Starter\Audit\TDE_cert.bak'
WITH PRIVATE KEY
(
FILE = 'D:\Labfiles\Lab04\Starter\Audit\TDE_cert_pk.bak',
ENCRYPTION BY PASSWORD = '*R8vkULA5aKhp3ekGg1o3'
);
GO

3. Highlight the query you have amended and click Execute.

Task 4: Create a Database Encryption Key and Encrypt the salesapp1 Database


1. Edit the query under the heading for Task 5 so that it reads:

USE salesapp1;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE TDE_cert;
GO

2. Highlight the query you have amended and click Execute.

3. Highlight the code under the heading for Task 6, and click Execute.

4. Highlight the code under the heading for Task 7, click Execute, and then review
the results.

Task 5: Move the salesapp1 Database

1. In Object Explorer, under the Databases node, right-click salesapp1, point to
Tasks, and then click Detach.

2. In the Detach Database dialog box, select the Drop Connections check box,
and then click OK.

3. In Object Explorer, in the Connect list, click Database Engine.

4. Connect to MIA-SQL\SQL2 using Windows authentication.

5. In Object Explorer, under the MIA-SQL\SQL2 instance, right-click Databases
and click Attach.

6. In the Attach Databases dialog box, click Add.

7. In the Attach Databases dialog box, navigate to the
D:\Labfiles\Lab04\Starter\Setupfiles folder, click the salesapp1.mdf file, and
then click OK.

8. In the Microsoft SQL Server Management Studio dialog box, notice that an
error message is displayed because the certificate with which the database
encryption key is protected does not exist on the MIA-SQL\SQL2 instance.
Because of this, the data file cannot be attached. Click OK.

9. In the Attach Databases dialog box, click Cancel.

10. In Solution Explorer, double-click the Lab Exercise 03 - move DB.sql query.

11. On the Query menu, point to Connection, and then click Change Connection.

12. In the Connect to Database Engine dialog box, connect to the MIA-SQL\SQL2
database engine using Windows authentication.

13. Highlight the code under the heading for Task 10, and click Execute. This
creates a server master key on MIA-SQL\SQL2.

14. Highlight the code under the heading for Task 11, and click Execute. This
creates a certificate in the master database on MIA-SQL\SQL2 from the
backup files you created previously.

15. In Object Explorer, under the MIA-SQL\SQL2 instance, right-click Databases
and click Attach.

16. In the Attach Databases dialog box, click Add.


17. In the Attach Databases dialog box, navigate to the
D:\Labfiles\Lab04\Starter\Setupfiles folder, click the salesapp1.mdf file, and
then click OK.

18. In the Attach Databases dialog box, click OK.

19. Highlight the code under the heading for Task 12, and click Execute. This
queries the Sales.Customers table in the salesapp1 database.

20. Review the query results, and then close SQL Server Management Studio without
saving any files.
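
Added example (not the lab's own script files, whose contents are not shown in this answer key): one way to verify the TDE key chain on MIA-SQL and to rebuild it on MIA-SQL\SQL2 so that the attach in steps 15 to 18 succeeds. The certificate name, backup file paths and private key password are the ones used in Task 3; the master key password on SQL2 is a placeholder.

```sql
-- Added example. Run each part on the instance named in its comment.

-- Part A, on MIA-SQL once Task 4 has run: confirm that salesapp1 is encrypted
-- and identify the certificate that protects its database encryption key.
-- tempdb also appears here, because it is encrypted as soon as any database uses TDE.
SELECT DB_NAME(k.database_id)     AS database_name,
       k.encryption_state,        -- 2 = encryption in progress, 3 = encrypted
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name                     AS protecting_certificate,
       c.thumbprint,
       c.pvt_key_last_backup_date -- NULL means the private key was never backed up
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint;
GO

-- Part B, on MIA-SQL\SQL2 before attaching: rebuild the key hierarchy.
USE master;
GO
-- Placeholder password: it protects SQL2's own master key and does not
-- have to match anything on MIA-SQL.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<choose-a-strong-password>';
GO
-- Restore the certificate and its private key from the Task 3 backup files.
CREATE CERTIFICATE TDE_cert
FROM FILE = 'D:\Labfiles\Lab04\Starter\Audit\TDE_cert.bak'
WITH PRIVATE KEY
(
    FILE = 'D:\Labfiles\Lab04\Starter\Audit\TDE_cert_pk.bak',
    DECRYPTION BY PASSWORD = '*R8vkULA5aKhp3ekGg1o3'
);
GO
-- The thumbprint returned here must equal the one from Part A; if it does
-- not, the attach fails with the same error as in step 8.
SELECT name, thumbprint, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'TDE_cert';
```

The two certificate backup files together with the private key password are enough to open any copy of the database, so outside a lab they belong in a location separate from the data files and database backups.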

Result: After completing this exercise, you will be able to:


• Encrypt a database using TDE.

• Move an encrypted database to another SQL Server instance.