Common Criteria Compliance: A True Story
Published On: May 26, 2016
Categories: Alerting, Advisory Conditions, Custom Conditions 0
In the latest SQL Sentry Custom Conditions Pack, a new condition named 'Common Criteria Compliance' Enabled was added. This setting, as its name implies, assists in meeting international computer security compliance standards known as Common Criteria, and has been available in Enterprise Edition since SQL Server 2008 R2.
The setting is found on the Security page of Server Properties:
Common Criteria Compliance allows the following to occur:
- Residual Information Protection (RIP)
- The ability to view login statistics
- That column GRANT should not override table DENY
While the Common Criteria Compliance setting offers a great feature for those who need to use it, it does create additional overhead, and will have some level of impact to your server's performance. A vitally important detail when it comes to enabling this setting is that it doesn't take effect until after the server has been restarted. This is where the custom condition comes into play, allowing you to set an alert in case the feature is set to enabled, whether the server has already been restarted or not, and hopefully preventing an unwanted performance issue from occurring.
You might think we're being overly cautious about this setting, but there is a little story behind it.
Once upon a time, long before I worked at SQL Sentry and could not possibly be at fault for this, a server suddenly began to exhibit performance issues. That ill-performing server had recently been restarted and there had been no recent changes that would have explained its decline in performance. A valiant Sentry set forth post-haste on a quest to save the server from whatever sorcery had caused it to fall ill, vowing to return it to full health! That brilliant Sentry, who (unfortunately this time) was also not me, discovered that Common Criteria Compliance was enabled. The setting had been changed long before the server was restarted, but the effects of the change were not seen at that time (typical warlock magic). Thanks to the Sentry's heroic efforts, the server made a full recovery from this affliction, and everyone at SQL Sentry rejoiced and danced through the hallways, eventually making their way out onto the streets of Huntersville into a grand parade of celebration. At least I think that's what happened; I wasn't exactly there.
Common Criteria Compliance is a setting you will want to be cautious about using if you do not absolutely need it. It could go into effect at an unexpected time, including upon failover, and the 'Common Criteria Compliance' Enabled custom condition will help you catch when the setting has been enabled.
Melissa is the Product Education Manager at SentryOne. Melissa has over a decade of experience with SQL Server through software performance and scalability testing, analysis and research projects, application development, and technical support.