Table of Contents

- Administer Servers by Using Policy-Based Management
- Policy-Based Management Storage
- Configure the General Properties of Policy-Based Management
- Configure Alerts to Notify Policy Administrators of Policy Failures
- Create a Policy-Based Management Policy
- Create a New Policy-Based Management Condition
- View or Modify the Properties of a Policy-Based Management Policy
- View or Modify the Properties of a Policy-Based Management Condition
- Delete a Policy-Based Management Policy
- Delete a Policy-Based Management Condition
- Evaluate a Policy-Based Management Policy from an Object
- Evaluate a Policy-Based Management Policy from That Policy
- Evaluate a Policy-Based Management Policy on a Schedule
- Export a Policy-Based Management Policy
- Import a Policy-Based Management Policy
- Subscribe or Unsubscribe a Database to a Policy Category
- Manage Policy Categories
- Working with Policy-Based Management Facets
  - View the Policy-Based Management Facets on a SQL Server Object
  - View the Properties of a Policy-Based Management Facet
  - Copy a Policy-Based Management Facet State to an XML File
- Monitor and Enforce Best Practices by Using Policy-Based Management
  - Asymmetric Keys Encryption Strength
  - Check Disk Input and Output Subsystem for IO Delay Problems
  - Check Disk Input-Output Subsystem for Read Retry Problems
  - Check Integrity of Database with Suspect Pages
  - Correct Affinity Mask and Affinity Input and Output Mask Overlap
  - Default Trace Log Files Disabled
  - Detect Failed Input and Output Requests
  - Detect SCSI Host Adapter Issues
  - Device Driver Control Error
  - Device Not Ready Error
  - Disable Lightweight Pooling
  - Guest Permissions on User Databases
  - Input and Output Error During Hard Page Fault
  - Increase or Disable Blocked Threshold
  - Keep the Affinity Mask Default Value
  - Keep the Locks Configuration Option Default Value
  - Network Packet Size Should Not Exceed 8060 Bytes
  - Outdated Backup
  - Place Data and Log Files on Separate Drives
  - Server public Permissions
  - Set the AUTO_CLOSE Database Option to OFF
  - Set the AUTO_SHRINK Database Option to OFF
  - Set the Max Degree of Parallelism Option for Optimal Performance
  - Set the PAGE_VERIFY Database Option to CHECKSUM
  - SQL Server Login Password Expiration
  - SQL Server Login Password Strength
  - Storage System Input-Output Time-out
  - Symmetric Keys on System Databases
  - Symmetric Keys on User Databases
  - Trustworthy Bit
  - Unexpected System Failures
  - Use Database Mail Instead of SQL Mail
  - Verify Max Worker Threads Setting
- Policy Management Node (Object Explorer)
  - Create New Condition or Open Condition Dialog Box, General Page
  - Create New Condition or Open Condition Dialog Box, Description Page
  - Open Condition Dialog Box, Dependent Policies Page
  - Advanced Edit (Condition) Dialog Box
  - Create New Policy or Open Policy Dialog Box, General Page
  - Create New Policy or Open Policy Dialog Box, Description Page
  - View Policies Dialog Box
  - Evaluate Policies Dialog Box, Policy Selection Page
  - Evaluate Policies Dialog Box, Evaluation Results Page
  - Facet Properties Dialog Box, General Page
  - Facet Properties Dialog Box, Dependent Policies Page
  - Facet Properties Dialog Box, Dependent Conditions Page
  - Results Detailed View Dialog Box
  - View Facets Dialog Box
  - Select Source Dialog Box
  - Export As Policy Dialog Box
  - Import Policies Dialog Box
- Tutorial: Administering Servers by Using Policy-Based Management
  - Lesson 1: Create and Apply an Off By Default Policy
    - Lesson 1-1 - Create the Off By Default Policy
    - Lesson 1-2 - Configure a Server to Run the Off By Default Policy
  - Lesson 2: Create and Apply a Naming Standards Policy
    - Lesson 2-1 - Create the Finance Name Policy
    - Lesson 2-2 - Subscribe to and Check the Finance Name Policy

# Administer Servers by Using Policy-Based Management

3/24/2017 • 4 min to read

Policy-Based Management is a policy-based system for managing one or more instances of SQL Server. Use it to create conditions that contain condition expressions. Then create policies that apply the conditions to database target objects. For example, as the database administrator, you may want to ensure that certain servers do not have Database Mail enabled, so you create a condition and a policy that sets that server option.

IMPORTANT: Policies can affect how some features work. For example, change data capture and transactional replication both use the systranschemas table, which does not have an index. If you enable a policy that all tables must have an index, enforcing compliance with the policy will cause these features to fail.

Use SQL Server Management Studio to create and manage policies, to:

1. Select a Policy-Based Management facet that contains the properties to be configured.
2. Define a condition that specifies the state of a management facet.
3. Define a policy that contains the condition, additional conditions that filter the target sets, and the evaluation mode.
4. Check whether an instance of SQL Server is in compliance with the policy.

For failed policies, Object Explorer indicates a critical health warning as a red icon next to the target and the nodes that are higher in the Object Explorer tree.

NOTE: When the system computes the object set for a policy, by default the system objects are excluded. For example, if the object set of the policy refers to all tables, the policy will not apply to system tables. If users want to evaluate a policy against system objects, they can explicitly add system objects to the object set. However, though all policies are supported for the On schedule evaluation mode, for performance reasons not all policies with arbitrary object sets are supported for the On change evaluation modes. For more information, see http://blogs.msdn.com/b/sqlpbm/archive/2009/04/13/policy-evaluation-modes.aspx

## Three Policy-Based Management components

Policy-Based Management has three components:

- Policy management. Policy administrators create policies.
- Explicit administration. Administrators select one or more managed targets and explicitly check that the targets comply with a specific policy, or explicitly make the targets comply with a policy.
- Evaluation modes. There are four evaluation modes; three can be automated:

- On demand. This mode evaluates the policy when directly specified by the user.
- On change: prevent. This automated mode uses DDL triggers to prevent policy violations.

IMPORTANT: If the nested triggers server configuration option is disabled, On change: prevent will not work correctly. Policy-Based Management relies on DDL triggers to detect and roll back DDL operations that do not comply with policies that use this evaluation mode. Removing the Policy-Based Management DDL triggers or disabling nested triggers will cause this evaluation mode to fail or perform unexpectedly.

- On change: log only. This automated mode uses event notification to evaluate a policy when a relevant change is made.
- On schedule. This automated mode uses a SQL Server Agent job to periodically evaluate a policy.

When automated policies are not enabled, Policy-Based Management will not affect system performance.

## Terms

**Policy-Based Management managed target.** Entities that are managed by Policy-Based Management, such as an instance of the SQL Server Database Engine, a database, a table, or an index. All targets in a server instance form a target hierarchy. A target set is the set of targets that results from applying a set of target filters to the target hierarchy, for example, all the tables in the database owned by the HumanResources schema.

**Policy-Based Management facet.** A set of logical properties that model the behavior or characteristics for certain types of managed targets. The number and characteristics of the properties are built into the facet and can be added or removed only by the maker of the facet. A target type can implement one or more management facets, and a management facet can be implemented by one or more target types. Some properties of a facet can only apply to a specific version.

**Policy-Based Management condition.** A Boolean expression that specifies a set of allowed states of a Policy-Based Management managed target with regard to a management facet. SQL Server tries to observe collations when evaluating a condition. When SQL Server collations do not exactly match Windows collations, test your condition to determine how the algorithm resolves conflicts.

**Policy-Based Management policy.** A Policy-Based Management condition and the expected behavior, for example, evaluation mode, target filters, and schedule. A policy can contain only one condition. Policies can be enabled or disabled. Policies are stored in the msdb database.

**Policy-Based Management policy category.** A user-defined category to help manage policies. Users can classify policies into different policy categories. A policy belongs to one and only one policy category. Policy categories apply to databases and servers. At the database level, the following conditions apply:

- Database owners can subscribe a database to a set of policy categories.
- Only policies from its subscribed categories can govern a database.
- All databases implicitly subscribe to the default policy category.

At the server level, policy categories can be applied to all databases.

**Effective policy.** The effective policies of a target are those policies that govern this target. A policy is effective with regard to a target only if all the following conditions are satisfied:

- The policy is enabled.
- The target belongs to the target set of the policy.
- The target or one of the target's ancestors subscribes to the policy group that contains this policy.

## Links to specific tasks

- Store Policy-Based Management policies
- Configure Alerts to Notify Policy Administrators of Policy Failures
- Create a New Policy-Based Management Condition
- Delete a Policy-Based Management Condition
- View or Modify the Properties of a Policy-Based Management Condition
- Export a Policy-Based Management Policy
- Import a Policy-Based Management Policy
- Evaluate a Policy-Based Management Policy from an Object
- Work with Policy-Based Management Facets
- Monitor and Enforce Best Practices Using Policy-Based Management

## Examples

- Create the Off By Default Policy
- Configure a Server to Run the Off By Default Policy

## See also

Policy-Based Management Views (Transact-SQL)

# Policy-Based Management Storage

3/24/2017 • 1 min to read

Policies are stored in the msdb database. After a policy or condition is changed, msdb should be backed up. For more information, see Back Up and Restore of System Databases (SQL Server).

## Storing Policies

SQL Server 2016 includes policies that can be used to monitor an instance of SQL Server. By default, these policies are not installed on the Database Engine; however, they can be imported from the default installation location of C:\Program Files\Microsoft SQL Server\130\Tools\Policies\DatabaseEngine\1033.

You can directly create policies by using the File > New menu, and then saving them to a file. This enables you to create policies when you are not connected to an instance of the Database Engine.

Policy history for policies evaluated in the current instance of the Database Engine is maintained in msdb system tables. Policy history for policies applied to other instances of the Database Engine or applied to Reporting Services or Analysis Services is not retained.

# Configure the General Properties of Policy-Based Management

3/24/2017 • 1 min to read

This topic describes how to configure the properties for Policy-Based Management in SQL Server 2016 by using SQL Server Management Studio or Transact-SQL.

## Before You Begin

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To configure Policy-Based Management

1. In Object Explorer, click the plus sign to expand the server where you want to configure Policy-Based Management properties.
2. Click the plus sign to expand the Management folder.
3. Right-click Policy Management and select Properties.

   The following options are available in the Policy Management Properties dialog box:

   - Enabled: Specifies whether Policy-Based Management is enabled.
   - HistoryRetentionInDays: Specifies the number of days that policy evaluation history should be retained. If this value is 0 (the default), the history will not be automatically removed.
   - LogOnSuccess: Specifies whether Policy-Based Management logs successful policy evaluations. When this value is false (the default), only failed policy evaluations are logged. When this value is true, both successful and failed policy evaluations are logged.

4. When finished, click OK.

## Using Transact-SQL

### To configure Policy-Based Management

1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.

```sql
-- Enables Policy-Based Management.
USE msdb;
GO
EXEC dbo.sp_syspolicy_configure @name = N'Enabled', @value = 1;
GO
```
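The example above sets only the Enabled option. The following script is an added example, not part of the original topic: it sets all three options that the Policy Management Properties dialog box exposes (Enabled, HistoryRetentionInDays and LogOnSuccess) through the same sp_syspolicy_configure procedure, reads them back from the msdb.dbo.syspolicy_configuration view, and then runs the documented sp_syspolicy_purge_history procedure so the new retention window takes effect immediately. The 90-day retention value is a choice made for this example, not a recommendation from the page.

```sql
-- Added example: configure every Policy-Based Management option and verify it.
-- The 90-day retention value is an arbitrary choice for this example.
USE msdb;
GO

-- Enabled: 1 turns the feature on; 0 stops all automated evaluation.
EXEC dbo.sp_syspolicy_configure @name = N'Enabled', @value = 1;

-- HistoryRetentionInDays: 0 (the default) keeps evaluation history forever.
-- A finite window bounds msdb growth on a busy instance.
EXEC dbo.sp_syspolicy_configure @name = N'HistoryRetentionInDays', @value = 90;

-- LogOnSuccess: 1 records successful evaluations as well, so a compliance
-- report can prove that a scheduled policy actually ran, not only that it failed.
EXEC dbo.sp_syspolicy_configure @name = N'LogOnSuccess', @value = 1;
GO

-- Verify: the catalog view lists each option and its current value.
SELECT name, current_value
FROM dbo.syspolicy_configuration
ORDER BY name;
GO

-- Apply the retention window now instead of waiting for the
-- syspolicy_purge_history SQL Server Agent job to run.
EXEC dbo.sp_syspolicy_purge_history;
GO
```

Run the verification SELECT before and after the configuration batch; the three rows should change from their defaults (0, 0, 0) to 1, 90 and 1.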

For more information, see sp_syspolicy_configure (Transact-SQL).

# Configure Alerts to Notify Policy Administrators of Policy Failures

3/24/2017 • 1 min to read

When Policy-Based Management policies are executed in one of the three automated evaluation modes, if a policy violation occurs, a message is written to the event log. To be notified when this message is written to the event log, you can create an alert to detect the message and perform an action. The alert should detect the messages as shown in the following table.

| Execution mode | Message number |
| --- | --- |
| On change: prevent (if automatic) | 34050 |
| On change: prevent (if On demand) | 34051 |
| On schedule | 34052 |
| On change: log only | 34053 |

To set up an alert to respond to the Policy-Based Management error messages, see the following topics:

- Create an Operator
- Create an Alert Using an Error Number
- Assign Alerts to an Operator

## Permissions

When policies are evaluated on demand, they execute in the security context of the user. To write to the error log, the user must have ALTER TRACE permission or be a member of the sysadmin fixed server role. Policies that are evaluated by a user with fewer privileges will not write to the event log and will not fire an alert. The automated execution modes execute as a member of the sysadmin role, which allows the policy to write to the error log and raise an alert.

## Additional Considerations About Alerts

Be aware of the following additional considerations about alerts:

- Alerts are raised only for policies that are enabled. Because On demand policies cannot be enabled, alerts are not raised for policies that are executed on demand.
- If the action you want to take includes sending an e-mail message, you must configure a mail account. We recommend that you use Database Mail. For more information about how to set up Database Mail, see Create a Database Mail Account.

# Create a Policy-Based Management Policy

3/24/2017 • 2 min to read

This topic describes how to create a Policy-Based Management policy in SQL Server 2016 by using SQL Server Management Studio.

## Before You Begin

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To create a policy

1. In Object Explorer, click the plus sign to expand the server where you want to create a new Policy-Based Management policy.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Right-click the Policies folder and select New Policy.
5. In the Create New Policy dialog box, in the Name box, type the name of the new policy.
6. If you want the policy to be enabled as soon as it is created, select the Enabled check box. If the evaluation mode is On demand, the Enabled check box is not available.
7. In the Check condition list, select one of the existing conditions, or select New Condition. To edit a condition, select the condition and then click the ellipsis (...). For more information, see Create a New Policy-Based Management Condition or View or Modify the Properties of a Policy-Based Management Condition.
8. In the Against targets box, select one or more target types for this policy. Some conditions and facets can only be applied to certain types of targets. The available target sets appear in the associated box. Expand Every to select a filtering condition for some types of the targets. If no targets appear in this box, the check condition is scoped at the server level.
9. In the Evaluation Mode box, select how this policy will behave. Different conditions can have different valid evaluation modes. For more information about which evaluation modes are valid, see Administer Servers by Using Policy-Based Management.
10. If the policy will be evaluated on a schedule, set the evaluation mode to On schedule, and then click Pick to select a schedule, or click New to create a new schedule.
11. To limit the policy to a subset of the target types, in the Server restriction box, select from the limiting conditions or create a new condition. For more information on the available options in the Create New Policy dialog box, see Create New Policy or Open Policy Dialog Box, General Page or Create New Policy or Open Policy Dialog Box, Description Page.
12. When finished, click OK.

# Create a New Policy-Based Management Condition

3/24/2017 • 1 min to read

This topic describes how to create a Policy-Based Management condition in SQL Server 2016 by using SQL Server Management Studio.

## Before You Begin

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To create a condition

1. In Object Explorer, click the plus sign to expand the server where you want to create a Policy-Based Management condition.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Click the plus sign to expand the Facets folder.
5. Right-click the facet in which you want to create a new condition and select New Condition.
6. In the Create New Condition dialog box, in the Name box, type the name of the new condition.
7. Confirm the correct facet in the Facet list, or select a different facet.
8. Under Expression, construct condition expressions by selecting a facet property in the Field box, together with its associated operator and value. When you add multiple expressions, the expressions can be joined by using And or Or. For more information on the available options in this dialog box, see Create New Condition or Open Condition Dialog Box, General Page, Create New Condition or Open Condition Dialog Box, Description Page, and Advanced Edit (Condition) Dialog Box.
9. When finished, click OK.

# View or Modify the Properties of a Policy-Based Management Policy

3/24/2017 • 1 min to read

This topic describes how to view or modify a Policy-Based Management policy's properties in SQL Server 2016 by using SQL Server Management Studio or Transact-SQL.

## Before You Begin

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To view the properties of all policies on an object

1. In Object Explorer, right-click a server, server object, database, or database object, point to Policies and select View. For more information on the available options in the View Policies – object_name dialog box, see View Policies Dialog Box.
2. When finished, click Close.

### To view or modify a specific policy's properties

1. In Object Explorer, click the plus sign to expand the server that contains the Policy-Based Management policy that you want to view or modify.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Click the plus sign to expand the Policies folder.
5. Right-click the policy that you want to view or modify and select Properties. For more information on the available options in the Open Policy – policy_name dialog box, see Create New Policy or Open Policy Dialog Box, General Page and Create New Policy or Open Policy Dialog Box, Description Page.
6. When finished, click OK.

## Using Transact-SQL

### To view a policy's properties

1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.

```sql
USE msdb;
GO
SELECT name, execution_mode, description, is_enabled, job_id
FROM syspolicy_policies;
GO
```
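The query above only reads policies that already exist. The following script is an added example, not part of the original topic: it is the Transact-SQL counterpart of the SSMS procedures in Create a New Policy-Based Management Condition, Create a Policy-Based Management Policy and Evaluate a Policy-Based Management Policy on a Schedule, built from the documented msdb procedures sp_syspolicy_add_condition, sp_syspolicy_add_object_set, sp_syspolicy_add_target_set, sp_syspolicy_add_target_set_level, sp_add_schedule and sp_syspolicy_add_policy, and it finishes with the read-back query. The object names, the 02:00 schedule, the facet name IDatabaseOptions and the expression XML (the serialization that SSMS stores in syspolicy_conditions.expression) are assumptions for this example; compare the facet and expression with a condition exported from your own instance before relying on them.

```sql
-- Added example (not from the original page): create a condition, an object
-- set, a nightly schedule and an On schedule policy, then read it back.
-- Assumptions: the facet name 'IDatabaseOptions' and the expression XML
-- match what SSMS writes to syspolicy_conditions; verify on your instance.
USE msdb;
GO

-- 1. Condition: on the Database Options facet, AutoClose must be False.
DECLARE @condition_id INT;
EXEC dbo.sp_syspolicy_add_condition
    @name              = N'AutoClose Is Off',
    @description       = N'AUTO_CLOSE must be OFF on every database.',
    @facet             = N'IDatabaseOptions',
    @expression        = N'<Operator>
  <TypeClass>Bool</TypeClass>
  <OpType>EQ</OpType>
  <Count>2</Count>
  <Attribute>
    <TypeClass>Bool</TypeClass>
    <Name>AutoClose</Name>
  </Attribute>
  <Function>
    <TypeClass>Bool</TypeClass>
    <FunctionType>False</FunctionType>
    <ReturnType>Bool</ReturnType>
    <Count>0</Count>
  </Function>
</Operator>',
    @is_name_condition = 0,
    @obj_name          = N'',
    @condition_id      = @condition_id OUTPUT;

-- 2. Object set: the targets the policy is evaluated against. System
--    databases are excluded by default (see the NOTE earlier on this page).
DECLARE @object_set_id INT, @target_set_id INT, @target_set_level_id INT;
EXEC dbo.sp_syspolicy_add_object_set
    @object_set_name = N'AutoClose Is Off_ObjectSet',
    @facet           = N'IDatabaseOptions',
    @object_set_id   = @object_set_id OUTPUT;
EXEC dbo.sp_syspolicy_add_target_set
    @object_set_name = N'AutoClose Is Off_ObjectSet',
    @type_skeleton   = N'Server/Database',
    @type            = N'DATABASE',
    @enabled         = 1,
    @target_set_id   = @target_set_id OUTPUT;
EXEC dbo.sp_syspolicy_add_target_set_level
    @target_set_id       = @target_set_id,
    @type_skeleton       = N'Server/Database',
    @level_name          = N'Database',
    @condition_name      = N'',   -- no filter condition: every database in the set
    @target_set_level_id = @target_set_level_id OUTPUT;

-- 3. SQL Server Agent schedule: 02:00 every day.
DECLARE @schedule_uid UNIQUEIDENTIFIER;
EXEC dbo.sp_add_schedule
    @schedule_name     = N'PBM nightly 02:00',
    @enabled           = 1,
    @freq_type         = 4,        -- daily
    @freq_interval     = 1,        -- every 1 day
    @active_start_time = 020000,   -- HHMMSS
    @schedule_uid      = @schedule_uid OUTPUT;

-- 4. Policy: On schedule (execution_mode 4) and enabled, so Policy-Based
--    Management creates the Agent job that evaluates it on that schedule.
DECLARE @policy_id INT;
EXEC dbo.sp_syspolicy_add_policy
    @name                = N'AutoClose Off - Nightly',
    @condition_name      = N'AutoClose Is Off',
    @execution_mode      = 4,   -- 0 on demand, 1 on change: prevent, 2 on change: log only, 4 on schedule
    @policy_id           = @policy_id OUTPUT,
    @root_condition_name = N'',
    @object_set          = N'AutoClose Is Off_ObjectSet',
    @description         = N'Nightly check that AUTO_CLOSE is OFF.',
    @schedule_uid        = @schedule_uid,
    @is_enabled          = 1;

-- 5. Read it back; job_id is populated once the schedule job exists.
SELECT p.name, p.execution_mode, p.is_enabled, p.schedule_uid, p.job_id,
       c.name AS condition_name, c.facet
FROM dbo.syspolicy_policies   AS p
JOIN dbo.syspolicy_conditions AS c ON c.condition_id = p.condition_id
WHERE p.policy_id = @policy_id;
GO
```

Because the policy is On schedule rather than On demand, it can be enabled at creation; an On demand policy created with @execution_mode = 0 must be left with @is_enabled = 0, matching the greyed-out Enabled check box in the SSMS dialog.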

For more information, see syspolicy_policies (Transact-SQL).

# View or Modify the Properties of a Policy-Based Management Condition

3/24/2017 • 1 min to read

This topic describes how to view or modify the properties of a Policy-Based Management condition in SQL Server 2016 by using SQL Server Management Studio or Transact-SQL.

## Before You Begin

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To view or modify a condition's properties

1. In Object Explorer, click the plus sign to expand the server that contains the condition that you want to view or modify.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Click the plus sign to expand the Conditions folder.
5. Right-click the condition that you want to view or edit and select Properties. For more information on the available options in the Open Condition – condition_name dialog box, see Create New Condition or Open Condition Dialog Box, General Page, Open Condition Dialog Box, Dependent Policies Page, Create New Condition or Open Condition Dialog Box, Description Page, and Advanced Edit (Condition) Dialog Box.
6. When finished, click OK.

## Using Transact-SQL

### To view a condition's properties

1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.

```sql
USE msdb;
GO
SELECT name, description, facet, expression, is_name_condition, obj_name
FROM syspolicy_conditions;
GO
```
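The two catalog queries on this page (policies in the previous topic, conditions here) each show one table. As an added example that is not part of the original topic, the following report joins both to the policy category and to the evaluation history views syspolicy_policy_execution_history and syspolicy_policy_execution_history_details, so that for every policy you see its facet, category, the most recent run, and each target that failed that run. No names are assumed; it runs against whatever msdb contains.

```sql
-- Added example (not from the original page): last evaluation of every
-- policy, with the targets that failed it and the stored actual/expected detail.
USE msdb;
GO
SELECT
    p.name                          AS policy_name,
    cat.name                        AS category_name,
    cat.mandate_database_subscriptions,
    c.name                          AS condition_name,
    c.facet,
    p.execution_mode,               -- 0 on demand, 1 on change: prevent, 2 on change: log only, 4 on schedule
    p.is_enabled,
    h.start_date                    AS last_run,
    h.result                        AS policy_result,    -- 1 = every target complied
    d.target_query_expression,      -- the target that failed, e.g. Server/Database[@Name='Sales']
    d.result_detail                 -- XML text with the evaluated expression and actual values
FROM dbo.syspolicy_policies AS p
JOIN dbo.syspolicy_conditions AS c
    ON c.condition_id = p.condition_id
LEFT JOIN dbo.syspolicy_policy_categories AS cat
    ON cat.policy_category_id = p.policy_category_id
OUTER APPLY (
    -- Most recent evaluation of this policy, if it has ever run.
    SELECT TOP (1) ph.history_id, ph.start_date, ph.result
    FROM dbo.syspolicy_policy_execution_history AS ph
    WHERE ph.policy_id = p.policy_id
    ORDER BY ph.start_date DESC
) AS h
LEFT JOIN dbo.syspolicy_policy_execution_history_details AS d
    ON d.history_id = h.history_id
   AND d.result = 0               -- keep only the targets that failed
ORDER BY p.name, d.target_query_expression;
GO
```

Policies that have never been evaluated appear with a NULL last_run; a policy with policy_result = 1 appears once with NULL target columns. Remember that unless LogOnSuccess is set (see Configure the General Properties of Policy-Based Management), successful runs are not written to the history at all, so an absent row proves nothing about compliance.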

For more information, see syspolicy_conditions (Transact-SQL).

# Delete a Policy-Based Management Policy

3/24/2017 • 1 min to read

This topic describes how to delete a Policy-Based Management policy in SQL Server 2016 by using SQL Server Management Studio.

## Before You Begin

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To delete a policy

1. In Object Explorer, click the plus sign to expand the server that contains the Policy-Based Management policy that you want to delete.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Click the plus sign to expand the Policies folder.
5. Right-click the policy that you want to delete and select Delete.
6. In the Delete Object dialog box, ensure that the correct policy is selected and then click OK.

# Delete a Policy-Based Management Condition

3/24/2017 • 1 min to read

This topic describes how to delete a Policy-Based Management condition in SQL Server 2016 by using SQL Server Management Studio.

## Before You Begin

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To delete a condition

1. In Object Explorer, click the plus sign to expand the server that contains the condition that you want to delete.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Click the plus sign to expand the Conditions folder.
5. Right-click the condition that you want to delete and select Delete.
6. In the Delete Object dialog box, ensure that the correct condition is selected and then click OK.

# Evaluate a Policy-Based Management Policy from an Object

3/24/2017 • 1 min to read

This topic describes how to evaluate a policy from a server instance, database, or database object in SQL Server 2016 by using SQL Server Management Studio.

## Before You Begin

### Limitations and Restrictions

The execution mode is defined as part of the policy and cannot be changed in the Evaluate Policies dialog box. The Evaluate Policies dialog box only shows policies appropriate for the database object.

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To evaluate a policy from an object

1. In Object Explorer, right-click a server instance, a database, or a database object, point to Policies, and select Evaluate.
2. In the Evaluate Policies dialog box, select one or more policies and click Evaluate to run the policy in evaluation mode. This generates a compliance report for the target set but does not reconfigure SQL Server or enforce future compliance. For targets that do not comply with the selected policies and have properties that can be reconfigured by Policy-Based Management, you can enforce policy compliance by clicking Apply. For more information on the available options in the Evaluate Policies dialog box, see Evaluate Policies Dialog Box, Policy Selection Page, Evaluate Policies Dialog Box, Evaluation Results Page, and Results Detailed View Dialog Box.
3. When finished, click Close.

# Evaluate a Policy-Based Management Policy from That Policy

3/24/2017 • 1 min to read

This topic describes how to evaluate a policy using that policy in SQL Server 2016 by using SQL Server Management Studio.

## Before You Begin

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To evaluate a policy

1. In Object Explorer, click the plus sign to expand the server that contains the policy that you want to evaluate.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Click the plus sign to expand the Policies folder.
5. Right-click the policy that you want to evaluate and select Evaluate.
6. In the Evaluate Results dialog box, you see the results of the policy evaluation. For targets that do not comply with the policy and have properties that can be reconfigured by Policy-Based Management, you can enforce compliance by clicking Apply. For more information on the available options in the Evaluate Policies dialog box, see Evaluate Policies Dialog Box, Policy Selection Page and Evaluate Policies Dialog Box, Evaluation Results Page.
7. When finished, click Close.

# Evaluate a Policy-Based Management Policy on a Schedule

3/24/2017 • 1 min to read

This topic describes how to evaluate a Policy-Based Management policy on a schedule in SQL Server 2016 by using SQL Server Management Studio.

## Before You Begin

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To evaluate a policy on a schedule

1. In Object Explorer, click the plus sign to expand the server that contains the policy that you want to evaluate on a schedule.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Click the plus sign to expand the Policies folder.
5. Right-click the policy whose schedule you want to set and select Properties.
6. In the Open Policy – policy_name dialog box, in the Evaluation Mode list, select On schedule.
7. Under Schedule, click either Pick to specify an existing schedule or New to create a new schedule.
8. When finished, click OK.

# Export a Policy-Based Management Policy

3/24/2017 • 1 min to read

This topic describes how to export a Policy-Based Management policy in SQL Server 2016 by using SQL Server Management Studio.

## Before You Begin

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To export a policy

1. In Object Explorer, click the plus sign to expand the server that contains the Policy-Based Management policy that you want to export.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Click the plus sign to expand the Policies folder.
5. Right-click the policy that you want to export and select Export Policy.
6. In the Export Policy dialog box, type the path and name of the file in the address bar. Alternatively, find a suitable location for the file in the dialog box's navigation pane, and then type the name of the XML file in the File Name box.
7. When finished, click Save.

# Import a Policy-Based Management Policy

3/24/2017 • 1 min to read

This topic describes how to import a Policy-Based Management policy instance in SQL Server 2016 by using SQL Server Management Studio.

## Before You Begin

### Limitations and Restrictions

SQL Server ships with policies that can be used to monitor an instance of SQL Server. By default, these policies are not installed on the SQL Server Database Engine, but they can be imported from the default location of C:\Program Files\Microsoft SQL Server\130\Tools\Policies\DatabaseEngine\1033.

### Security

Permissions: Requires membership in the PolicyAdministratorRole role in the msdb database.

## Using SQL Server Management Studio

### To import a policy instance

1. In Object Explorer, click the plus sign to expand the server where the newly imported policy instance will reside.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Right-click the Policies folder and select Import Policy.
5. In the Import dialog box, type the path and name of the file, or use the Browse (...) button to locate the XML file that contains the policy, and then select the file. For more information on the available options in the Import dialog box, see Import Policies Dialog Box.
6. When finished, click OK.

# Subscribe or Unsubscribe a Database to a Policy Category

3/24/2017 • 2 min to read

This topic describes how to subscribe or unsubscribe a database to a policy category in SQL Server 2016 by using SQL Server Management Studio or Transact-SQL.

## Before You Begin

### Security

Permissions: Requires membership in the db_owner fixed database role.

## Using SQL Server Management Studio

### To subscribe or unsubscribe a database to a policy category

1. In Object Explorer, click the plus sign to expand the server that contains the database wherein you want to manage category subscriptions.
2. Click the plus sign to expand the Databases folder.
3. Right-click the database wherein you want to manage category subscriptions, point to Policies, and select Categories.

   The following options are available in the Categories dialog box:

   - Expand column: Click to expand a policy category. This lists all the policies that are included in the category.
   - Name: The name of the policy category.
   - Subscribed: Indicates whether the target has subscribed to the policy category. If this check box is disabled, the policy category is set for Mandate Database Subscriptions. This means that the policy category applies to all databases on the server.
   - Policy: When policy groups are expanded, displays the policies in the policy category.
   - Enabled: Indicates whether the policies are enabled or disabled.
   - Execution Mode: Displays the execution mode of the policy.
   - History: Click the View History hyperlink to open the Log File Viewer to see the policy history.

4. To subscribe to a Policy-Based Management category, select the category's check box under the Subscribed column. To unsubscribe from a category, clear the check box.
5. When finished, click OK.

Using Transact-SQL

To subscribe a database to a policy category

1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.

USE AdventureWorks2012;
-- Adds a subscription to the 'Finance' policy category for the AdventureWorks2012 database.
EXEC sys.sp_syspolicy_subscribe_to_policy_category @policy_category = N'Finance';
GO

For more information, see sp_syspolicy_subscribe_to_policy_category (Transact-SQL).

To unsubscribe a database from a policy category

1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.

USE AdventureWorks2012;
-- Deletes the subscription to the 'Finance' policy category for the AdventureWorks2012 database.
EXEC sys.sp_syspolicy_unsubscribe_from_policy_category @policy_category = N'Finance';
GO

For more information, see sp_syspolicy_unsubscribe_from_policy_category (Transact-SQL).

Manage Policy Categories

This topic describes how to apply any or all available policies in a category to the whole instance of SQL Server 2016 by using SQL Server Management Studio or Transact-SQL.

In This Topic

Before you begin: Limitations and Restrictions, Security

To apply category policies to a SQL Server instance, using: SQL Server Management Studio, Transact-SQL

Before You Begin

Limitations and Restrictions

When using SQL Server 2016, if the Mandate Database Subscriptions check box is not selected, the policy category must be individually applied to each relevant portion of the server, such as one or more databases or tables.

If you specify a policy category that does not exist, a new policy category is created and the subscription is mandated for all databases when you execute the stored procedure. If you then clear the mandated subscription for the new category, the subscription will only apply for the database that you specified as the target_object. For more information about how to change a mandated subscription setting, see sp_syspolicy_update_policy_category (Transact-SQL).

Security

Permissions

This stored procedure runs in the context of the current owner of the stored procedure.

Using SQL Server Management Studio

To apply category policies to a SQL Server instance

1. In Object Explorer, click the plus sign to expand the server where you will apply category policies.
2. Click the plus sign to expand the Management folder.
3. Right-click Policy Management and select Manage Categories. The following information is available in the Manage Policy Categories dialog box:
   - Name: The name of the policy category.
   - Mandate Database Subscriptions: Forces all databases on the instance of SQL Server to enforce policies in the policy category.
4. Select or clear any or all check boxes under Mandate Database Subscriptions to apply that policy category to the SQL Server instance.
5. When finished, click OK.

Using Transact-SQL

To apply category policies to a SQL Server instance

1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.

USE msdb;
GO
-- Configures the specified database to subscribe to a policy category that is named 'Table Naming Policies'.
EXEC dbo.sp_syspolicy_add_policy_category_subscription
    @target_type = N'DATABASE',
    @target_object = N'AdventureWorks2012',
    @policy_category = N'Table Naming Policies';
GO
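The procedures in this topic and the previous one change subscriptions, but none of them shows which databases a category ends up covering once mandates and explicit subscriptions are combined. The following added example (not part of the original documentation) subscribes a database, clears the mandate that a newly created category receives (see Limitations and Restrictions above), and then reports coverage for every online database. It assumes the msdb views syspolicy_policy_categories (columns policy_category_id, name, mandate_database_subscriptions) and syspolicy_policy_category_subscriptions (columns policy_category_subscription_id, policy_category_id, target_type, target_object); the category and database names are the ones used on this page.

```sql
-- Added example, not from the original documentation.
-- Assumes the msdb views and columns named in the lead-in above.
USE msdb;
GO

-- 1. Subscribe an explicit target. If 'Table Naming Policies' does not exist yet,
--    the call creates it with Mandate Database Subscriptions ON, so the mandate
--    is cleared immediately to keep the category scoped to explicit subscribers.
EXEC dbo.sp_syspolicy_add_policy_category_subscription
    @target_type     = N'DATABASE',
    @target_object   = N'AdventureWorks2012',
    @policy_category = N'Table Naming Policies';

EXEC dbo.sp_syspolicy_update_policy_category
    @name                  = N'Table Naming Policies',
    @mandate_subscriptions = 0;
GO

-- 2. Coverage report: a database is covered when the category is mandated for
--    all databases, or when a DATABASE-type subscription names it explicitly.
DECLARE @category sysname = N'Table Naming Policies';

SELECT d.name AS database_name,
       CASE
           WHEN c.mandate_database_subscriptions = 1           THEN 'mandated'
           WHEN s.policy_category_subscription_id IS NOT NULL THEN 'subscribed'
           ELSE 'NOT COVERED'
       END AS coverage
FROM sys.databases AS d
CROSS JOIN dbo.syspolicy_policy_categories AS c
LEFT JOIN dbo.syspolicy_policy_category_subscriptions AS s
       ON s.policy_category_id = c.policy_category_id
      AND s.target_type = N'DATABASE'
      AND s.target_object = d.name
WHERE c.name = @category
  AND d.state_desc = 'ONLINE'
ORDER BY d.name;
```

Run the report before and after changing a mandate: a category that is mandated shows every database as covered, which is what the disabled Subscribed check box in the Categories dialog box reflects. Databases reported as NOT COVERED are the ones the category's policies will never be evaluated against.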

For more information, see sp_syspolicy_add_policy_category_subscription (Transact-SQL).

Working with Policy-Based Management Facets

A Policy-Based Management facet is a set of logical properties that are related to an area of management interest. SQL Server includes several predefined facets. For example, the Surface Area Configuration facet defines, as properties, the features that are off by default. When you manage many similar SQL Server environments, you can configure a facet in one instance of SQL Server, copy the state of the facet to a file, and then import that file into another instance of SQL Server as a policy. When the state has been converted to a policy, the policy can be applied to other instances of SQL Server, instance objects, databases, or database objects. This topic describes how to copy the state of a facet to an XML file.

Permissions

The procedures in this topic require membership in the PolicyAdministratorRole role in the msdb database.

Viewing and Copying Facet States

- View the Policy-Based Management Facets on a SQL Server Object
- Copy a Policy-Based Management Facet State to an XML File

See Also

Administer Servers by Using Policy-Based Management

View the Policy-Based Management Facets on a SQL Server Object

This topic describes how to view all of the Policy-Based Management facets applied to a specific SQL Server object in SQL Server 2016 by using SQL Server Management Studio.

In This Topic

Before you begin: Security

To view all of the facets in an object, using: SQL Server Management Studio

Before You Begin

Security

Permissions

Requires membership in the PolicyAdministratorRole role in the msdb database.

Using SQL Server Management Studio

To view all of the facets in an object

1. In Object Explorer, right-click an instance of SQL Server, instance object, database, or database object, and then click Facets.
2. In the View Facets – object_name dialog box, in the Facet list, select a facet to view its properties. For more information on the available options in this dialog box, see View Facets Dialog Box.
3. When finished, click OK.

View the Properties of a Policy-Based Management Facet

This topic describes how to view the properties of a Policy-Based Management facet in SQL Server 2016 by using SQL Server Management Studio.

In This Topic

Before you begin: Security

To view the properties of a facet, using: SQL Server Management Studio

Before You Begin

Security

Permissions

Requires membership in the PolicyAdministratorRole role in the msdb database.

Using SQL Server Management Studio

To view the properties of a facet

1. In Object Explorer, click the plus sign to expand the server that contains the facet whose properties you want to view.
2. Click the plus sign to expand the Management folder.
3. Click the plus sign to expand Policy Management.
4. Click the plus sign to expand the Facets folder.
5. Right-click the facet whose properties you want to view and select Properties. For more information on the available options in the Facet Properties – facet_name dialog box, see Facet Properties Dialog Box, General Page; Facet Properties Dialog Box, Dependent Policies Page; and Facet Properties Dialog Box, Dependent Conditions Page.
6. When finished, click Close.

Copy a Policy-Based Management Facet State to an XML File

This topic describes how to copy the state of a Policy-Based Management facet to an XML file in SQL Server 2016 by using SQL Server Management Studio.

In This Topic

Before you begin: Security

To copy a facet state to an XML file, using: SQL Server Management Studio

Before You Begin

Security

Permissions

The procedures in this topic require membership in the PolicyAdministratorRole role in the msdb database.

Using SQL Server Management Studio

To copy a facet state to an XML file

1. In Object Explorer, right-click an instance of SQL Server, instance object, database, or database object, and then click Facets.
2. In the View Facets – object_name dialog box, click Export Current State as Policy.
3. In the Export as Policy dialog box, type the path and name of the file, or use the Browse (...) button to locate the file, and then type the name of the XML file. For more information on the available options in this dialog box, see Export As Policy Dialog Box.
4. When finished, click OK.

Monitor and Enforce Best Practices by Using Policy-Based Management

Policy-Based Management allows you to monitor best practices for the SQL Server Database Engine. SQL Server provides a set of policy files you can import as best practice policies, and then evaluate the policies against a target set that includes instances, instance objects, databases, or database objects. Evaluate policies manually, set policies to evaluate a target set according to a schedule, or set policies to evaluate a target set according to an event. For more information about Policy-Based Management, see Administer Servers by Using Policy-Based Management.

Policy and Rules for Database Engine

The following table lists the policies included with the installation of SQL Server and information about the best practices rules each policy evaluates. The policies are stored as XML files and must be imported into SQL Server. For more information about how to import policies, see Import a Policy-Based Management Policy.

POLICY NAME | BEST PRACTICE RULE
--- | ---
Asymmetric Key Encryption Algorithm | Asymmetric Keys Encryption Strength
Backup and Data File Location | Backup Files Must Be on Separate Devices from the Database Files
Data and Log File Location | Place Data and Log Files on Separate Drives
Database Auto Close | Set the AUTO_CLOSE Database Option to OFF
Database Auto Shrink | Set the AUTO_SHRINK Database Option to OFF
Database Collation | Set the Collation of User-defined Databases to Match Those of the master and model Databases
Database Page Verification | Set the PAGE_VERIFY Database Option to CHECKSUM
Database Page Status | Check Integrity of Database with Suspect Pages
Guest Permissions | Guest Permissions on User Databases
Last Successful Backup Date | Outdated Backup
Public Not Granted Server Permissions | Server public Permissions
SQL Server 64-bit Affinity Mask Overlap | Correct Affinity Mask and Affinity Input and Output Mask Overlap
SQL Server Affinity Mask | Keep the Affinity Mask Default Value
SQL Server Blocked Process Threshold | Increase or Disable Blocked Process Threshold
SQL Server Default Trace | Default Trace Log Files Disabled
SQL Server Dynamic Locks | Keep the Locks Configuration Option Default Value
SQL Server Lightweight Pooling | Disable Lightweight Pooling
SQL Server Login Mode | Choose an Authentication Mode
SQL Server Max Degree of Parallelism | Set the Max Degree of Parallelism Option for Optimal Performance
SQL Server Max Worker Threads for 32-bit SQL Server 2000 | Verify Max Worker Threads Setting
SQL Server Max Worker Threads for 64-bit SQL Server 2000 | Verify Max Worker Threads Setting
SQL Server Max Worker Threads for SQL Server 2005 and above | Verify Max Worker Threads Setting
SQL Server Network Packet Size | Network Packet Size Should Not Exceed 8060 Bytes
SQL Server Password Expiration | SQL Server Login Password Expiration
SQL Server Password Policy | SQL Server Login Password Strength
Symmetric Key Encryption for User Databases | Symmetric Keys on User Databases
Symmetric Key for master Database | Symmetric Keys on System Databases
Symmetric Key for System Databases | Symmetric Keys on System Databases
Trustworthy Database | Trustworthy Bit
Windows Event Log Cluster Disk Resource Corruption Error | Detect SCSI Host Adapter Issues
Windows Event Log Device Driver Control Error | Device Driver Control Error
Windows Event Log Device Not Ready Error | Device Not Ready Error
Windows Event Log Failed I/O Request Error | Detect Failed Input and Output Requests
Windows Event Log I/O Delay Warning | Check Disk Input and Output Subsystem for IO Delay Problems
Windows Event Log I/O Error During Hard Page Fault Error | Input and Output Error During Hard Page Fault
Windows Event Log Read Retry Error | Check Disk Input-Output Subsystem for Read Retry Problems
Windows Event Log Storage System I/O Timeout Error | Storage System Input-Output Time-out
Windows Event Log System Failure Error | Unexpected System Failures

See Also

Working with Policy-Based Management Facets

Asymmetric Keys Encryption Strength

This rule checks whether asymmetric keys were created by using 1024-bit or stronger encryption.

Best Practices Recommendations

Use RSA 1024-bit or stronger encryption to create asymmetric keys for data encryption.

For More Information

Choose an Encryption Algorithm

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Check Disk Input and Output Subsystem for IO Delay Problems

This rule checks the event log for error message 833. This message indicates that SQL Server has issued a read or write request from disk, and that the request has taken longer than 15 seconds to return. This error is reported by SQL Server and indicates a problem with the disk I/O subsystem. Delays this long can severely damage the performance of your SQL Server environment.

Best Practices Recommendations

Troubleshoot this error by examining the system event log for hardware-related error messages. Also, examine hardware-specific logs if they are available. Use Performance Monitor to examine the following counters:

- Average Disk Sec/Transfer
- Average Disk Queue Length
- Current Disk Queue Length

For example, the Average Disk Sec/Transfer time on a computer that is running SQL Server is typically less than 15 milliseconds. If the Average Disk Sec/Transfer value increases, this indicates that the disk I/O subsystem is not optimally keeping up with the I/O demand.

For More Information

Microsoft Knowledge Base article 897284
SQL Server I/O Basics, Chapter 2

Check Disk Input-Output Subsystem for Read Retry Problems

This rule checks the event log for SQL Server error message 825. This message indicates that SQL Server was unable to read data from the disk on the first try. This message indicates a major problem with the disk I/O subsystem. This message does not currently indicate a SQL Server problem. However, the disk problem could cause data loss or database corruption if it is not resolved.

Best Practices Recommendations

The following actions might help you discover and resolve the underlying hardware problem:

- Review the error log and the variable text in this message for clues that explain the problem.
- Check the disk system. The problem could be related to the disks, the disk controllers, array cards, or disk drivers.
- Contact the disk manufacturer for the latest utilities for checking the status of the disk system.
- Contact the disk manufacturer for the latest driver updates.

For More Information

MSSQLSERVER_825
SQL Server I/O Basics, Chapter 2

Check Integrity of Database with Suspect Pages

This rule checks for user databases that have the database status set to suspect. When the SQL Server Database Engine reads a database page that contains an 824 error, the page is considered suspect, its page ID is recorded in the suspect_pages table in msdb, and the database that contains the page is set to suspect. Error 824 indicates that a logical consistency error was detected during a read operation. This error frequently indicates data corruption caused by a faulty I/O subsystem component. This is a severe error condition that threatens database integrity and must be corrected immediately.

Best Practices Recommendations

- Review the SQL Server error log for the details of the 824 error for this database.
- Complete a full database consistency check (DBCC CHECKDB).
- Implement the user actions that are defined in MSSQLSERVER_824.

For More Information

Manage the suspect_pages Table (SQL Server)

Correct Affinity Mask and Affinity Input and Output Mask Overlap

This rule checks whether the instance of SQL Server has one or more processors that are assigned to be used with both the affinity mask and the affinity I/O mask options. On a computer that has more than one processor, the affinity mask and the affinity I/O mask options are used to designate which CPUs are used by SQL Server. Enabling a CPU with both the affinity mask and the affinity I/O mask can slow performance by forcing the processor to be overused.

Best Practices Recommendations

When you specify either the affinity mask or the affinity I/O mask options, you should specify both, but only enable each CPU no more than once. Do not enable the same CPU in both the affinity mask option and the affinity I/O mask option. The bits that correspond to each CPU should be in one of the following states:

- 0 in both the affinity mask option and the affinity I/O mask option
- 0 in the affinity mask option and 1 in the affinity I/O mask option
- 1 in the affinity mask option and 0 in the affinity I/O mask option

For More Information

affinity mask Server Configuration Option
affinity Input-Output mask Server Configuration Option
affinity64 mask Server Configuration Option
affinity64 Input-Output mask Server Configuration Option

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Default Trace Log Files Disabled

This rule checks the value of the sp_configure stored procedure default trace enabled option to determine whether default trace is set ON (1) or OFF (0). When this option is enabled, default tracing provides information about configuration and DDL changes to the SQL Server Database Engine. In some cases, this information can be helpful for customers and Microsoft Customer Service and Support when troubleshooting issues with the Database Engine.

Best Practices Recommendations

Use the sp_configure stored procedure to enable tracing by setting the value of default trace enabled to 1.

For More Information

Server Configuration Options (SQL Server)

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Detect Failed Input and Output Requests

This rule checks the system event log for EventId 50. This error is caused by a failed I/O request.

Best Practices Recommendations

Review the following Microsoft Knowledge Base articles for more information about how to troubleshoot this error:

- Microsoft Knowledge Base article 311081
- Microsoft Knowledge Base article 885688

Detect SCSI Host Adapter Issues

This rule checks the system event log for EventId 1066. This error is caused by SCSI host adapter configuration issues or device malfunctioning.

Best Practices Recommendations

Review the following Microsoft Knowledge Base article for more information about how to troubleshoot this error:

- Microsoft Knowledge Base article 311081

Device Driver Control Error

This rule checks the system event log for EventId 11. This could be caused by a corrupt device driver, a hardware problem, faulty cabling, or connectivity issues.

Best Practices Recommendations

Review the following Microsoft Knowledge Base articles for more information about how to troubleshoot this error:

- Microsoft Knowledge Base article 259237
- Microsoft Knowledge Base article 154690

Device Not Ready Error

This rule checks the system event log for EventId 15. This error can be caused by SCSI host adapter configuration issues or related problems.

Best Practices Recommendations

Review the following Microsoft Knowledge Base articles for more information about how to troubleshoot this error:

- Microsoft Knowledge Base article 259237
- Microsoft Knowledge Base article 154690

Disable Lightweight Pooling

This rule checks that lightweight pooling is disabled on the server. Setting lightweight pooling to 1 causes SQL Server to switch to fiber mode. Fiber mode is intended for certain situations in which the context switching of the UMS workers is the important bottleneck in performance. Because this is rare, fiber mode seldom improves performance or scalability on the typical system.

Best Practices Recommendations

The lightweight pooling option should only be enabled after thorough testing, after all other performance tuning opportunities are evaluated, and when context switching is a known issue in your environment. We recommend that you do not use fiber mode scheduling for routine operation because it can decrease performance by preventing the regular benefits of context switching, and because some components of SQL Server that use thread local storage (TLS) or thread-owned objects, such as mutexes (a kind of Win32 kernel object), cannot function correctly in fiber mode.

To remove lightweight pooling, execute the following statement, and then restart the SQL Server Database Engine.

sp_configure 'show advanced options', 1;
GO
sp_configure 'lightweight pooling', 0;
GO
RECONFIGURE;
GO

For More Information

lightweight pooling Server Configuration Option

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Guest Permissions on User Databases

This rule determines whether the guest user has permission to access the database. This rule applies to user databases only.

Best Practices Recommendations

Revoke the guest user permission to access the database if it is not required. The guest user cannot be dropped, but the guest user can be disabled by revoking its CONNECT permission by executing REVOKE CONNECT FROM GUEST within any database other than master, tempdb, or msdb.

For More Information

Securing SQL Server

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Input and Output Error During Hard Page Fault

This rule checks the system event log for EventId 51. This error is caused by an error during a hard page fault.

Best Practices Recommendations

Review the following Microsoft Knowledge Base article for more information about how to troubleshoot this error:

- Microsoft Knowledge Base article 305547

Increase or Disable Blocked Process Threshold

This rule checks that the blocked process threshold option is set to 0 (disabled) or set to a value higher than or equal to 5 (seconds). Setting the blocked process threshold option to a value from 1 to 4 can cause the deadlock monitor to run constantly. Values 1 to 4 should only be used for troubleshooting, and never long term or in a production environment without the assistance of Microsoft Customer Service and Support.

Best Practices Recommendations

To resolve this problem, set the blocked process threshold option to a value of 5 (seconds) or higher, or disable blocked process threshold by setting the value to 0. To set the blocked process threshold to a value of 5 seconds, execute the following statement:

sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'blocked process threshold', 5;
GO
RECONFIGURE;
GO

For More Information

blocked process threshold Server Configuration Option

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Keep the Affinity Mask Default Value

This rule checks whether the SQL Server setting for the affinity mask is set to 0, which is the default value. The affinity mask option dynamically controls CPU affinity.

For More Information

affinity mask Server Configuration Option

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Keep the Locks Configuration Option Default Value

This rule checks the value of the locks configuration option. This option determines the maximum number of available locks. This limits how much memory the SQL Server Database Engine uses for locks. The default setting of 0 enables the Database Engine to allocate and deallocate lock structures dynamically based on changing system requirements. If locks is nonzero, batch jobs will stop, and an "out of locks" error message will be generated, if the value specified is exceeded.

Best Practices Recommendations

Use the sp_configure system stored procedure to change the value of locks to its default setting by using the following statement:

EXEC sp_configure 'locks', 0;
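The locks statement above, like the default trace, lightweight pooling, blocked process threshold and affinity mask rules before it, concerns a single sp_configure option. The following added example (not part of the original documentation) evaluates all of those rules in one pass over sys.configurations, and also covers the network packet size, max degree of parallelism and affinity mask overlap rules that the table above lists. The expected values are taken from the rules on this page; the option names are the ones sys.configurations reports (for example 'blocked process threshold (s)' and 'network packet size (B)'), which is an assumption to confirm against sp_configure output on your build.

```sql
-- Added example, not from the original documentation.
-- Evaluates the sp_configure-based best practice rules on this page in one query.
-- Expected values are constructed from the rules above; adjust to local policy.
DECLARE @expected TABLE (
    option_name sysname PRIMARY KEY,
    rule_text   nvarchar(200),
    min_ok      int,   -- NULL = no lower bound
    max_ok      int,   -- NULL = no upper bound
    also_ok     int    -- one extra value that is always acceptable, or NULL
);

INSERT INTO @expected VALUES
    (N'default trace enabled',        N'Default trace must be ON (1)',                1,    1,    NULL),
    (N'lightweight pooling',          N'Lightweight pooling (fiber mode) must be 0',  0,    0,    NULL),
    (N'blocked process threshold (s)', N'Must be 0 (disabled) or at least 5 seconds', 5,    NULL, 0),
    (N'affinity mask',                N'Keep the default value 0',                    0,    0,    NULL),
    (N'locks',                        N'Keep the default value 0 (dynamic)',          0,    0,    NULL),
    (N'network packet size (B)',      N'Must not exceed 8060 bytes',                  NULL, 8060, NULL),
    (N'max degree of parallelism',    N'Should be 8 or less',                         NULL, 8,    NULL);

-- value_in_use is a sql_variant; every option checked here stores an int.
SELECT c.name,
       CAST(c.value_in_use AS int) AS value_in_use,
       e.rule_text,
       CASE WHEN CAST(c.value_in_use AS int) = e.also_ok
              OR (   (e.min_ok IS NULL OR CAST(c.value_in_use AS int) >= e.min_ok)
                 AND (e.max_ok IS NULL OR CAST(c.value_in_use AS int) <= e.max_ok))
            THEN 'PASS' ELSE 'FAIL' END AS result
FROM sys.configurations AS c
JOIN @expected AS e ON e.option_name = c.name
ORDER BY c.name;

-- Affinity overlap rule: no CPU bit may be set in both the CPU mask and the
-- I/O mask, so the bitwise AND of each pair must be zero. The 64-bit pair only
-- exists on builds that expose the affinity64 options.
SELECT cpu.name AS cpu_mask,
       io.name  AS io_mask,
       CAST(cpu.value_in_use AS int) & CAST(io.value_in_use AS int) AS overlapping_bits,
       CASE WHEN CAST(cpu.value_in_use AS int) & CAST(io.value_in_use AS int) = 0
            THEN 'PASS' ELSE 'FAIL' END AS result
FROM sys.configurations AS cpu
JOIN sys.configurations AS io
  ON (cpu.name = N'affinity mask'   AND io.name = N'affinity I/O mask')
  OR (cpu.name = N'affinity64 mask' AND io.name = N'affinity64 I/O mask');
```

Checking value_in_use rather than value matters: value changes as soon as sp_configure runs, but value_in_use only changes after RECONFIGURE (or, for lightweight pooling and the affinity masks, after the restart the rules above call for), so it reflects what the instance is actually doing.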

For More Information

Configure the locks Server Configuration Option
sys.dm_tran_locks (Transact-SQL)
sys.dm_os_wait_stats (Transact-SQL)
Microsoft Knowledge Base article 271509

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Network Packet Size Should Not Exceed 8060 Bytes

If the value specified for sp_configure 'network packet size', or the network packet size of any logged-in user, is more than 8060 bytes, SQL Server performs different memory allocation operations. This can cause an increase in the process virtual address space that is not reserved for the buffer pool.

Best Practices Recommendations

The network packet size should not exceed 8060 bytes.

For More Information

Microsoft Knowledge Base article 903002

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Outdated Backup

This rule checks that a database has recent backups. Scheduling regular backups is important for protecting your databases against data loss from many different failures. The appropriate frequency for backing up data depends on the recovery model of the database, on business requirements about potential data loss, and on how frequently the database is updated. In a frequently updated database, the work-loss exposure increases fairly quickly between backups.

Best Practices Recommendations

We recommend that you perform backups frequently enough to protect databases against data loss. The simple recovery model and full recovery model both require data backups. For either recovery model, you can supplement your full backups with differential backups to efficiently reduce the risk of data loss. For a database that uses the full recovery model, we recommend that you take frequent log backups. For a production database that contains very important data, log backups would typically be taken every one to fifteen minutes.

NOTE The recommended method for scheduling backups is a database maintenance plan.
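The rule above states the backup-age requirement per recovery model but gives no query for it. The following added example (not part of the original documentation) reports backup age per user database from msdb.dbo.backupset and, because they come from the same catalog views, also covers the AUTO_CLOSE, AUTO_SHRINK, PAGE_VERIFY, Trustworthy Bit, data and log file placement and suspect page rules that the table above lists. The age thresholds are constructed (24 hours for a full backup, 15 minutes for a log backup, the upper end of the range the rule mentions); the suspect_pages event_type values 1, 2 and 3 are taken to mean unresolved errors, and the "logical drive" of a file is approximated by the first two characters of its path, which cannot see mount points.

```sql
-- Added example, not from the original documentation.
-- Per-database checks for several best practice rules on this page.
DECLARE @max_full_age_hours  int = 24;   -- constructed threshold for the newest full backup
DECLARE @max_log_age_minutes int = 15;   -- constructed threshold, full recovery model only

WITH last_backup AS (
    SELECT database_name,
           MAX(CASE WHEN type = 'D' THEN backup_finish_date END) AS last_full,
           MAX(CASE WHEN type = 'L' THEN backup_finish_date END) AS last_log
    FROM msdb.dbo.backupset
    GROUP BY database_name
),
file_drives AS (
    -- Drive = first two characters of the path ('D:'); mount points are not detected.
    SELECT database_id,
           COUNT(DISTINCT CASE WHEN type_desc = 'ROWS' THEN LEFT(physical_name, 2) END) AS data_drives,
           COUNT(DISTINCT CASE WHEN type_desc = 'LOG'  THEN LEFT(physical_name, 2) END) AS log_drives,
           COUNT(DISTINCT LEFT(physical_name, 2))                                        AS all_drives
    FROM sys.master_files
    GROUP BY database_id
)
SELECT d.name,
       d.recovery_model_desc,
       b.last_full,
       CASE WHEN b.last_full IS NULL
              OR b.last_full < DATEADD(hour, -@max_full_age_hours, GETDATE())
            THEN 'FAIL' ELSE 'PASS' END AS full_backup_recent,
       CASE WHEN d.recovery_model_desc <> 'FULL' THEN 'n/a'
            WHEN b.last_log IS NULL
              OR b.last_log < DATEADD(minute, -@max_log_age_minutes, GETDATE())
            THEN 'FAIL' ELSE 'PASS' END AS log_backup_recent,
       CASE WHEN d.is_auto_close_on  = 1 THEN 'FAIL' ELSE 'PASS' END AS auto_close_off,
       CASE WHEN d.is_auto_shrink_on = 1 THEN 'FAIL' ELSE 'PASS' END AS auto_shrink_off,
       CASE WHEN d.page_verify_option_desc = 'CHECKSUM' THEN 'PASS' ELSE 'FAIL' END AS page_verify_checksum,
       CASE WHEN d.is_trustworthy_on = 1 THEN 'FAIL' ELSE 'PASS' END AS trustworthy_off,
       -- Data and log files share a drive when the drives used by all files are
       -- fewer than the data-file drives plus the log-file drives.
       CASE WHEN f.all_drives < f.data_drives + f.log_drives THEN 'FAIL' ELSE 'PASS' END AS data_log_separate,
       (SELECT COUNT(*) FROM msdb.dbo.suspect_pages AS sp
         WHERE sp.database_id = d.database_id AND sp.event_type IN (1, 2, 3)) AS unresolved_suspect_pages
FROM sys.databases AS d
LEFT JOIN last_backup AS b ON b.database_name = d.name
LEFT JOIN file_drives AS f ON f.database_id = d.database_id
WHERE d.database_id > 4          -- user databases only (skips master, tempdb, model, msdb)
  AND d.state_desc = 'ONLINE'
ORDER BY d.name;
```

msdb.dbo.backupset only knows about backups taken on this instance, so a database restored from elsewhere shows no history until its first local backup; treat a NULL last_full as a failure, as the query does, rather than as "unknown".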

For More Information

Back Up and Restore of System Databases (SQL Server)
Recovery Models (SQL Server)
Create a Differential Database Backup (SQL Server)
Create a Full Database Backup (SQL Server)
Maintenance Plans
Transaction Log Backups (SQL Server)

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Place Data and Log Files on Separate Drives

This rule checks whether data and log files are placed on separate logical drives. Placing both data and log files on the same device can cause contention for that device, resulting in poor performance. Placing the files on separate drives allows the I/O activity to occur at the same time for both the data and log files.

NOTE This policy cannot detect separate physical devices through mount points.

Recommendations

When you create a new database, specify separate drives for the data and logs. To move files after the database is created, the database must be taken offline. Move files by using one of the following methods:

- Restore the database from backup by using the RESTORE DATABASE statement with the WITH MOVE option.
- Detach and then attach the database, specifying separate locations for the data and log devices.
- Specify a new location by running the ALTER DATABASE statement with the MODIFY FILE option, and then restarting the instance of SQL Server.

For More Information

Move Database Files
Move User Databases
Database Detach and Attach (SQL Server)

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Server public Permissions

This rule determines whether the public server role has server permissions. Every login that is created on the server is a member of the public server role. If this condition is met, every login on the server will have server permissions.

Best Practices Recommendations

Do not grant server permissions to the server public role.

IMPORTANT After setup completes, the PUBLIC role has CONNECT permission on all the endpoints except the Dedicated Admin Connection. This is normal and should not normally be changed. (Access is controlled by using the CONNECT SQL permission, which is automatically granted when new logins are created.)
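The rule above and the note describe what public should and should not hold, but not how to list it. The following added example (not part of the original documentation) reports the server permissions of public other than the endpoint CONNECT grants the note calls normal, and, since they draw on the same principal catalog, also covers the Guest Permissions rule earlier on this page and the SQL Server Login Password Expiration and Strength and symmetric/asymmetric key rules that the table above lists. It assumes sysadmin-level rights (or VIEW ANY DEFINITION plus CONNECT to every database), and the temp table layout and finding texts are constructed; the key thresholds follow the recommendations on this page (RSA 1024-bit or stronger, AES 128-bit or larger, no RC2/RC4).

```sql
-- Added example, not from the original documentation.
-- Principal and key audit for several best practice rules on this page.

-- 1. Server permissions held by public, excluding the default endpoint CONNECT
--    that the IMPORTANT note above describes as normal.
SELECT p.class_desc, p.permission_name, p.state_desc,
       CASE p.class_desc WHEN 'ENDPOINT' THEN ep.name ELSE p.class_desc END AS securable
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS sp ON sp.principal_id = p.grantee_principal_id
LEFT JOIN sys.endpoints     AS ep ON p.class_desc = 'ENDPOINT' AND ep.endpoint_id = p.major_id
WHERE sp.name = N'public'
  AND NOT (p.class_desc = 'ENDPOINT' AND p.permission_name = 'CONNECT');

-- 2. SQL logins that do not enforce the Windows password policy or expiration,
--    with the ALTER LOGIN statement that would fix each (review before running).
SELECT name, is_policy_checked, is_expiration_checked, is_disabled,
       N'ALTER LOGIN ' + QUOTENAME(name) + N' WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;' AS remediation
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 3. Per-database findings: guest CONNECT in user databases, asymmetric keys
--    below 1024 bits, symmetric keys on RC2/RC4 or below 128 bits in user
--    databases, and any user-created symmetric key in a system database.
CREATE TABLE #findings (database_name sysname, finding nvarchar(400));

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #findings
        SELECT DB_NAME(), N''guest has CONNECT''
        FROM sys.database_permissions AS dp
        JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
        WHERE pr.name = N''guest'' AND dp.permission_name = N''CONNECT''
          AND dp.state_desc = N''GRANT'' AND DB_ID() > 4;
        INSERT INTO #findings
        SELECT DB_NAME(), N''asymmetric key '' + name + N'' is only ''
                          + CAST(key_length AS nvarchar(10)) + N'' bits''
        FROM sys.asymmetric_keys
        WHERE key_length < 1024;
        INSERT INTO #findings
        SELECT DB_NAME(), N''symmetric key '' + name + N'' uses '' + algorithm_desc
                          + N'' ('' + CAST(key_length AS nvarchar(10)) + N'' bits)''
        FROM sys.symmetric_keys
        WHERE name NOT LIKE N''##%''
          AND (DB_ID() <= 4 OR key_algorithm IN (N''R2'', N''R4'') OR key_length < 128);';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

SELECT * FROM #findings ORDER BY database_name, finding;
DROP TABLE #findings;
```

The `##%` filter skips the database master key and service master key, which are also listed in sys.symmetric_keys but are not user-created keys; the `DB_ID() <= 4` branch implements the system-database rule, under which any remaining symmetric key in master, tempdb, model or msdb is a finding regardless of algorithm. The remediation for guest is the REVOKE CONNECT FROM GUEST statement given in the Guest Permissions rule.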

For More Information

Securing SQL Server

Set the AUTO_CLOSE Database Option to OFF

This rule checks whether the AUTO_CLOSE option is set OFF. When AUTO_CLOSE is set ON, this option can cause performance degradation on frequently accessed databases because of the increased overhead of opening and closing the database after each connection. AUTO_CLOSE also flushes the procedure cache after each connection.

Best Practices Recommendations

If a database is accessed frequently, set the AUTO_CLOSE option to OFF for the database.

For More Information

ALTER DATABASE SET Options (Transact-SQL)

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Set the AUTO_SHRINK Database Option to OFF

This rule checks whether the AUTO_SHRINK database option is set to OFF. Frequently shrinking and expanding a database can lead to physical fragmentation.

Best Practices Recommendations

Set the AUTO_SHRINK database option to OFF. If you know that the space that you are reclaiming will not be needed in the future, you can reclaim the space by manually shrinking the database.

For More Information

Microsoft Knowledge Base article 315512

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Set the Max Degree of Parallelism Option for Optimal Performance

This rule determines whether the max degree of parallelism (MAXDOP) option is set to a value greater than 8. Setting this option to a larger value often causes unwanted resource consumption and performance degradation.

Best Practices Recommendations

Set the max degree of parallelism option to 8 or less by using sp_configure.

For More Information

Microsoft Knowledge Base article 329204
Configure the max degree of parallelism Server Configuration Option
sp_configure (Transact-SQL)

Set the PAGE_VERIFY Database Option to CHECKSUM

This rule checks whether the PAGE_VERIFY database option is set to CHECKSUM. When CHECKSUM is enabled for the PAGE_VERIFY database option, the SQL Server Database Engine calculates a checksum over the contents of the whole page, and stores the value in the page header when a page is written to disk. When the page is read from disk, the checksum is recomputed and compared to the checksum value that is stored in the page header. This helps provide a high level of data-file integrity.

Best Practices Recommendations

Set the PAGE_VERIFY database option to CHECKSUM.

For More Information

ALTER DATABASE SET Options (Transact-SQL)

SQL Server Login Password Expiration

This rule checks whether "Password expiration" of each SQL Server login is enabled. If SQL Server Authentication is enabled and if the operating system version is earlier than Windows Server 2003, an attacker could repeatedly exploit a known SQL Server login password.

Best Practices Recommendations

We recommend that you upgrade the operating system to Windows Server 2003. If SQL Server Authentication is not required in your environment, use Windows Authentication. For more information, see Choose an Authentication Mode. Enable "Password expiration" for all the SQL Server logins. Use ALTER LOGIN to configure the password policy for the SQL Server login.

For More Information

Password Policy

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

SQL Server Login Password Strength

This rule checks whether "Enforce password policy" is enabled for each SQL Server login. If SQL Server Authentication is enabled and the operating system version is earlier than Windows Server 2003, an attacker could repeatedly exploit a known SQL Server login password.

Best Practices Recommendations

We recommend that you upgrade the operating system to Windows Server 2003. If SQL Server Authentication is not required in your environment, use Windows Authentication.

Enable "Enforce password policy" for all the SQL Server logins. Use ALTER LOGIN to configure the password policy for the SQL Server login.

For More Information

Password Policy

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Storage System Input-Output Time-out
3/24/2017

This rule checks the system event log for EventId 9. This message indicates that an I/O time-out has occurred in the storage system.

Best Practices Recommendations

Review the following Microsoft Knowledge Base articles for more information about how to troubleshoot this error:

Microsoft Knowledge Base article 259237
Microsoft Knowledge Base article 154690

For More Information

SQL Server I/O Basics, Chapter 2

Symmetric Keys on System Databases
3/24/2017

This rule checks for user-created symmetric keys in the master, msdb, model, and tempdb databases.

Best Practices Recommendations

Do not create symmetric keys in the system databases.

For More Information

Choose an Encryption Algorithm

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Symmetric Keys on User Databases
3/24/2017

This rule checks whether keys that have a length of less than 128 bytes do not use the RC2 or RC4 encryption algorithm.

Best Practices Recommendations

Use AES 128 bit or larger to create symmetric keys for data encryption. If AES is not supported by your operating system, use 3DES.

For More Information

Choose an Encryption Algorithm

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Trustworthy Bit
3/24/2017

This rule determines whether the dbo role for a database is assigned to the sysadmin fixed server role and the database has its trustworthy bit set to ON. If these conditions are met, a privileged database user can elevate privileges to the sysadmin role. In this role, the user can create and run unsafe assemblies that compromise the system.

Best Practices Recommendations

Turn off the trustworthy bit or revoke sysadmin permissions from the dbo database role.

For More Information

ALTER DATABASE (Transact-SQL)

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Unexpected System Failures
3/24/2017
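For the database- and login-level rules above (PAGE_VERIFY, login password expiration and strength, symmetric keys on system and user databases, and the Trustworthy Bit), the following T-SQL is an added example, not code from the page or from the Policy-Based Management rules themselves. It audits the same catalog views the rules read, returns only non-compliant rows, and carries the matching ALTER DATABASE / ALTER LOGIN remediation as comments. The database and login names in those comments are placeholders.

```sql
-- Added example, not from the page: audit queries for the database- and
-- login-level best-practice rules above. Run from master as a member of
-- sysadmin; each query returns only the rows that violate its rule.

-- PAGE_VERIFY should be CHECKSUM on every database.
SELECT name AS database_name, page_verify_option_desc
FROM sys.databases
WHERE page_verify_option_desc <> 'CHECKSUM';
-- Remediation (placeholder name): ALTER DATABASE [YourDb] SET PAGE_VERIFY CHECKSUM;

-- SQL Server logins should enforce the Windows password policy and expiration.
SELECT name AS login_name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);
-- Remediation (placeholder name):
--   ALTER LOGIN [YourLogin] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- No user-created symmetric keys in the system databases. Each database is
-- addressed by a three-part name. Keys whose names start with ## are created
-- by the Database Engine itself (service and database master keys), so they
-- are excluded and only user-created keys are reported.
SELECT 'master' AS database_name, name, algorithm_desc, key_length
FROM master.sys.symmetric_keys WHERE name NOT LIKE '##%'
UNION ALL
SELECT 'msdb', name, algorithm_desc, key_length
FROM msdb.sys.symmetric_keys WHERE name NOT LIKE '##%'
UNION ALL
SELECT 'model', name, algorithm_desc, key_length
FROM model.sys.symmetric_keys WHERE name NOT LIKE '##%'
UNION ALL
SELECT 'tempdb', name, algorithm_desc, key_length
FROM tempdb.sys.symmetric_keys WHERE name NOT LIKE '##%';

-- Symmetric keys on user databases: flag short RC2/RC4 keys, as the rule
-- states (key_length is reported in bits). Run this inside each user database
-- (USE [YourDb]); the recommendation is AES 128 bit or larger, or 3DES where
-- AES is unavailable.
SELECT name, algorithm_desc, key_length
FROM sys.symmetric_keys
WHERE name NOT LIKE '##%'
  AND algorithm_desc LIKE 'RC%'       -- RC2 and RC4 variants
  AND key_length < 128;

-- Trustworthy Bit: TRUSTWORTHY ON together with a database owner who is a
-- member of sysadmin lets a privileged database user reach sysadmin.
SELECT d.name AS database_name, p.name AS owner_login
FROM sys.databases AS d
JOIN sys.server_principals AS p ON p.sid = d.owner_sid
WHERE d.is_trustworthy_on = 1
  AND IS_SRVROLEMEMBER('sysadmin', p.name) = 1;
-- Remediation (placeholder name): ALTER DATABASE [YourDb] SET TRUSTWORTHY OFF;
-- or change the database owner to a login that is not a sysadmin member.
```

The queries are read-only; the remediation lines are left as comments so that a reviewer decides per database and per login whether to apply them, since changing TRUSTWORTHY or the password options of a service login can break an application that depends on the current setting.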

This rule checks for SYSTEM Event 6008 in the computer event log. This event indicates an unexpected system shutdown. The system might be unstable and might not provide the stability and integrity that is required to host an instance of SQL Server.

Best Practices Recommendations

Immediately address the cause of the unexpected server restarts, or move the instance of SQL Server to another computer.

Use Database Mail Instead of SQL Mail
3/24/2017

This rule checks the sys.configurations catalog view to determine whether the SQL Mail XPs server-wide configuration option is set to ON.

Best Practices Recommendations

SQL Mail will be removed in a future version of SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use this feature. To send mail, use Database Mail.

SQL Mail runs in-process with the SQL Server service. If SQL Mail goes down, so does the server. Database Mail runs outside SQL Server in a separate process, is scalable, and does not require Extended MAPI client components to be installed on the production server.

For More Information

Database Mail

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Verify Max Worker Threads Setting
3/24/2017

This rule checks the max worker threads server option for potentially incorrect settings. Setting the max worker threads option to a small value may prevent enough threads from servicing incoming client requests in a timely manner and could lead to "thread starvation". However, setting the option to a large value can waste address space, because each active thread consumes up to 4 MB on 64-bit servers.

Best Practices Recommendations

Set the max worker threads option to 0. This enables SQL Server to automatically determine the correct number of active worker threads based on user requests.

For More Information

Configure the max worker threads Server Configuration Option

See Also

Monitor and Enforce Best Practices by Using Policy-Based Management

Policy Management Node (Object Explorer)
3/24/2017
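The three server-option rules above (max degree of parallelism, SQL Mail XPs, and max worker threads) all read sys.configurations, so one query can report them together. The following T-SQL is an added example, not code from the page or from the rules themselves; the finding texts are constructed, and the sp_configure remediation block is the one the rules point to.

```sql
-- Added example, not from the page: one pass over sys.configurations for the
-- server-option rules above. value is the configured setting and value_in_use
-- the running one; a difference means a change is still waiting for
-- RECONFIGURE or, for max worker threads, for a service restart.
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS running_value,
       CASE
         WHEN name = 'max degree of parallelism' AND CAST(value_in_use AS int) > 8
           THEN 'MAXDOP above 8: set to 8 or less'
         WHEN name = 'max worker threads' AND CAST(value_in_use AS int) <> 0
           THEN 'max worker threads fixed: set to 0 so SQL Server sizes the pool'
         WHEN name = 'SQL Mail XPs' AND CAST(value_in_use AS int) = 1
           THEN 'SQL Mail enabled: move to Database Mail and disable'
         ELSE 'compliant'
       END AS finding
FROM sys.configurations
WHERE name IN ('max degree of parallelism', 'max worker threads', 'SQL Mail XPs');
-- MAXDOP 0 (the default) means this option imposes no cap; the rule as stated
-- flags only values greater than 8. The 'SQL Mail XPs' row exists only on
-- versions that still ship SQL Mail.

-- Remediation with sp_configure. All three are advanced options, so they have
-- to be exposed first. Apply only after review: 8 is the upper bound the rule
-- allows, not necessarily the right value for a given workload.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'max degree of parallelism', 8;
EXEC sp_configure 'max worker threads', 0;   -- 0 = determined automatically; needs a restart
EXEC sp_configure 'SQL Mail XPs', 0;         -- errors on versions without SQL Mail
RECONFIGURE;
```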

This section contains the following F1 Help topics for the Policy Management node of Object Explorer in SQL Server Management Studio.

Create New Condition or Open Condition Dialog Box, General Page
Open Condition Dialog Box, Dependent Policies Page
Advanced Edit (Condition) Dialog Box
Create New Policy or Open Policy Dialog Box, General Page
Create New Policy or Open Policy Dialog Box, Description Page
Create New Condition or Open Condition Dialog Box, Description Page
View Policies Dialog Box
Evaluate Policies Dialog Box, Policy Selection Page
Evaluate Policies Dialog Box, Evaluation Results Page
Facet Properties Dialog Box, General Page
Facet Properties Dialog Box, Dependent Policies Page
Facet Properties Dialog Box, Dependent Conditions Page
Results Detailed View Dialog Box
View Facets Dialog Box
Select Source Dialog Box
Export As Policy Dialog Box
Import Policies Dialog Box

See Also

Administer Servers by Using Policy-Based Management

Create New Condition or Open Condition Dialog Box, General Page
3/24/2017

Use this dialog box to create or change a Policy-Based Management condition. A condition is a Boolean expression that specifies a set of allowed states of a Policy-Based Management managed target with regard to facets. The properties that can be selected in the Expression/Field box depend upon the facet that is used. For more information about how conditions relate to facets and policies, see Administer Servers by Using Policy-Based Management.

Options

Name
For a new condition, type the new condition name. For an existing condition, the name is displayed.

Facet
The facet used by this condition.

AndOr
When you add multiple expressions, indicates whether the expressions should be joined by using And or Or. Remains blank when there is only one expression.

Field
Each facet exposes one or more properties that can be set. In the Field box, select a property from the list of available properties to create an expression for this condition.

Operator
Select a comparison operator for this expression. Operators are as follows: =, !=, >, >=, <, <=, [NOT] LIKE, [NOT] IN. Not all operators are available for some properties.

Value
The value setting for this expression. The allowed values depend on the facet. Values can be TRUE/FALSE, string, or numeric. String values must be enclosed in single quotation marks, for example: 'AdventureWorks'. Not all operators are available for some properties.

Group Clauses
Clauses can be grouped to operate as a single unit separate from the rest of the query, just like putting parentheses around an expression in a mathematical equation or logic statement. Grouping clauses is useful when you are building complex queries.

To group clauses
Press the SHIFT or CTRL keys, and then click two or more clauses to select a range. Right-click the selected area, and then click Group Clauses.

See Also

Administer Servers by Using Policy-Based Management

Create New Condition or Open Condition Dialog Box, Description Page
3/24/2017

Use this dialog box to add a description to a Policy-Based Management condition.

Options

Description
Type a description of the condition.

Date created
The date the condition was created.

Created by
The login that created the condition.

Date modified
The date the condition was last changed.

Modified by
The login that made the most recent change to the condition.

See Also

Administer Servers by Using Policy-Based Management

Open Condition Dialog Box, Dependent Policies Page
3/24/2017

Use this dialog box to display a list of policies that currently reference this Policy-Based Management condition. For more information about how conditions relate to facets and policies, see Administer Servers by Using Policy-Based Management.

Options

Name
Lists the name of each policy that references this current condition.

Enabled
A check mark indicates that the policy is currently enabled. Is blank if the policy is not enabled.

History
Click the View History hyperlink to display the execution history report.

Created
The date the policy was created.

See Also

Administer Servers by Using Policy-Based Management

Advanced Edit (Condition) Dialog Box
4/6/2017

Use the Advanced Edit dialog box to create complex expressions for Policy-Based Management conditions.

Options

Cell value
Displays the function or expression that will be used for the cell value as you create it. When you click OK, the cell value will appear in the Field or Value cell in the condition expression box of the Create New Condition or the Open Condition dialog box on the General page.

Functions and properties
Displays the available functions and properties.

Details
Displays the information about the functions and properties, in the format: function signature, function description, return value, and example.

Syntax
Valid expressions must be in the following format:

{property | function | constant}

{operator}

{property | function | constant}

Examples

Some examples of valid expressions are as follows:

Property1 > 5
Property1 = Property2
Add(5, Multiply(.2, Property1))

IMPORTANT! The functions that you can use to create Policy-Based Management conditions do not always use Transact-SQL syntax. Make sure that you follow the example syntax. For example, when you use the DateAdd or DatePart functions, you must enclose the datepart argument in single quotes.

Functions

The following functions are available. Each entry lists the function, its signature, a description, its arguments, its return value, and an example.

Add()
Signature: Numeric Add(Numeric expression1, Numeric expression2)
Description: Adds two numbers.
Arguments: expression1 and expression2 - Is any valid expression of any one of the data types in the numeric category, except the bit data type. Can be a constant, property, or function that returns a numeric type.
Return value: Returns the data type of the argument that has the greater precedence.
Example: Add(Property1, 5)

Array()
Signature: Array Array(VarArgs expression)
Description: Creates an array from a list of values. Can be used with aggregate functions such as Sum() and Count().
Arguments: expression - Is an expression that will be converted to an array.
Return value: The array.
Example: Array(2,3,4,5,6)

Avg()
Signature: Numeric Avg(VarArgs)
Description: Returns the average of the values in the argument list.
Arguments: VarArgs - Is a list of Variant expressions of the exact numeric or approximate numeric data type category, except for the bit data type. If the expression result is in the integer, decimal, money and smallmoney, or float and real category, the return types are int, decimal, money, and float, respectively.
Return value: The return type is determined by the type of the evaluated result of the expression.
Example: Avg(1.0, 2.0, 3.0, 4.0, 5.0) returns 3.0 in this example.

BitwiseAnd()
Signature: Numeric BitwiseAnd(Numeric expression1, Numeric expression2)
Description: Performs a bitwise logical AND operation between two integer values.
Arguments: expression1 and expression2 - Is any valid expression of any one of the data types of the integer data type category.
Return value: Returns a value of the integer data type category.
Example: BitwiseAnd(Property1, Property2)

BitwiseOr()
Signature: Numeric BitwiseOr(Numeric expression1, Numeric expression2)
Description: Performs a bitwise logical OR operation between two specified integer values.
Arguments: expression1 and expression2 - Is any valid expression of any one of the data types of the integer data type category.
Return value: Returns a value of the integer data type category.
Example: BitwiseOr(Property1, Property2)

Concatenate()
Signature: String Concatenate(String string1, String string2)
Description: Concatenates two strings.
Arguments: string1 and string2 - Are the two strings that you want to concatenate. Can be any valid non-null string.
Return value: The concatenated string, with string1 followed by string2.
Example: Concatenate("Hello", " World") returns "Hello World".

Count()
Signature: Numeric Count(VarArgs)
Description: Returns the number of items in the argument list.
Arguments: VarArgs - Is an expression of any type except text, image, and ntext.
Return value: Returns a value of the integer data type category.
Example: Count(1.0, 2.0, 3.0, 4.0, 5.0) returns 5 in this example.

DateAdd()
Signature: DateTime DateAdd(String datepart, Numeric number, DateTime date)
Description: Returns a new datetime value that is based on adding an interval to the specified date.
Arguments: datepart - Is the parameter that specifies on which part of the date to return a new value. Some of the supported types are year (yy, yyyy), month (mm, m) and dayofyear (dy, y). For more information, see DATEADD (Transact-SQL). The following are the dateparts and abbreviations that are supported by this function:
year: yy, yyyy
month: mm, m
dayofyear: dy, y
day: dd, d
week: wk, ww
weekday: dw, w
hour: hh
minute: mi, n
second: ss, s
millisecond: ms
number - Is the value that is used to increment datepart.
date - Is an expression that returns a datetime value, or a character string in a date format.
Return value: Is the new datetime value that is based on adding an interval to the specified date.
Example: DateAdd('day', 21, DateTime('2007-08-06 14:21:50')) returns '2007-08-27 14:21:50' in this example.

DatePart()
Signature: Numeric DatePart(String datepart, DateTime date)
Description: Returns an integer that represents the specified datepart of the specified date.
Arguments: datepart - Is the parameter that specifies the part of the date to return. Some of the supported types are year (yy, yyyy), month (mm, m) and dayofyear (dy, y). For more information, see DATEPART (Transact-SQL).
date - Is an expression that returns a datetime value, or a character string in a date format.
Return value: Returns a value of the integer data type category that represents the specified datepart of the specified date.
Example: DatePart('month', DateTime('2007-08-06 14:21:50.620')) returns 8 in this example.

DateTime()
Signature: DateTime DateTime(String dateString)
Description: Creates a datetime value from a string.
Arguments: dateString - Is the datetime value as a string.
Return value: Returns a datetime value created from the input string.
Example: DateTime('3/12/2006')

Divide()
Signature: Numeric Divide(Numeric expression_dividend, Numeric expression_divisor)
Description: Divides one number by another.
Arguments: expression_dividend - Is the numeric expression to divide. The dividend can be any valid expression of any one of the data types of the numeric data type category, except the datetime data type.
expression_divisor - Is the numeric expression by which to divide the dividend. The divisor can be any valid expression of any one of the data types of the numeric data type category, except the datetime data type.
Return value: Returns the data type of the argument that has the greater precedence.
Example: Divide(Property1, 2). Note: This will be a double operation. To do an integer compare, you must combine the result with Round(). For example: Round(Divide(10, 3), 0) = 3.

Enum()
Signature: Numeric Enum(String enumTypeName, String enumValueName)
Description: Creates an enum value from a string.
Arguments: enumTypeName - Is the name of the enum type.
enumValueName - Is the value of the enum.
Return value: Returns the enum value as a numeric value.
Example: Enum('CompatibilityLevel', 'Version100')

Escape()
Signature: String Escape(String replaceString, String stringToEscape, String escapeString)
Description: Escapes a substring of the input string with a given escape string.
Arguments: replaceString - Is the input string.
stringToEscape - Is a substring of replaceString. This is the string that you want to add an escape string in front of.
escapeString - Is the escape string that you want to add in front of each instance of stringToEscape.
Return value: Returns a modified replaceString in which each instance of stringToEscape is preceded by escapeString.
Example: Escape("Hello", "l", "[") returns "He[l[lo".

ExecuteSQL()
Signature: Variant ExecuteSQL(String returnType, String sqlQuery)
Description: Executes the Transact-SQL query against the target server. Runs a scalar-valued Transact-SQL query against a target instance of SQL Server. Only one column can be specified in a SELECT statement; additional columns beyond the first are ignored. The resulting query should return only one row; additional rows beyond the first are ignored. If the query returns an empty set, then the condition expression built around ExecuteSQL will evaluate to false. ExecuteSql supports the On demand and On schedule evaluation modes. For more information about ExecuteSql(), see ExecuteSql() function.
Arguments: returnType - Specifies the return type of the data returned by the Transact-SQL statement. The valid literals for returnType are as follows: Numeric, String, Bool, DateTime, Array, and Guid.
sqlQuery - Is the string that contains the query to be executed. The following variables can be used in sqlQuery:
- @@ObjectName : Corresponds to the name field in sys.objects. The variable will be replaced with the name of the current object.
- @@SchemaName : Corresponds to the name field in sys.schemas. The variable will be replaced with the name of the schema for the current object, if applicable.
Note: To include a single quotation mark in an ExecuteSQL statement, escape the single quotation mark with a second single quotation mark. For example, to include a reference to a user named O'Brian, type O''Brian.
Example: ExecuteSQL('Numeric', 'SELECT COUNT(*) FROM msdb.dbo.sysjobs') <> 0

ExecuteWQL()
Signature: Variant ExecuteWQL(String returnType, String namespace, String wql)
Description: Executes the WQL script against the namespace that is provided. The SELECT statement can contain only a single return column. If more than one column is provided, an error will be thrown.
Arguments: returnType - Specifies the return type of the data that is returned by the WQL. The valid literals are Numeric, String, Bool, DateTime, Array, and Guid.
namespace - Is the WMI namespace to execute against.
wql - Is the string that contains the WQL to be executed.
Example: ExecuteWQL('Numeric', 'root\CIMV2', 'select NumberOfProcessors from win32_ComputerSystem') <> 0

False()
Signature: Bool False()
Description: Returns the Boolean value FALSE.
Arguments: None
Return value: Returns the Boolean value FALSE.
Example: IsDatabaseMailEnabled = False()

GetDate()
Signature: DateTime GetDate()
Description: Returns the system date.
Arguments: None
Return value: Returns the system date as DateTime.
Example: @DateLastModified = GetDate()

Guid()
Signature: Guid Guid(String guidString)
Description: Returns a GUID from a string.
Arguments: guidString - Is the string representation of the GUID to be created.
Return value: Returns the GUID created from the string.
Example: Guid('12340000-0000-3455-0000-000000000454')

IsNull()
Signature: Variant IsNull(Variant check_expression, Variant replacement_value)
Description: The value of check_expression is returned if it is not NULL; otherwise, replacement_value is returned. If the types are different, replacement_value is implicitly converted to the type of check_expression.
Arguments: check_expression - Is the expression to be checked for NULL. check_expression can be of any Policy-Based Management supported type: Numeric, String, Bool, DateTime, Array, and Guid.
replacement_value - Is the expression to be returned if check_expression is NULL. replacement_value must be of a type that is implicitly converted to the type of check_expression.
Return value: The return type is the type of check_expression if check_expression is not NULL; otherwise, the type of replacement_value is returned.

Len()
Signature: Numeric Len(String string_expression)
Description: Returns the number of characters of the given string expression, excluding trailing blanks.
Arguments: string_expression - Is the string expression to be evaluated.
Return value: Returns a value of the integer data type category.
Example: Len('Hello') returns 5 in this example.

Lower()
Signature: String Lower(String string_expression)
Description: Returns the string after converting all uppercase characters to lowercase.
Arguments: expression - Is the source string expression.
Return value: Returns a string that represents the source string expression after all uppercase characters are converted to lowercase.
Example: Lower('HeLlO') returns 'hello' in this example.

Mod()
Signature: Numeric Mod(Numeric expression_dividend, Numeric expression_divisor)
Description: Provides the integer remainder after dividing the first numeric expression by the second numeric expression.
Arguments: expression_dividend - Is the numeric expression to divide. expression_dividend must be a valid expression of any one of the data types in the integer or the numeric data type categories.
expression_divisor - Is the numeric expression to divide the dividend by. expression_divisor must be any valid expression of any one of the data types in the integer or the numeric data type categories.
Return value: Returns a value of the integer data type category.
Example: Mod(Property1, 3)

Multiply()
Signature: Numeric Multiply(Numeric expression1, Numeric expression2)
Description: Multiplies two expressions.
Arguments: expression1 and expression2 - Is any valid expression of any one of the data types in the numeric category, except the datetime data type.
Return value: Returns the data type of the argument that has the greater precedence.
Example: Multiply(Property1, .20)

Power()
Signature: Numeric Power(Numeric numeric_expression, Numeric expression_power)
Description: Returns the value of the specified expression to the specified power.
Arguments: numeric_expression - Is an expression of the exact numeric or approximate numeric data type category, except for the bit data type.
expression_power - Is the power to which to raise numeric_expression. expression_power can be an expression of the exact numeric or approximate numeric data type category, except for the bit data type.
Return value: The return type is the same as numeric_expression.
Example: Power(Property1, 3)

Round()
Signature: Numeric Round(Numeric expression, Numeric expression_precision)
Description: Returns a numeric expression, rounded to the specified length or precision.
Arguments: expression - Is an expression of the exact numeric or approximate numeric data type category, except for the bit data type.
expression_precision - Is the precision to which expression is to be rounded. When expression_precision is a positive number, numeric_expression is rounded to the number of decimal positions that is specified by length. When expression_precision is a negative number, numeric_expression is rounded on the left side of the decimal point, as specified by expression_precision.
Return value: Returns the same type as numeric_expression.
Example: Round(5.333, 0)

String()
Signature: String String(Variant expression)
Description: Converts a variant to a string.
Arguments: expression - Is the variant expression to be converted to a string.
Return value: Returns the string value of the variant expression.
Example: String(4)

Sum()
Signature: Numeric Sum(VarArgs)
Description: Returns the sum of all the values in the argument list. Sum can be used with numeric values.
Arguments: VarArgs - Is a list of Variant expressions of the exact numeric or approximate numeric data type category, except for the bit data type. If the expression result is in the integer, numeric, money and smallmoney, or float and real category, the return types are int, numeric, money, and float, respectively.
Return value: Returns the summation of all expression values in the most precise expression data type.
Example: Sum(1.0, 2.0, 3.0, 4.0, 5.0) returns 15 in this example.

True()
Signature: Bool True()
Description: Returns the Boolean value TRUE.
Arguments: None
Return value: Returns the Boolean value TRUE.
Example: IsDatabaseMailEnabled = True()

Upper()
Signature: String Upper(String string_expression)
Description: Returns the string after converting all lowercase characters to uppercase.
Arguments: expression - Is the source string expression.
Return value: Returns a string that represents the source string expression after all lowercase characters are converted to uppercase.
Example: Upper('HeLlO') returns 'HELLO' in this example.
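The ExecuteSQL() entry above leaves open what a query written for it looks like once the @@SchemaName and @@ObjectName variables and the quotation-mark doubling from its Note are applied. The following is an added example, not part of the original page: first the query in a form that runs on its own in a query window, with local variables standing in for the two tokens, then the resulting condition expression. It assumes a table-scoped policy whose query runs in the database that holds the target object; the object name dbo.Customers is a constructed placeholder.

```sql
-- Added example, not from the page: a scalar query written for ExecuteSQL().
-- Tested here with local variables in place of the @@SchemaName and
-- @@ObjectName tokens that Policy-Based Management substitutes at evaluation
-- time. The object name below is a constructed placeholder.
DECLARE @SchemaName sysname = N'dbo';        -- stands in for @@SchemaName
DECLARE @ObjectName sysname = N'Customers';  -- stands in for @@ObjectName

-- Number of object-level permissions granted to the public role on the
-- current object. One column, one row: the shape ExecuteSQL expects, and
-- COUNT(*) always yields a row, so the empty-set case (which would make the
-- condition evaluate to false) cannot occur.
SELECT COUNT(*)
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1                                   -- object or column permission
  AND dp.major_id = OBJECT_ID(QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@ObjectName))
  AND pr.name = N'public'
  AND dp.state IN ('G', 'W');                        -- GRANT, GRANT WITH GRANT OPTION

/*
The same query embedded in a condition expression, with the tokens in place
and every single quotation mark inside the query doubled, as the Note for
ExecuteSQL() requires. The condition passes when no permission is granted
to public on the table:

ExecuteSQL('Numeric',
  'SELECT COUNT(*) FROM sys.database_permissions AS dp
   JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
   WHERE dp.class = 1
     AND dp.major_id = OBJECT_ID(''[@@SchemaName].[@@ObjectName]'')
     AND pr.name = ''public''
     AND dp.state IN (''G'', ''W'')') = 0
*/
```

Keeping the stand-alone form around is the practical way to debug such conditions: ExecuteSQL reports only the first column of the first row, so a query that silently returns the wrong row or an empty set is easier to spot in a query window than in the evaluation results.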

See also

Create New Condition or Open Condition Dialog Box, General Page
Administer Servers by Using Policy-Based Management

Create New Policy or Open Policy Dialog Box, General Page
3/24/2017

Use this dialog box to create a new Policy-Based Management policy or modify an existing policy. Use the Against targets and Server restriction areas as a filter to limit policies to a subset of all possible targets. For conditions to be used as target filters, they must be defined on a physical facet, must not contain functions, and must not contain the LIKE operator.

When the system computes the object set for a policy, by default the system objects are excluded. For example, if the object set of the policy refers to all tables, the policy will not apply to system tables. If users want to evaluate a policy against system objects, they can explicitly add system objects to the object set. However, although all policies are supported for the check on schedule evaluation mode, for performance reasons not all policies with arbitrary object sets are supported for the check on change evaluation mode. For more information, see http://blogs.msdn.com/b/sqlpbm/archive/2009/04/13/policy-evaluation-modes.aspx

Options

Name
For a new policy, type the new policy name. For an existing policy, the name is displayed.

Enabled
Select the Enabled check box to enable the policy. Clear the Enabled check box to disable the policy. The Enabled box applies to policy automation. It creates or removes the automation system for the policy. Automation uses the following mechanisms:
On change: prevent - A database trigger enforces compliance.
On change: log only - A notification services event checks for compliance.
On schedule - A SQL Server Agent job is created to check for compliance on a schedule.
Policies that are run using the On demand evaluation mode do not use this check box.

Check condition
Select the Policy-Based Management condition that this policy uses. All conditions on the server for the associated Policy-Based Management facet are listed. Click New condition to create a new condition. Click the ellipsis (...) button to modify the condition.

Against targets
Select the target types that are available for this facet to complete a filter expression.

Evaluation Mode
Select the evaluation mode for the policy. Some policies can be checked but not enforced. The evaluation modes are as follows:
On demand - The policy will only be run when you run it from the Evaluate dialog box.
On schedule - Periodically evaluates the policy, records a log entry for policies that are out of compliance, and creates a report. Enables the Schedule box.
On change: log only - When changes are tried, this option does not prevent out-of-compliance changes, but logs policy violations.
On change: prevent - When changes are tried, this option prevents changes that would violate the policy.

Schedule
This option appears when the On schedule evaluation mode is selected. Type the name of the schedule, click Pick to select a schedule from a list, or click New to create a new schedule. To enable the schedule area, On schedule must be selected.

Server restriction
Select the types of servers that are appropriate for this policy. Options are None or select a condition that filters the possible servers.

See Also

Administer Servers by Using Policy-Based Management

Create New Policy or Open Policy Dialog Box, Description Page
3/24/2017

Use this dialog box to add a description and additional information to a Policy-Based Management policy.

Options

Category
When you are creating a new policy, select a policy category.

Description
Type a description of the policy.

Additional help hyperlink: Text to display
When executing policies, the additional help hyperlink is displayed in the Results Detailed View page. Type the text to display as a hyperlink.

Additional help hyperlink: Address
Type the hyperlink of a Web page to open when users click the hyperlink text that appears in the Results Detailed View page.

Additional help hyperlink: Test Link
Click to open the hyperlink to test the validity of the link.

Date created
The date the policy was created.

Created by
The login that created the policy.

Date modified
The date the policy was last changed.

Modified by
The login that made the most recent change to the policy.

See Also

Administer Servers by Using Policy-Based Management

View Policies Dialog Box
3/24/2017

Use this dialog box to view the policies that are effective for this target. This dialog box shows relevant policies, their policy categories, and information about the policies.

Options

Policy Health State
Indicates the status of the policy with regard to this target. Remains blank when the state is unknown.

Effective
Indicates whether the policy is currently in effect for the target.

Policy
The name of each applicable policy.

Category
The policy category to which the selected policy belongs.

Evaluation Mode
The evaluation mode of the named policy.

History
Click the hyperlink to display the execution history report.

Evaluate
Click the hyperlink to open the Evaluate Policies dialog box to execute the policy.

Last Execution
The date and time the policy was last run.

See Also

Administer Servers by Using Policy-Based Management

Evaluate Policies Dialog Box, Policy Selection Page
3/24/2017

Use this dialog box to evaluate Policy-Based Management policies. By selecting the Evaluation Results page, you can apply policies to the items in a target set that do not comply with the policies.

Options

Source
Specifies the source of the policies. To change the source, click the Browse (...) button to open the Select Source dialog box.

Files
Type the path of a file that contains a Policy-Based Management policy, or use the Browse (...) button to select the file.

Server
Select to connect to an instance of the SQL Server Database Engine that contains the policy that you want.

Policies: Policy
Click to open the policy dialog box for the specified policy.

Policies: Category
The category of the policy. This box is read-only.

Policies: Facet
The facet implemented by the policy. This box is read-only.

Evaluate
Runs the policy in evaluation mode. This generates a compliance report for the target set but does not reconfigure SQL Server or enforce future compliance.

Possible Errors

No targets found
The target set could be empty for any of the following reasons:
There are no targets on the instance of SQL Server of the type specified by the policy.
The server restriction might exclude the instance of SQL Server that contains the target.
If the policy is on an object in a database (for example a table, view, or user), the database might not subscribe to the category of the policy.
The target-set filter might exclude all targets on this instance of SQL Server.
The target server type is different from the server type on which the policy is evaluated. For example, in the Database Engine, if you try to evaluate a policy that has been created for Analysis Services, you will receive an empty target set.

See Also

Administer Servers by Using Policy-Based Management
Evaluate Policies Dialog Box, Evaluation Results Page

Evaluate Policies Dialog Box, Evaluation Results Page
3/24/2017

Use this dialog box to view policy evaluation results, and to apply Policy-Based Management policies to a set of targets that does not comply with the policies.

Options

Results: Policy
The name of the policy being evaluated. This box is read-only.

Results: Message
A link to information if an error occurs.

Target details: Server
The instance of SQL Server against which the policies are evaluated.

Target details: Target
The target against which the policies are evaluated.

Target details: Details
A link to the Results Detailed View dialog box that shows details of the policy evaluation.

Target details: Message
A link to information if an error occurs.

See Also

Administer Servers by Using Policy-Based Management
Evaluate Policies Dialog Box, Policy Selection Page
Results Detailed View Dialog Box

Facet Properties Dialog Box, General Page
3/24/2017

Facet Properties Dialog Box, General Page

Use this dialog box to view the properties of a Policy-Based Management facet. Each facet can be applied to one or more target types, for example: server, database, or table. Use this page to view which target types are related to this facet. The properties of a facet are defined when a facet is created and cannot be changed by using this page.

Options

- Description: Provides a general description of the facet.
- Applicable target types: Shows the types of targets that can be configured or evaluated by using this facet.
- Properties: Displays the name and description of each facet property.

See Also

Administer Servers by Using Policy-Based Management

Facet Properties Dialog Box, Dependent Policies Page

Use this dialog box to display a list of policies that currently reference this Policy-Based Management facet.

Options

- Name: Lists the name of each policy that references the current facet.
- Enabled: A check mark indicates that the policy is currently enabled. The column is blank if the policy is not enabled.
- History: Click the View History hyperlink to display the execution history report.
- Created: The date when the policy was created.

See Also

Administer Servers by Using Policy-Based Management

Facet Properties Dialog Box, Dependent Conditions Page

Use this dialog box to display a list of conditions that currently reference this Policy-Based Management facet.

Options

- Name: Lists the name of each condition that references the current facet.

See Also

Administer Servers by Using Policy-Based Management

Results Detailed View Dialog Box

This dialog box shows the results of policy evaluation after you have run a policy by using the Evaluate Policies dialog box and clicked Evaluate. This dialog box is read-only, and helps you understand which part of a property expression might be failing.

Options

- AndOr: When more than one property expression is present, indicates whether the property expressions are cumulative or alternative.
- Result: Icon that represents the success or failure of the property expression.
- Field: The property of the facet that is being modeled.
- Operator: The operator for the expression, for example = or Like.
- Expected Value: The value for the field that will cause the property expression to be successful.
- Actual Value: The value for the field that was detected by the policy.
- Policy description: The description of the policy.
- Additional help: Click the hyperlink to open a Web page that is related to this policy. The Additional Help hyperlink is configured when the policy is created and might be blank or unavailable.

See Also

Policy Management Node (Object Explorer)
Administer Servers by Using Policy-Based Management

View Facets Dialog Box

Use this dialog box to view the properties of a Policy-Based Management facet. The properties of a facet are defined when a facet is created and cannot be changed by using this dialog box.

Options

- Facet: The name of the currently selected facet.
- Description: Provides a general description of the facet.
- Facet properties: Displays the names and settings of the facet properties.
- Export Current State as Policy: Click to export the described state of the facet properties as a new policy in an XML file.

See Also

Administer Servers by Using Policy-Based Management

Select Source Dialog Box

Use this dialog box to select the source of the policies to be run. To select one or more XML files that contain policies, select Files. To run the policies that are found on the instance of SQL Server, select Server. You can open this dialog box in several ways.

To open this dialog box

- In Registered Servers, right-click Local Server Groups or any server under Local Server Groups, or any server under Central Management Servers, and then select Evaluate Policies. In the Policy Selection page of the Evaluate Policies dialog box, click the Browse (...) button.
- In Object Explorer, expand Management, expand Policy Management, right-click Policies, and select Import Policy. In the Import dialog box, click the Browse (...) button.
- In Object Explorer, right-click a server, database, or database object, select Policies, and then select Evaluate. In the Policy Selection page of the Evaluate Policies dialog box, click the Browse (...) button.

Options

- Files: Select one or more XML files that contain policies.
- Server: Enables you to select a server that contains the policies that you want to run.
- Server type: Only Database Engine servers contain policies. This box is read-only.
- Server name: Select the server instance to connect to. By default, the server instance last connected to is displayed.
- Authentication: Two authentication modes are available when you connect to an instance of the Database Engine.
- Windows Authentication Mode (Windows Authentication): Windows Authentication mode allows a user to connect through a Windows user account.
- SQL Server Authentication: When a user connects with a specified login name and password from a nontrusted connection, SQL Server performs the authentication itself by checking whether a SQL Server login account has been set up and whether the specified password matches the one previously recorded. If SQL Server does not have a login account set, authentication fails, and the user receives an error message.

IMPORTANT When possible, use Windows Authentication.

- User name: Enter the user name to connect with. This option is available only if you have selected to connect by using Windows Authentication.
- Login: Enter the login to connect with. This option is available only if you have selected to connect by using SQL Server Authentication.
- Password: Enter the password for the login. This option is editable only if you have selected to connect by using SQL Server Authentication.

See Also

Policy Management Node (Object Explorer)
Administer Servers by Using Policy-Based Management
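The dialog above describes the two authentication modes, and the note recommends Windows Authentication. As an added example that is not part of this reference page, the following T-SQL shows how an administrator can confirm which modes an instance actually accepts and which SQL Server Authentication logins exist on it, together with the password policy flags that Windows logins inherit from the domain. It uses only the documented SERVERPROPERTY function and the sys.sql_logins catalog view; the filter on names beginning with ## is an assumption that you want to skip the internal certificate-based logins.

```sql
-- Added example (not from the page): inventory the authentication surface
-- of an instance before deciding how the Select Source dialog connects.

-- 1 = Windows Authentication only; 0 = mixed mode, SQL Server
-- Authentication logins are accepted as well.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
GO

-- Every SQL Server Authentication login, with the flags that tell you
-- whether the Windows password policy and expiration rules are enforced
-- for it. Windows logins get both from the domain; SQL logins only get
-- them when these bits are set.
SELECT name,
       is_disabled,
       is_policy_checked,       -- 0 = complexity/lockout policy not enforced
       is_expiration_checked,   -- 0 = password never expires
       create_date,
       modify_date
FROM sys.sql_logins
WHERE name NOT LIKE '##%'      -- assumption: skip internal ##MS_... logins
ORDER BY is_policy_checked, is_expiration_checked, name;
GO
```

Run both queries as a login with VIEW ANY DEFINITION (or sysadmin). Logins that show 0 in either flag column are the ones to review before relying on SQL Server Authentication from this dialog.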

Export As Policy Dialog Box

Use this dialog box to save a set of Policy-Based Management facet properties as a policy. Policies can be saved in an XML file, or saved directly to the current instance of the Database Engine.

Options

- Policy definition name: Type a name for the policy.
- Condition name: Type a name for the condition.
- To local server: Select to save the policy on the local server instance.
- To file: To save the policy as an XML file, type the path and name of the file or use the Browse (...) button.

See Also

Administer Servers by Using Policy-Based Management

Import Policies Dialog Box

Use this dialog box to import one or more policies (and their referenced conditions) that are saved as XML files into the current SQL Server Database Engine instance.

Options

- Files to import: To import a policy from an XML file, type the path and name of the file or use the Browse (...) button.
- Replace duplicates with items imported: Select to overwrite any existing policy or condition of the same name if it already exists on this Database Engine instance. A condition with a dependent policy cannot be overwritten unless the dependent policy is also being overwritten. If this option is not selected, an existing condition that uses the same condition expression will not cause an error.
- Policy state: Select the state that you want for the imported policy:
  - Preserve policy state on import
  - Enable all policies on import
  - Disable all policies on import

See Also

Administer Servers by Using Policy-Based Management
Import a Policy-Based Management Policy
Export a Policy-Based Management Policy

Tutorial: Administering Servers by Using Policy-Based Management

Welcome to the Administering Servers by Using Policy-Based Management Policies tutorial. This tutorial is intended for users who are familiar with SQL Server but new to Policy-Based Management.

What You Will Learn

This tutorial creates a policy to administer your server and a policy that applies to a single database. One policy is run on demand to test for compliance. The other policy enforces future compliance. This tutorial is divided into two lessons:

- Lesson 1: Create and Apply an Off By Default Policy. This lesson creates a policy that specifies that Database Mail is not enabled on the server. Then, it checks to see whether your server complies with the policy, and configures the server by disabling Database Mail.
- Lesson 2: Create and Apply a Naming Standards Policy. This lesson creates a policy that defines and enforces a naming standard for tables.

Requirements

This lesson requires basic database knowledge and a basic understanding of SQL Server Management Studio. To use this tutorial, your system must have SQL Server Management Studio installed.

Start the Tutorial

Lesson 1: Create and Apply an Off By Default Policy

See Also

Administer Servers by Using Policy-Based Management

Lesson 1: Create and Apply an Off By Default Policy

Using Policy-Based Management policies, you can administer one or more instances of SQL Server, one or more instance objects, server instances, one or more databases, or one or more database objects. As the database administrator, you want to ensure that certain servers do not have Database Mail enabled. In this lesson, you will create a condition and a policy that sets that server option. You will test the server to see whether it complies with the policy. Then, you will use the policy to reconfigure the server to bring the server into compliance.

This lesson contains the following topics:

- Create the Off By Default Policy
- Configure a Server to Run the Off By Default Policy

Next Task in Lesson

Create the Off By Default Policy

Next Lesson

Lesson 2: Create and Apply a Naming Standards Policy

Lesson 1-1 - Create the Off By Default Policy

This task creates a condition named Mail Off that is based on the Surface Area Configuration facet. Then, it creates a policy named Off By Default.

To create the Mail Off condition

1. In Object Explorer, expand Management, expand Policy Management, expand Facets, right-click Surface Area Configuration, and then click New Condition.
2. In the Create New Condition dialog box, in the Name box, type Mail Off.
3. In the Facet box, confirm that the Surface Area Configuration facet is selected.
4. In the Expression area, in the Field box, select @DatabaseMailEnabled; in the Operator box, select =; and in the Value box, select False.
5. On the Description page, type a description of the condition, and then click OK to create the condition.

To create the Off By Default policy

1. In Object Explorer, right-click Surface Area Configuration, and then click New Policy.
2. In the Create New Policy dialog box, in the Name box, type Off By Default.
3. Leave the Enabled check box unchecked. The Enabled check box applies to automated policies, and this policy will be executed on demand.
4. In the Check condition list, scroll down to the Surface Area Configuration area, and then select Mail Off as the condition to check.
5. The Against targets box will be blank because this is a server-scoped policy.
6. In the Evaluation Mode list, select On demand as the evaluation mode.
7. In the Server restriction list, select None.
8. On the Description page, type a description of the policy.
9. You can provide a hyperlink to a Web page for your policies in the Additional help hyperlink area. In the Text to display box, type the text that will appear for the hyperlink.
10. In the Address box, type a hyperlink to a Help page, such as the home page for the IT department of your company.
11. To confirm the address by opening the Web page, click Test Link.
12. Click OK.
Next Task in Lesson

Configure a Server to Run the Off By Default Policy

Lesson 1-2 - Configure a Server to Run the Off By Default Policy

Now you have a policy named Off By Default. In this task, you will check to see whether your server complies with the requirements of this policy.

To run the Off By Default policy

1. In Object Explorer, right-click your instance of SQL Server, point to Policies, and then click Evaluate.
2. In the Evaluate Policies dialog box, you can select policies from another instance of SQL Server or from a file. For this step, leave Source set to your instance of the Database Engine.
3. In the Policies section, select the Off By Default policy.
4. To see whether the server is in compliance with the policy, click Evaluate.
5. In the Results area, you will see a green circle with a check mark if the Database Engine complies with the policy. You will see a red circle with an X if the Database Engine does not comply with the policy.
6. In the Target Details area, you will see additional information in the Message column if an error occurs. In the Message column, click View to see a report that contains the results of the check for each facet property that was checked.
7. The policy description is displayed at the bottom of the page, and the Additional help section displays the hyperlink that you have configured for the policy. Click the message hyperlink to open the Web page that you specified when you created the policy.
8. Close the browser, and then close the Results Detailed View dialog box.
9. If the server is out of compliance and you want to disable Database Mail, click Apply in the Evaluation Results page.
10. Close both the Results Detailed View and the Evaluate Policies dialog boxes.

Next Lesson

Lesson 2: Create and Apply a Naming Standards Policy
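Lessons 1-1 and 1-2 build and apply the Mail Off condition through the Management Studio dialogs. As an added example that is not part of the tutorial, the T-SQL below does the same two things directly: the first query is the check that Evaluate performs for @DatabaseMailEnabled, which on the Surface Area Configuration facet reflects the 'Database Mail XPs' server configuration option, and the sp_configure calls are what Apply does when the server is out of compliance. Only documented objects are used (sys.configurations, sp_configure, RECONFIGURE); the expectation that value_in_use changes from 1 to 0 is the outcome the tutorial describes, not captured output.

```sql
-- Added example (not from the tutorial): the Mail Off check and the
-- corrective action, done in T-SQL instead of the Evaluate Policies dialog.

-- Evaluate: value_in_use = 1 means Database Mail is enabled, which is the
-- out-of-compliance state for the Mail Off condition (@DatabaseMailEnabled = False).
SELECT name, value, value_in_use, is_advanced
FROM sys.configurations
WHERE name = N'Database Mail XPs';
GO

-- Apply: turn the option off. 'Database Mail XPs' is an advanced option,
-- so 'show advanced options' has to be on for sp_configure to accept it;
-- it is switched back off afterwards so the advanced options stay hidden.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'Database Mail XPs', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;
GO

-- Re-evaluate: the same query should now report value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'Database Mail XPs';
GO
```

Running the check as a scheduled query is a cheap way to detect drift between policy evaluations: any row with value_in_use = 1 on a server covered by Off By Default is a finding, whether or not someone has clicked Evaluate recently.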

Lesson 2: Create and Apply a Naming Standards Policy

Some types of Policy-Based Management policies can create triggers to enforce future compliance with the policy. In this lesson, you create a policy that enforces a naming standard for tables. Then, you test the policy by trying to create a table that violates the policy.

This lesson contains the following topics:

- Create the Finance Name Policy
- Subscribe to and Check the Finance Name Policy

Next Task in Lesson

Create the Finance Name Policy

Lesson 2-1 - Create the Finance Name Policy

In this task, you will create a database named Finance, and then create a condition that requires all tables to start with the letters fintbl. Then, you will create a policy and policy category to enforce a naming standard for tables in the Finance database.

To create the Finance database

1. In Management Studio, open a query window and execute the following statement:

CREATE DATABASE Finance ;
GO

2. In Object Explorer, click Databases, and then press F5 to refresh the list of databases.

To create the Finance Tables condition

1. In Object Explorer, expand Management, expand Policy Management, right-click Conditions, and then click New Condition.
2. In the Create New Condition dialog box, in the Name box, type Finance Tables.
3. In the Facet list, select Multipart Name.
4. In the Expression area, in the Field box, select @Name; in the Operator box, select Like; and in the Value box, type 'fintbl%' to force all table names to start with the letters fintbl.
5. On the Description page, type Finance table names must begin with fintbl, and then click OK to create the condition.

To create the Finance Name policy

1. In Object Explorer, right-click Policies, and then click New Policy.
2. In the Create New Policy dialog box, in the Name box, type Finance Name.
3. In the Check condition list, select Finance Tables. This is in the Multipart Name area.
4. In the Against area, you will see a list of the database objects that could apply this policy. Select the check box for Every Table.
5. In the Every Database area, expand Every, and then click New condition.
6. In the Create New Condition dialog box, in the Name box, type Finance Database.
7. In the Expression box, complete the expression to include @Name = 'Finance', and then click OK to close the condition page.

NOTE You might have to tab out of the Value box to enable the OK button.

8. In the Evaluation Mode list, select On change: prevent. This will enforce the policy by creating a database trigger on the Finance database.
9. Select the Enabled check box. (The Enabled box does not apply to On demand policies.)
10. In the Server restriction list, select None.
11. Click OK.

To create the Finance policy category

1. In Object Explorer, expand Management, right-click Policy Management, and then click Manage Categories.
2. In the Manage Policy Categories dialog box, under Name, type Finance in the blank box, and then clear Mandate Database Subscriptions. Mandate Database Subscriptions will force every database in the instance to subscribe to the policies that belong to this policy category. For this lesson, only the Finance database should subscribe to the Finance Name policy.
3. Click OK.

Next Task in Lesson

Subscribe to and Check the Finance Name Policy

Lesson 2-2 - Subscribe to and Check the Finance Name Policy

In this task, you will configure the Finance database to subscribe to the Finance policy category. Then, you will test the Finance Name policy.

To subscribe to the Finance policy category

1. In Object Explorer, expand Databases, right-click Finance, point to Policies, and then click Categories.
2. Select the Subscribed check box for the Finance category.
3. Click OK.

To test the enforcement of the Finance Name policy

1. In Management Studio, open a query window. Execute the following statements, which try to create a table that violates the Finance Name policy. The table violates the policy because the table name does not begin with the letters fintbl.

USE Finance ;
GO
CREATE TABLE NewTable (Col1 int) ;
GO

Notice that the policy prevents the table from being created and returns an informational message that provides the policy name.

2. To provide a valid name, modify the code as follows and run the statement again.

USE Finance ;
GO
CREATE TABLE fintblNewTable (Col1 int) ;
GO

This time, the table is created.

To apply the policy to the whole server

1. Currently, only the Finance database subscribes to the Finance policy category. In many cases, it is easier to apply the policy category to the whole server. In Object Explorer, expand Management, right-click Policy Management, and then click Manage Categories.
2. In the Manage Policy Categories dialog box, locate the Finance category, and select the Mandate Database Subscriptions check box for the Finance category.
3. Click OK.

Now the Finance category applies to all databases, but the condition that you have created restricts the Finance Name policy to the Finance database. This shows how you can use complex combinations of conditions to target policies in ways that will apply correctly on many servers.

Summary

This tutorial has shown you how to create Policy-Based Management conditions, policies, and policy groups, and how to apply filters and check the compliance of Policy-Based Management targets.

Next

This tutorial is finished. To return to the start, click Tutorial: Administering Servers by Using Policy-Based Management. For a list of tutorials, see Tutorials for SQL Server 2016.

See Also

Administer Servers by Using Policy-Based Management
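Lesson 2 enforces the fintbl naming standard with an On change: prevent policy, which blocks DDL issued after the policy is enabled but says nothing about tables that already existed. As an added example that is not part of the tutorial, the first query below reproduces the Finance Tables test (@Name Like 'fintbl%') directly against the catalog so that pre-existing violations can be found, and the second reads the evaluation history that Policy-Based Management records in msdb for the Finance Name policy. The sys.tables and sys.schemas views are standard; the msdb syspolicy view and column names are taken from the documented msdb views and are flagged in the code as something to verify on your version.

```sql
-- Added example (not from the tutorial).

-- 1) Existing tables that already violate the Finance Tables condition.
--    On change: prevent only fires for DDL run after the policy is enabled,
--    so this catalog query is the only way to find tables created earlier.
USE Finance;
GO
SELECT s.name AS schema_name,
       t.name AS table_name,
       t.create_date
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE t.name NOT LIKE 'fintbl%'   -- T-SQL LIKE follows the database collation
ORDER BY t.create_date;
GO

-- 2) Evaluation history for the Finance Name policy, from the views that
--    Policy-Based Management maintains in msdb. View and column names are
--    as documented for msdb; assumed here, verify with sys.columns on your
--    version before relying on them in a report.
SELECT p.name AS policy_name,
       h.start_date,
       h.end_date,
       h.result,              -- 1 = evaluation succeeded for the target set
       h.exception_message
FROM msdb.dbo.syspolicy_policy_execution_history AS h
JOIN msdb.dbo.syspolicy_policies AS p
  ON p.policy_id = h.policy_id
WHERE p.name = N'Finance Name'
ORDER BY h.start_date DESC;
GO
```

Run the first query right after enabling the policy and again after changing Mandate Database Subscriptions for the Finance category: because the Finance Database condition (@Name = 'Finance') limits the policy's targets, the catalog query is the quickest way to confirm that only the Finance database is actually being checked.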