The Snapshot Summary tab lists statistics and other information about the selected snapshot.
Login counts may differ from what is displayed in SQL Server 2005 or later. This count displays the number of Server Principles collected. In SQL Server 2005 or later, Server Principles include Logins, Server Roles, and Certificates, while in SQL Server 2000, principles include only Logins.
Each snapshot is a listing of permission settings on a SQL Server instance at a particular point in time. You can filter and schedule your snapshots from the Audit SQL Server Properties window. Consider taking snapshots on a routine, scheduled basis. Because snapshots are taken over time, they can be viewed to see when changes are made to user or object permissions. For more information on configuring your snapshots, see Audited SQL Server Properties window.
Snapshots help you assess and manage your security settings. Snapshots represent the state of your SQL Server security at a given point in time. This provides a powerful tool you can use to diagnose security problems and quickly see where changes occur.
SQL Secure uses snapshots to capture security permission settings on SQL Server instances at configured intervals. At the scheduled time, a SQL Secure job is executed and data is collected from the SQL Server instance to the Repository database. This data set represents a single snapshot and is accessed directly by the SQL Secure Console.
Configuration before collecting snapshots
Before snapshots are taken, you must tell SQL Secure what permission data you would like to collect and when you want SQL Secure to collect it.
Snapshots are configured on the Audit Filters tab in the SQL Server Properties window. The Audit Filters tab allows you to choose the permission data that is most important to you. After you choose the appropriate settings, you can schedule the snapshot collection times on the Schedule tab.
To collect data about SQL login password health, use the Configure Weak Password Detection window.
Manage your snapshot list
Snapshots are managed through the grooming process. Grooming allows you to determine which snapshots should be deleted from the SQLsecure Repository. You can schedule grooming to occur on a routine basis, ensuring you keep only the snapshots you need. For more information, see Grooming. Keep in mind that snapshots associated with saved assessments cannot be groomed.
Be aware that snapshots that have been marked as baselines are not groomed.
Mark a snapshot as a baseline
Baseline snapshots are snapshots that will not be deleted in the grooming process.
| When snapshot should be marked as baseline | Importance |
|---|---|
| When you take your first snapshot | To have a starting point to use to identify changes to permissions over time |
| At the end of the month, quarter, or year | To track compliance to your database security policies |
| When you implement a new security model | To identify unwanted changes or issues with the new model |
| When you notice problems or irregularities in permission settings in a snapshot | To analyze the issue to correct problems and change permissions settings |
Use snapshots
Use the following tasks to configure and manage your snapshots.
- Configure snapshots on the Audited SQL Server Properties window
- Schedule snapshot collection times on the Audited SQL Server Properties window
- Explore user permissions on the Explore Permissions view
- Mark a snapshot as a baseline from the Audit History tab on the Explore Permissions view
- Delete snapshots that you do not want to keep from the Audit History tab on the Explore Permissions view
- Collect audit data manually by selecting Take Snapshot Now from the File menu
Resolve group names and group memberships across multiple domains
Using a single account to resolve group names and enumerate group memberships can be problematic when SQL Server grants permissions to accounts across multiple externally trusted domains.
In this situation, the server account specified on the Audited SQL Server Properties window should be an account that has been granted access to these external domains. This can be accomplished by either setting up two-way trusts between the account's domain and the external domains, or by creating pass-through accounts on all the external domains.