Enterprise Policy Management Framework with SQL Server 2008

SQL Server Technical Article

Writers: Tom Davidson, Lara Rubbelke, Dmitri Tchikatilov

Contributor: Sanjay Mishra

Technical Reviewers: Lindsey Allen, Hongfei Guo, Prem Mehra, Joseph Sack, Jimmy May, Glenn Berry (SQL Server MVP), Michael Thomassy

Published: February 2009

Applies to: SQL Server 2008

Summary: The Enterprise Policy Management (EPM) Framework leverages and extends the new Microsoft SQL Server 2008 Policy-Based Management feature across an entire SQL Server enterprise, including down-level instances of SQL Server such as SQL Server 2000 and SQL Server 2005.

Introduction

The Enterprise Policy Management (EPM) Framework leverages and extends the new Microsoft SQL Server 2008 Policy-Based Management feature across an entire SQL Server enterprise, including down-level instances of SQL Server such as SQL Server 2000 and SQL Server 2005. In addition, the EPM Framework can be used to:

  • Automate the evaluation of policies against a defined set of SQL Server instances, including SQL Server 2000 and SQL Server 2005.
  • Centralize the policy evaluation history to a single source for enterprise policy reporting.
  • Define best practices for implementing policy evaluation in extremely large enterprise environments.

This document provides best practice guidance on the use of the EPM Framework as a means of collecting and reporting on policy compliance across an entire SQL Server enterprise.

Policy-Based Management (PBM), a feature introduced in SQL Server 2008, significantly changes the way administrators manage the SQL Server data platform. In previous versions of SQL Server, DBAs spent a large amount of time reacting to issues caused by configuration changes or deployments that did not comply with best practice standards or regulatory requirements. To address this issue, some enterprise environments used custom code or scripts to validate compliance with these standards and requirements. The problem with this approach is that these custom consistency scripts are difficult and expensive to develop and maintain. Using PBM in SQL Server 2008, DBAs declare the desired state of the SQL Server environment and then manually or automatically check and/or enforce compliance of the system with that desired state. The desired state and the rules by which that desired state is enforced are known collectively as a policy. For an introduction to the SQL Server 2008 Policy-Based Management feature, see Administering Servers Using Policy-Based Management in SQL Server 2008 Books Online.

The Enterprise Policy Management Framework automates and extends the SQL Server 2008 Policy-Based Management feature to down-level instances of SQL Server. Because down-level versions such as SQL Server 2000 and SQL Server 2005 do not have the built-in SQL Server 2008 policy engine, policies must be evaluated periodically or on demand using Windows PowerShell command-line scripts. These PowerShell scripts evaluate each instance of SQL Server 2000 or SQL Server 2005 against policies that are defined and stored on an instance of SQL Server 2008. The results of these evaluations are stored in a management data warehouse that resides on a SQL Server 2008 instance that is defined as a Central Management Server.

The EPM Framework can be downloaded at https://www.codeplex.com/EPMFramework.

Benefits of the Enterprise Policy Management Framework

The EPM Framework can be used to automate policy evaluation across the enterprise, centralize collection of policy evaluations and provide reports across the enterprise containing graphical representations of how an IT department is implementing and meeting (or not meeting) company goals. The drill-down capabilities of reporting services provide details of problem areas. It provides concrete answers to such important questions as:

  • “Have all the backups completed?”
  • “Are we in compliance with security mandates?”
  • “Are we in compliance with performance best practices?”

The Enterprise Policy Management Framework is a solution for governing the business and regulatory compliance of your SQL Server environment. By comparing SQL Server deployments to the desired states known as policies, EPM provides the basis for new strategic management initiatives that focus manageability efforts, drive costs lower, limit exposure, and improve productivity.

The EPM Framework extends the Policy-Based Management feature of SQL Server 2008 to all identified SQL Server instances. The EPM Framework, the built-in policy engine, predefined policies, and the ease with which new servers and user-defined policies can be added to the existing policy umbrella all combine to provide a rich and nimble environment, replacing the need for high-maintenance custom scripting or mundane, error-prone manual checks. By collecting historical policy evaluation, EPM can be used to measure the quality of IT support over time insofar as adherence to policy objectives is concerned.

Today there are generally accepted standard industry metrics for IT service levels, such as:

  • Availability or up-time (for example, 99.99%).
  • Query performance (for example, 95% of all orders must complete in less than 5 seconds).
  • Report performance (for example, reports must be completed in less than 5 minutes).
  • Timely backups and batch processing, performed at times of off-peak load (for example, backups and batch processing must be completed by 6:00 A.M).

Enterprise Policy Management Framework compliance metrics could easily be added to the above list of accepted industry metrics. Organizations can identify a compliance goal and use the EPM Framework to quantify progress toward this organizational goal. When properly implemented, these goals can be defined at various levels, or categories, rolling up to the overall key performance indicator (KPI).

A sample report from the EPM Framework is shown in Figure 1 entitled “SQL Server Compliance Report”. The SQL Server Compliance report contains four perspectives of policy evaluation including Instance Compliance, Failed Policy Count by Policy Category, Failed Policy % By Month, and Last Execution Status.

Figure 1: SQL Server Compliance Report

Instance Compliance (upper left) shows policy compliance overall by instance. In this report, policy checks were performed on three instances overall. Two instances failed policy checks and one instance passed. Last Execution Status (lower left) provides drill-down details. Of the 18 failed policies, 13 were for the WIN2008\DEMO1 instance while 5 failures were reported for the WIN2008\SQL2000 instance.

Failed Policy Counts (upper right) breaks down evaluation by Policy Category. The 18 failed policies are further broken down into policy categories “2008 compliance”, “Microsoft Best Practices: Maintenance”, “Microsoft Best Practices: Security”, and “Microsoft Best Practices: Performance”. Failed Policy % By Month (lower right) shows compliance measured over time. Policy checking is shown in the blue bar graph. The blue line shows failed policy checks. The trend shows that over time more policies are being checked, with fewer failures.

The SQL Server Compliance report can be used to effectively and proactively focus managing efforts to drive costs lower, limit exposure, and improve productivity. Moreover, IT productivity goals can be set in terms of compliance. Let’s assume we have an IT policy compliance target of 80 percent. Trending over time clearly shows improvement in compliance. The last execution status showed a compliance rate exceeding the target at 82%. Next year’s compliance target would be set higher, say 90 percent.

Out of the box, SQL Server 2008 provides many predefined policies. In addition, users can design their own policies. Table 1 shows examples of policies for each policy area.

Policy area Scenario Comments User-defined? Version

Business

Backups complete

Have all my backups been completed?

N

All

Management

CLR

CLR enabled / disabled?

N

2005; 2008

Management

Naming convention

Naming convention compliance (for example, table names begin with tbl%)

N

All

Performance Best Practices

Data/log placement

Data and log on separate drives?

N

All

Performance Best Practices

MAXDOP (Max Degree Of Parallelism)

 - For OLTP applications, set MAXDOP=1

 - For data warehouse and reporting workloads, set MAXDOP to half the number of CPUs

N

All

Performance Best Practices

64-bit memory workload

Applications with large queries (for example, data warehouse or reporting applications fit 64-bit profile

N

All

Security Best Practices

Passwords

Password complexity and expiration?

N

2008

Security Best Practices

SQL Mail

SQL Mail disabled?

N

All

Security Best Practices

Security model

Integrated security enabled?

N

All

Security Best Practices

xp_cmdshell

xp_cmdshell is a security exposure – is it disabled?

N

All

Regulatory – User-defined

PCI

Credit card security compliance

Y

All

Table 1: Sample Policies for Enterprise Policy Management Framework

Ensuring compliance with best practices can help IT departments proactively avoid known problems before they occur.

Components of the EPM Framework

The EPM Framework solution, which extends Policy-Based Management to the enterprise, requires the following components to be configured in your environment. All SQL Server 2008 requirements listed below can be executed from and managed on the same instance:

 - SQL Server 2008 instance to store policies

 - SQL Server 2008 instance to act as the Central Management Server

 - SQL Server 2008 instance to execute the PowerShell script

 - SQL Server management database and policy history table to archive policy evaluation results

 - SQL Server 2008 Reporting Services to render and deliver policy history reports

When the Enterprise Policy Management (EPM) Framework is implemented, policies are evaluated against specified instances of SQL Server through PowerShell. This solution requires at least one instance of SQL Server 2008. The PowerShell script runs from this instance through a SQL Server Agent job or manually through the PowerShell interface. The PowerShell script captures the policy evaluation output, and then it inserts the output into a SQL Server table. SQL Server 2008 Reporting Services reports deliver information from the centralized table.

The Central Management Server (CMS) plays two very important roles in the EPM Framework. First, the CMS stores all of the logical server groups that are necessary in the PowerShell evaluation to determine which servers are evaluated. Second, the CMS acts as the centralized enterprise policy store. In SQL Server 2008, you can administer multiple servers by designating a Central Management Server and creating server groups. An instance of SQL Server that is designated as a Central Management Server maintains server groups that maintain the connection information for one or more instances of SQL Server. Transact-SQL statements and Policy-Based Management policies can be manually executed against server groups.

Invoke-PolicyEvaluation is the PowerShell cmdlet that runs serially. For better performance, multiple PowerShells can be run in parallel to expedite policy evaluation. To simplify the management of policy evaluation, multiple policies can be organized into policy categories. PerformanceBestPracticePolicies and SecurityPolicies are examples of policy categories. Servers should be organized into server groups such as ProductionServerGroup or SalesServerGroup. Using policy categories and server groups, Invoke-PolicyEvaluation performs the evaluation of a category of policies against a group of servers.

The EPM Framework requires a Policy Data Warehouse to store all policy history results. The EPM Framework enables an administrator to define the Policy Data Warehouse on any instance of SQL Server, although it may be worthwhile to place this database on the Central Management Server. All policy evaluation results are collected and stored in the Policy Data Warehouse for analysis and reporting.

The EPM Framework includes tools to centralize all historical policy evaluation results, making it a single reporting source for enterprise policy evaluation history and enterprise compliance. The PowerShell evaluation used for down-version evaluation naturally centralizes the results to the designated Policy Data Warehouse. SQL Server 2008 evaluation results are automatically stored in the local SQL Server 2008 msdb database. The EPM Framework includes a PowerShell script that is to be scheduled on each SQL Server 2008 instance. This script exports SQL Server 2008 policy history data for consumption to the Policy Data Warehouse.

As previously noted, PBM enables the DBA to declare the desired state of the SQL Server environment and then check the system for compliance with that state. The Invoke-PolicyEvaluation PowerShell cmdlet reports whether a target set of SQL Server objects complies with the conditions specified in one or more Policy-Based Management policies. Invoke-PolicyEvaluation evaluates one or more policies against a set of SQL Server objects called the target set. The set of target objects comes from a target server. Each policy defines conditions, which are the allowed states for the target objects.

SQL Server Reporting Services reports analyze the historical data with trends of policy compliance over time. KPIs show progress toward the policy targets of the enterprise.

To summarize, the Enterprise Policy Management Framework extends the reach of Policy-Based Management, providing a new perspective on IT quality that complements the established industry metrics of service levels and performance.

Advantages of SQL Server 2008 Policy Evaluation

There are a number of important distinctions regarding policy evaluation on SQL Server 2008, including on-change evaluation, event log alerting, advanced functionality and integration of SQL Server Management Studio. The on-change evaluation mode of SQL Server 2008 provides real-time reporting and enforcement (for example, 24x7). Advanced functionality and integration with SQL Server Management Studio includes policy dependencies, health states, subscriptions, history, and metrics such as KPIs.

For down-level versions of SQL Server 2000 and SQL Server 2005, an instance of SQL Server 2008 is used to execute the PowerShell scripts that evaluate each instance of SQL Server 2000 and SQL Server 2005 against the appropriate policies. The results of these evaluations are stored in a management data warehouse, which resides on the Central Management Server.

Advantages of Upgrading to SQL Server 2008 for Policy Evaluation

SQL Server 2008 can perform policy evaluation of down-level versions such as SQL Server 2000 and SQL Server 2005, but there is an important limitation. Because down-level versions do not include the SQL Server 2008 policy engine, policies must be evaluated periodically or on-demand using PowerShell scripts from SQL Server 2008. The limitation is that continual on-change enforcement or reporting is NOT available on down-level versions such as SQL Server 2000 and SQL Server 2005. The policy compliance of SQL Server 2000 and SQL Server 2005 are accurate at the time of evaluation ONLY.

Because continual or on-change evaluation is ONLY available if the target server is SQL Server 2008, this down-level solution is not designed for systems that have strong regulatory compliance requirements (requiring continual —that is, 24x7—compliance). The EPM Framework can, however, add some much-needed reporting of existing state as enterprise environments plan toward their SQL Server 2008 upgrades.

Organizations whose environments are subject to strong regulatory compliance requirements will want to upgrade to SQL Server 2008 as soon as possible to take advantage of SQL Server 2008 on-change policy enforcement modes. Lastly, some policies, such as strong passwords, do not apply to some earlier versions, such as SQL Server 2000.

Recommendations

The Enterprise Policy Management Framework collects policy evaluation history, and it provides analysis and reporting capabilities for the enterprise. Policy compliance effectively addresses one of the main issues facing DBAs today: the ad hoc problems caused by configuration changes or deployments that do not comply with the best practice standards.

A typical SQL Server environment will have multiple versions of SQL Server. A single SQL Server 2008 server will act as the CMS for enterprise policy management. This CMS server will store all of the server groups and the policies which are necessary in the enterprise. Using the CMS, policies are pushed out to the SQL Server 2008 servers. Only SQL Server 2008 instances allow you to leverage the full benefits of PBM, including on-change evaluation modes.

Down-level SQL Server policy evaluation requires PowerShell on-demand job execution. A PowerShell script is executed on a scheduled basis from the CMS. These PowerShell scripts evaluate each instance of SQL Server 2000 and SQL Server 2005 against the appropriate policies. The results of these evaluations are stored in a management data warehouse that resides on the CMS.

The following are best practice recommendations with EPM:

  • For performance, use parallel policy evaluation. Policy evaluation using Invoke-PolicyEvaluation runs serially. For this reason, multiple PowerShell executions of Invoke-PolicyEvaluation should be used to expedite the process.
  • Use policy categories. To simplify the management of policy evaluation, multiple policies should be organized into policy categories. PerformanceBestPracticePolicies or SecurityPolicies are examples of policy categories.
  • Leverage Best Practice Policies. Many of these predefined policies can be used to avoid problems before they occur.
  • Use server groups. To simplify the management of servers to be evaluated, multiple servers should be organized into server groups such as ProductionServerGroup or SalesServerGroup. In this manner, categories of policies can run against a group of servers.
  • Migrate down-level SQL Server 2000 and SQL Server 2005 instances to SQL Server 2008 as soon as practical. Only SQL Server 2008 targets can take advantage of 24x7 on-change evaluation modes which are critical for high regulatory requirements.

Conclusion

Policy-Based Management in SQL Server 2008 significantly improves the way administrators manage the data platform. The ease with which SQL Server 2008 enables effective policy management provides auditors and management more control over the environment. Ensuring compliance with best practices can help IT departments proactively manage the data platform, avoiding known problems before they occur.

The EPM Framework extends Policy-Based Management to the enterprise, providing an effective way to measure IT quality, providing direction for new strategic management initiatives to focus manageability efforts, driving costs lower, limiting exposure, and improving productivity.

For more information:

http://sqlcat.com/Default.aspx: SQL Server Customer Advisory Team (SQLCAT) site

https://msdn.microsoft.com/en-us/library/dd334464.aspx: SQLCAT White Papers in MSDN Library

https://technet.microsoft.com/en-us/sqlserver/bb671430.aspx: SQL Server Best Practices on the TechCenter

https://technet.microsoft.com/en-us/sqlserver/: SQL Server TechCenter

https://msdn.microsoft.com/en-us/sqlserver/: SQL Server DevCenter 

https://www.microsoft.com/sqlserver/: SQL Server Web site

Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent), how would you rate this paper and why have you given it this rating? For example:

  • Are you rating it high due to having good examples, excellent screen shots, clear writing, or another reason?
  • Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.

Send feedback.

Appendix: Additional Resources

Find additional resources below:

The Enterprise Policy Management Framework download: https://www.codeplex.com/EPMFramework

The SQL Server Manageability Team has started a new blog related to Policy-Based Management. This site will provide some great learning content for the terminology and development of policies: https://blogs.msdn.com/sqlpbm/ 

Windows PowerShell blog: https://blogs.msdn.com/powershell/

Lara Rubbelke’s blog: http://sqlblog.com/blogs/lara_rubbelke/default.aspx 

Dan Jones’ blog: https://blogs.msdn.com/dtjones/default.aspx 

Buck Woody’s blog: https://blogs.msdn.com/buckwoody/default.aspx