DATA SECURITY PLATFORM AND THE SQL SERVER SA ACCOUNT
Publishing Information
Software Version 8.6
Publication date September 29, 2022
Copyright © 2005 -2022 Varonis Systems Inc.
All rights reserved.
This information shall only be used in conjunction with services contracted for
with Varonis Systems, Inc. and shall not be used to the detriment of Varonis
Systems, Inc. in any manner. User agrees not to copy, reproduce, sell, license,
or transfer this information without prior written consent of Varonis Systems, Inc.
Other brands and products are trademarks of their respective holders.
Contents
Chapter 1: Data Security Platform and the SQL Server SA Account
Chapter 2: DSP Server Security
Chapter 3: Installation and Configuration
Chapter 4: General Operation
Chapter 5: Varonis Changes to the SQL Database
DATA SECURITY PLATFORM AND THE SQL SERVER SA ACCOUNT III
1 DATA SECURITY PLATFORM AND THE SQL SERVER SA ACCOUNT
Database security and risk avoidance are vital.
With security ever in mind, the Data Security Platform is engineered not only to
ensure our customers have full visibility into their data, but also that only
authorized personnel can install, access and operate the Data Security
Platform itself.
While Varonis appreciates the sensitive nature of the SQL Server sa login, the
Data Security Platform requires a SQL Server login that is a member of the
sysadmin fixed server role (sa itself, or any other login with equivalent
membership) for installation, and for adding or removing monitored resources
(file servers and directory service containers). Note that "sa" is a login and
"sysadmin" is the server role; what the platform checks for is the role
membership, so the installer can be run under a dedicated login that is added
to sysadmin for the duration of the task rather than under sa itself.
2 DSP SERVER SECURITY
Security of the Analytics information within the DSP Server
Information from the Analytics engine, including event data from the Probes,
recommendations, and so on, is stored in a database. The first layer of
protection for this information is SQL Server security itself: authentication,
authorization, and the network reachability of the instance. A second layer
comes from the use of a proprietary database schema that changes frequently
between versions. Beyond the effort a would-be attacker would need to
reconstruct the schema, identifiers that could link event data back to specific
users (user IDs, for example) are generated internally and do not map directly
to identifiers in the wider IT environment. The schema and these internal
mappings are, in other words, a layer of "security through obscurity": they
raise the time needed to make sense of the data and so add an obstacle for
anyone seeking to misuse it, but they are not a substitute for the first layer.
Access to the database should still be treated as access to the event data it
holds.
Security of Configuration information within the DSP Server
In addition to the above, the other key configuration data stored on the DSP
Server are the user names and passwords used to access Active Directory and
the file servers. All user names and passwords stored within the DSP Server are
encrypted. Because these credentials must be presented to Active Directory and
the file servers at run time, the encryption is necessarily reversible (they
cannot be stored as one-way hashes); the confidentiality of the stored
credentials therefore also depends on protecting the DSP Server host, its key
material and the database itself from unauthorized access.
3 INSTALLATION AND CONFIGURATION
Sysadmin privileges are required for activities involving the Enterprise Installer
(installation, configuration change, repair, upgrade) and the Management
Console (adding or removing monitored resources).
Membership in the sysadmin server role is needed to:
Add stored procedures to the master database
Create new databases
Create logins
Create linked servers (DB links) to other SQL Servers
Install Common Language Runtime (CLR) functions
Important:
The Enterprise Installer exits during the prerequisite check if the user
performing the installation is not a member of the sysadmin server role.
The sysadmin login is used only for the purposes listed above. There is no
need to save its credentials in the Data Security Platform: they are supplied
for the task at hand, and are needed again only when the Management Console
adds or removes monitored resources.
4 GENERAL OPERATION
The Data Security Platform applications do not require sysadmin privileges to
operate.
The DSP operates using the VaronisOwner account, a SQL Server login created
during the installation process.
This login is used to access and modify tables in the Varonis databases, and is
assigned the db_owner role in each of those databases. When the shrink tempdb
option is enabled, VaronisOwner is also assigned the db_owner role in the tempdb
system database.
The VaronisOwner password is unique per environment (generated at
installation). It is 12 characters long and composed of letters, numbers and
symbols. Because VaronisOwner authenticates with a password rather than a
Windows identity, the instance must allow SQL Server authentication (mixed
mode).
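The privilege boundary described in chapters 3 and 4 (a sysadmin member for the installer, db_owner only for VaronisOwner during operation) can be verified from PowerShell before and after installation. The following is an added example written for this page, not Varonis code. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, that the caller connects with Windows authentication, and that the instance name is a placeholder to be replaced; the working login name defaults to VaronisOwner as stated above.

```powershell
# Added example (not Varonis code). Assumes the SqlServer module
# (Install-Module SqlServer) and Windows authentication to the instance.
param(
    [string]$Instance     = 'SQLHOST\INSTANCE',   # placeholder, replace with the DSP SQL instance
    [string]$WorkingLogin = 'VaronisOwner'        # default working login named in chapter 4
)
Import-Module SqlServer -ErrorAction Stop

# 1. Pre-install check: the login running the Enterprise Installer must be a member
#    of sysadmin, otherwise the installer exits during its prerequisite check.
$me = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT SUSER_SNAME() AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
"@
if ($me.is_sysadmin -ne 1) {
    Write-Warning "$($me.login_name) is not a member of sysadmin; the Enterprise Installer will exit."
} else {
    Write-Host "$($me.login_name) is a sysadmin member: installer prerequisite satisfied."
}

# 2. Post-install check: the working login should hold no fixed server role
#    (operation does not require sysadmin) and should be db_owner only in the
#    Varonis databases, plus tempdb when the 'shrink tempdb' option is enabled.
#    $WorkingLogin is operator-supplied, so interpolating it into T-SQL is acceptable here.
$serverRoles = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT r.name AS server_role
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$WorkingLogin';
"@
if ($serverRoles) {
    Write-Warning "$WorkingLogin holds server roles: $($serverRoles.server_role -join ', ') (none expected)."
} else {
    Write-Host "$WorkingLogin holds no fixed server role."
}

# Walk every online database and report where the login maps to a db_owner member.
$dbs = Invoke-Sqlcmd -ServerInstance $Instance -Query "SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';"
foreach ($db in $dbs.name) {
    $row = Invoke-Sqlcmd -ServerInstance $Instance -Database $db -Query @"
SELECT CASE WHEN EXISTS (
         SELECT 1
         FROM sys.database_role_members rm
         JOIN sys.database_principals r  ON r.principal_id  = rm.role_principal_id
         JOIN sys.database_principals u  ON u.principal_id  = rm.member_principal_id
         JOIN sys.server_principals   sp ON sp.sid = u.sid
         WHERE r.name = N'db_owner' AND sp.name = N'$WorkingLogin')
       THEN 1 ELSE 0 END AS is_db_owner;
"@
    if ($row.is_db_owner -eq 1) {
        # tempdb membership is expected only when the shrink tempdb option is enabled.
        $note = if ($db -eq 'tempdb') { ' (expected only with shrink tempdb enabled)' } else { ''
        }
        Write-Host ("{0}: {1} is db_owner{2}" -f $db, $WorkingLogin, $note)
    }
}
```

Run the first part as the login that will drive the Enterprise Installer and the second part after installation; any database other than the Varonis databases (and tempdb, if the shrink option is on) in which VaronisOwner appears as db_owner is worth a look.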
5 VARONIS CHANGES TO THE SQL DATABASE
The Varonis Enterprise Installer makes the following changes to the SQL
database and database server:
It configures the Distributed Transaction Coordinator (DTC) service.
Local administrator permissions are required for this.
Changes to the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC\Security
NetworkDtcAccess set to 1
NetworkDtcAccessTransactions set to 1
NetworkDtcAccessInbound set to 1
NetworkDtcAccessOutbound set to 1
NetworkDtcAccessClients set to 1
HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC
TurnOffRpcSecurity set to 1
AllowOnlySecureRpcCalls set to 0
FallbackToUnsecureRPCIfNecessary set to 0
The first group of values enables network DTC access (inbound and outbound
transactions, and remote clients). The second group, taken together, is the
"No Authentication Required" setting for transaction manager communication in
Component Services: DTC will accept RPC calls from other transaction managers
without authenticating them. Where that is not acceptable, restrict reachability
of the DTC RPC endpoints (TCP 135 and the dynamic RPC port range) at the host
firewall to the DSP and Probe servers, and re-check these values after every
installation and upgrade.
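The DTC registry changes listed above can be audited on the SQL Server host with the following PowerShell script. This is an added example written for this page, not Varonis code. The "installer" column is taken from the list above; the "Windows default" column is the usual value on a Windows Server that has not had network DTC access enabled (an assumption to verify for your build), and the mode names are those shown on the Security tab of the Local DTC properties in Component Services.

```powershell
# Added example (not Varonis code): read the MSDTC values the Enterprise Installer
# sets and compare them with the value the installer writes and the usual Windows
# default (the default column is an assumption; confirm it for your OS build).
$securityKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'
$dtcKey      = 'HKLM:\SOFTWARE\Microsoft\MSDTC'

# "key|value name" -> @(value written by the installer, usual Windows default)
$expected = [ordered]@{
    "$securityKey|NetworkDtcAccess"             = @(1, 0)
    "$securityKey|NetworkDtcAccessTransactions" = @(1, 0)
    "$securityKey|NetworkDtcAccessInbound"      = @(1, 0)
    "$securityKey|NetworkDtcAccessOutbound"     = @(1, 0)
    "$securityKey|NetworkDtcAccessClients"      = @(1, 0)
    "$dtcKey|TurnOffRpcSecurity"                = @(1, 0)
    "$dtcKey|AllowOnlySecureRpcCalls"           = @(0, 1)
    "$dtcKey|FallbackToUnsecureRPCIfNecessary"  = @(0, 0)
}

function Get-DtcValue([string]$Key, [string]$Name) {
    # Returns $null when the value is absent; DTC then behaves as if the default applied.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$results = foreach ($entry in $expected.GetEnumerator()) {
    $key, $name         = $entry.Key -split '\|', 2
    $installed, $default = $entry.Value
    $actual = Get-DtcValue -Key $key -Name $name
    [pscustomobject]@{
        Value            = $name
        Actual           = $actual
        VaronisInstaller = $installed
        WindowsDefault   = $default
        MatchesInstaller = ($actual -eq $installed)
    }
}
$results | Format-Table -AutoSize

# The three RPC values together select the "Transaction Manager Communication" mode
# shown in Component Services (Local DTC > Properties > Security).
$rpcOff   = Get-DtcValue $dtcKey 'TurnOffRpcSecurity'
$onlySec  = Get-DtcValue $dtcKey 'AllowOnlySecureRpcCalls'
$fallback = Get-DtcValue $dtcKey 'FallbackToUnsecureRPCIfNecessary'
$mode = if ($rpcOff -eq 1)       { 'No Authentication Required' }
        elseif ($onlySec -eq 1)  { 'Mutual Authentication Required' }
        elseif ($fallback -eq 1) { 'Incoming Caller Authentication Required' }
        else                     { 'unrecognised combination' }
Write-Host "DTC transaction manager communication: $mode"
if ($mode -eq 'No Authentication Required') {
    Write-Warning 'Network DTC access is enabled without RPC authentication; limit TCP/135 and the DTC RPC port range to the DSP and Probe hosts.'
}
```

Run it elevated on each SQL Server that hosts Varonis databases; a row whose MatchesInstaller column is False after installation means something other than the Enterprise Installer has touched the value since.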
It adds the working SQL user (by default, named VaronisOwner) as the DB
owner on all Varonis databases.
It creates SQL links to other SQL Servers if any exist in the environment
(such as a remote Probe).
It creates the Varonis databases:
vrnsDomainDB for the main database
Varonis for each Probe
One database per file server, named according to the file server's name
One database per Active Directory container, the name of which is
selected by the customer
The structure of the databases includes thousands of tables, stored procedures,
functions, types, and so on, which are subject to change from version to version.
It uploads SQL CLR assemblies to the Varonis databases.
It enables the databases to access the file system, so that the amount of free disk
space can be checked on every database server on which Varonis databases are
installed, and users can be notified of low disk space. This can be disabled by
clearing the Allow check disk space option during installation (this option is found
on the DSP Server Selection page of the Enterprise Installer). If the option is
cleared, the Varonis databases are prohibited access to the file system; disk space
is not checked and no notification regarding available disk space is provided.
It implements the following on all related SQL Servers, in case the user decides to
periodically shrink the TempDB:
It creates the following stored procedures in the Master DB:
spVaronis_GrantTempDB_DBO
spVaronis_RevokeTempDB_DBO
It grants permanent system users db_owner permissions in the TempDB.
It adds the stored procedure spVaronis_GrantTempDB_DBO to the SQL
Server startup options.
It adds additional files to the TempDB on all related SQL Servers according to
the best practices formula, in case the user decides to split the TempDB files
into multiple data files.
It adds custom error messages to the SQL Server.
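The server-level changes listed in this chapter (startup procedures in master, linked servers, tempdb db_owner grants and extra data files, custom messages, and CLR assemblies) leave footprints that can be enumerated from the catalog views and kept as a post-install baseline. The following PowerShell script is an added example written for this page, not Varonis code; it assumes the SqlServer module, Windows authentication, and a placeholder instance name, and it reads everything through sys.* views without altering the server.

```powershell
# Added example (not Varonis code): enumerate the objects and settings this chapter
# says the Enterprise Installer creates, for review and baselining. Read-only.
param([string]$Instance = 'SQLHOST\INSTANCE')   # placeholder, replace with the DSP SQL instance
Import-Module SqlServer -ErrorAction Stop

function Query([string]$Sql, [string]$Database = 'master') {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $Sql
}

"== Server configuration relevant to CLR and file-system access =="
Query @"
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security', 'xp_cmdshell', 'Ole Automation Procedures');
"@ | Format-Table -AutoSize

"== Varonis stored procedures in master (is_auto_executed = 1 means startup procedure) =="
Query "SELECT name, is_auto_executed FROM sys.procedures WHERE name LIKE 'spVaronis%';" | Format-Table -AutoSize

"== All startup procedures in master (anything unexpected here deserves a look) =="
Query "SELECT name FROM sys.procedures WHERE is_auto_executed = 1;" | Format-Table -AutoSize

"== Linked servers (DB links to remote Probes) and their login mappings =="
Query @"
SELECT s.name, s.data_source, s.provider, ll.uses_self_credential, ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;
"@ | Format-Table -AutoSize

"== db_owner members in tempdb (granted for the shrink tempdb option) =="
Query -Database tempdb @"
SELECT u.name AS member, u.type_desc
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner';
"@ | Format-Table -AutoSize

"== tempdb data files (the installer may add files per the best-practice formula) =="
Query "SELECT name, physical_name, size * 8 / 1024 AS size_mb FROM tempdb.sys.database_files WHERE type_desc = 'ROWS';" | Format-Table -AutoSize

"== Custom (user-defined) error messages =="
Query "SELECT message_id, severity, text FROM sys.messages WHERE message_id > 50000 AND language_id = 1033;" | Format-Table -AutoSize

"== CLR assemblies per user database, with permission set and the TRUSTWORTHY flag =="
$dbs = Query "SELECT name, is_trustworthy_on FROM sys.databases WHERE database_id > 4 AND state_desc = 'ONLINE';"
foreach ($db in $dbs) {
    $asm = Query -Database $db.name "SELECT name, permission_set_desc FROM sys.assemblies WHERE is_user_defined = 1;"
    foreach ($a in $asm) {
        [pscustomobject]@{
            Database      = $db.name
            Trustworthy   = $db.is_trustworthy_on
            Assembly      = $a.name
            PermissionSet = $a.permission_set_desc   # SAFE, EXTERNAL_ACCESS or UNSAFE
        }
    }
}
```

Save the output after a clean install and diff it after each upgrade; the permission set of the CLR assemblies and the TRUSTWORTHY flag are the lines that most affect what code in the Varonis databases can reach outside SQL Server.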
For the Data Security Platform reports (which run on SQL Server Reporting Services):
It integrates the Varonis authentication mechanism into Reporting Services.
This includes copying DLLs to the Reporting server and altering the
configuration of the MS Reporting Service.
Files that are copied:
DataVantage.Reporting.SecurityExtensions.dll
Microsoft.Practices.EnterpriseLibrary.Common.dll
Microsoft.Practices.EnterpriseLibrary.Data.dll
Microsoft.Practices.EnterpriseLibrary.Logging.dll
Microsoft.Practices.EnterpriseLibrary.Security.dll
Microsoft.Practices.EnterpriseLibrary.Validation.dll
Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
Microsoft.Practices.EnterpriseLibrary.Validation.Integration.WCF.dll
Microsoft.Practices.ServiceLocation.dll
Microsoft.Practices.Unity.dll
Microsoft.Practices.Unity.Interception.dll
DataVantage.Reporting.ADExtendedProperties.dll
AdvancedSearch.BL.dll
AdvancedSearch.DAL.dll
ReportGroupParser.dll
NetApiWrapper.NetApiBase.dll
NetApiWrapper.Security.dll
varonis.dll
Varonis.Server.Contracts.dll
Varonis.SQL.Crypto.dll
Configuration files that are altered:
RSReportServer.config
rssrvpolicy.config
rsmgrpolicy.config
web.config
bin\ReportingServicesService.exe.config
It uploads Varonis reports to the Reporting server.
Local administrator permissions are required for this.
In addition, the Enterprise Installer verifies the configuration of the SQL Server, without
altering it. This requires registry access; Varonis therefore requires local administrator
permissions during installation and upgrade. The installer accesses the
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server key, to check the port on
which the SQL Server is configured, whether the user specified the correct
combination of port and instance name, and whether TCP/IP is enabled on the SQL
Server.
Finally, the Enterprise Installer starts the SQL Server agent, which is required for
report subscriptions.