You are a database developer and you have about two years experience in reating business Intelligence (BI) by using SQL Server2008.
Now you are employed in a company named NaproStar which uses SQL Server2008.
You work as the technical support. Now you are in charge of an instance of a SQL Server 2008 server.
You use the server to execute SQL Server 2008 Integration Services (SSIS) packages.
Now you get an e-mail from your company CIO, according to the requirement of the CIO, the server must only execute only correctly signed packages.
The company CIO assigns this task to you. So what should you do to achieve this goal? (Exhibit)
A.
On all packages, the package protection level should be set to DontSaveSensitive
B.
On all packages, the package protection level should be set to EncryptSensitiveWithPassword
C.
You should set the BlockedSignatureStates registry entry to Block invalid and untrusted signatures and unsigned packages
D.
Tthe BlockedSignatureStates registry entry should be set to NoAdministrativeRestriction
Explanation:
Signing Packages with Certificates
A SQL Server 2005 Integration Services (SSIS) package can be signed with a certificate and configured to require the runtime to check the signature before loading the package. The properties of the package, CheckSignatureOnLoad and CertificateObject, indicate whether a certificate must be checked, and specify the certificate that was used to sign the package. The certificate used to sign the package must be enabled for code signing.
Integration Services provides a registry value that you can use to manage an organization’s policy for loading signed and unsigned packages. The registry value can also manage untrusted signatures of signed packages. With regard to the status of signatures used to sign packages, the BlockedSignatureStates registry value uses the following definitions:
A valid signature is one that can be read successfully.
An invalid signature is one for which the decrypted checksum (the one-way hash of the package code encrypted by a private key) does not match the decrypted checksum that is calculated as part of the process of loading Integration Services packages.
A trusted signature is one that is created by using a digital certificate signed by a Trusted Root Certification Authority. This setting does not require the signer to be found in the user’s list of Trusted Publishers.
An untrusted signature is one that cannot be verified as issued by a Trusted Root Certification Authority, or a signature that is not current.
To use the registry value to prevent packages from loading if the packages are unsigned, or have invalid or untrusted signatures, you must add the BlockedSignatureStates DWORD value to the HKEY_LOCAL_MACHINESOFTWAREMicrosoftMSDTS registry key and specify the value 0, 1, 2, or 3.
The following table lists the valid values of the DWORD data and their associated policies.
