A policy can be enforced in one of four execution modes:
1. On Demand: The policy is executed directly by a user, under the user's security credentials.
2. On Change Prevent: Automated mode that uses DDL triggers to prevent a policy violation.
3. On Change Log Only: Automated mode that uses event notification to evaluate whether a change has occurred, and logs policy violations.
4. On Schedule: Automated mode that uses the SQL Server Agent to schedule and periodically evaluate a policy, and logs policy violations.
Policy-Based Management is stored in the msdb database, and the PolicyAdministratorRole role controls all policies on the SQL Server.
One of the predefined, disabled policies is the Surface Area Configuration for Database Engine Features. This policy uses the Surface Area Configuration facet that controls which features are enabled to reduce the surface area of the SQL Server.
The policy objects are located under the Management folder of the SQL Server 2008 Management Studio. Open the Policies folder and right-click the Surface Area Configuration for the Database Engine Features option. In this window, enable the policy, as it is disabled by default. Set an Execution Mode, a SQL Agent schedule (for On Schedule), and Server restrictions to filter the SQL Servers on which this policy runs, and then click OK.
For more detailed information, click Help for SQL Server 2008 Books Online. If you want to change a condition from False to True for the policy, go to the Management folder, open the Conditions folder, and right-click the Surface Area Configuration for the Database Engine Features condition, as shown in Figure 1-1. The Facet Properties window is shown in Figure 1-2.
As part of upgrading to SQL Server 2008, you should evaluate whether features that you have installed should be turned on or off. This will help reduce your area of exposure to potential threats, both external and internal.
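The same review can be done from a query window. The following T-SQL is an added example, not part of the original post: it reads the policy's enabled state and execution mode from the msdb policy views, then lists the running values of the Database Engine features covered by the Surface Area Configuration facet. The `LIKE` pattern on the policy name and the choice of `sys.configurations` options are assumptions; adjust them to your instance.

```sql
-- Added example: read-only checks, nothing is changed on the server.

-- 1) Is the Surface Area Configuration policy enabled, and in which mode?
--    execution_mode values as documented for msdb.dbo.syspolicy_policies:
--    0 = On Demand, 1 = On Change Prevent, 2 = On Change Log Only, 4 = On Schedule.
SELECT  p.name        AS policy_name,
        p.is_enabled,
        CASE p.execution_mode
            WHEN 0 THEN 'On Demand'
            WHEN 1 THEN 'On Change Prevent'
            WHEN 2 THEN 'On Change Log Only'
            WHEN 4 THEN 'On Schedule'
            ELSE 'Unknown (' + CAST(p.execution_mode AS varchar(10)) + ')'
        END           AS execution_mode,
        c.name        AS condition_name,
        c.facet       AS facet_name
FROM    msdb.dbo.syspolicy_policies   AS p
JOIN    msdb.dbo.syspolicy_conditions AS c
        ON c.condition_id = p.condition_id
WHERE   p.name LIKE N'Surface Area Configuration%'   -- assumed name pattern
ORDER BY p.name;

-- 2) Current state of the features the facet controls.
--    value_in_use is the running value; 1 means the feature is turned on.
SELECT  name                       AS feature_option,
        CAST(value_in_use AS int)  AS running_value,
        CASE CAST(value_in_use AS int)
            WHEN 0 THEN 'off'
            ELSE 'ON - confirm this feature is actually needed'
        END                        AS review_note
FROM    sys.configurations
WHERE   name IN (N'Ad Hoc Distributed Queries',
                 N'clr enabled',
                 N'Database Mail XPs',
                 N'Ole Automation Procedures',
                 N'remote admin connections',
                 N'SQL Mail XPs',
                 N'xp_cmdshell')
ORDER BY name;
```

If the first query returns no rows, the policy has not been imported or is named differently on that instance; remove the `WHERE` clause to list every policy.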

