November 29, 2004 at 11:14 am
I have been asked to come up with a list of requirements for database security scanning software. I'm wondering what people think might be useful as requirements for scanning software. Here are a few requirements I have quickly come up with. I'm wondering what else might be good requirements.
Requirements:
- Identify logins that have not changed their password for 60 days
- Identify logins that have not logged into SQL Server for 6 months.
- Produce a report of SQL Server access rights by login/database user.
- Identify if SQL Server is up to the current patch level
Gregory A. Larsen, MVP
November 29, 2004 at 12:27 pm
Other suggestions:
1. NULL passwords
2. Passwords < X number of characters
3. Passwords that match logins
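The checks in the opening post's list and the three password checks in the reply above, as one added T-SQL audit script that is not from the thread or any of the tools named in it. It assumes SQL Server 2005 or later (sys.sql_logins, LOGINPROPERTY, PWDCOMPARE) and a sysadmin connection. Two of the requirements cannot be answered from the catalog alone: SQL Server keeps no last-login timestamp, so that check reads a hypothetical dbo.LoginAudit table (assumed to be fed by a logon trigger or SQL Server Audit), and a password's length cannot be read back from its hash, so the "shorter than X characters" check is replaced by confirming that the Windows password policy (which enforces minimum length) is applied to each login. The expected build number for the patch-level check is a placeholder to be filled in per environment.

```sql
-- Added example, not from the thread. Assumes SQL Server 2005+ and sysadmin rights.
SET NOCOUNT ON;

DECLARE @PasswordMaxAgeDays int = 60;       -- requirement from the opening post
DECLARE @InactivityMonths   int = 6;        -- requirement from the opening post
DECLARE @ExpectedBuild      nvarchar(32) = N'<EXPECTED_PRODUCT_VERSION>'; -- placeholder

-- 1. SQL logins whose password has not been changed in @PasswordMaxAgeDays.
SELECT 'password_older_than_limit' AS finding, name AS login_name,
       CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS datetime) AS password_last_set
FROM sys.sql_logins
WHERE is_disabled = 0
  AND CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS datetime)
      < DATEADD(day, -@PasswordMaxAgeDays, GETDATE());

-- 2. Weak passwords. PWDCOMPARE only tests a candidate against the stored hash,
--    so nothing is recovered; it answers yes/no for blank and login-name passwords.
SELECT 'blank_password' AS finding, name AS login_name
FROM sys.sql_logins WHERE PWDCOMPARE('', password_hash) = 1
UNION ALL
SELECT 'password_equals_login_name', name
FROM sys.sql_logins WHERE PWDCOMPARE(name, password_hash) = 1
UNION ALL
-- Length cannot be derived from the hash; instead flag logins that are exempt
-- from the Windows password policy (which carries the minimum-length rule).
SELECT 'password_policy_not_enforced', name
FROM sys.sql_logins WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 3. Logins with no successful login in @InactivityMonths.
--    dbo.LoginAudit(login_name sysname, login_time datetime) is an ASSUMED table,
--    populated by a logon trigger or SQL Server Audit; adjust to your audit source.
IF OBJECT_ID('dbo.LoginAudit') IS NOT NULL
    SELECT 'inactive_login' AS finding, sp.name AS login_name, MAX(a.login_time) AS last_login
    FROM sys.server_principals sp
    LEFT JOIN dbo.LoginAudit a ON a.login_name = sp.name
    WHERE sp.type IN ('S', 'U') AND sp.is_disabled = 0
    GROUP BY sp.name
    HAVING MAX(a.login_time) IS NULL
        OR MAX(a.login_time) < DATEADD(month, -@InactivityMonths, GETDATE());

-- 4a. Server-level access rights: fixed server role membership per login.
SELECT 'server_role_member' AS finding, sp.name AS login_name, r.name AS role_name
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id;

-- 4b. Database-level access rights: every user in every online database,
--     mapped back to its login by SID, with its database role memberships.
IF OBJECT_ID('tempdb..#db_access') IS NOT NULL DROP TABLE #db_access;
CREATE TABLE #db_access (
    database_name sysname, login_name sysname NULL, user_name sysname, role_name sysname NULL);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #db_access (database_name, login_name, user_name, role_name)
        SELECT DB_NAME(), sp.name, dp.name, r.name
        FROM sys.database_principals dp
        LEFT JOIN sys.server_principals sp     ON sp.sid = dp.sid
        LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
        LEFT JOIN sys.database_principals r    ON r.principal_id = rm.role_principal_id
        WHERE dp.type IN (''S'', ''U'', ''G'')          -- SQL user, Windows user, Windows group
          AND dp.name NOT IN (''INFORMATION_SCHEMA'', ''sys'');';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

SELECT 'database_access' AS finding, * FROM #db_access
ORDER BY database_name, user_name, role_name;

-- 5. Patch level: compare the running build with the build you expect to be current.
SELECT 'patch_level' AS finding,
       CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS product_version,
       CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(32)) AS product_level,
       CASE WHEN CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) = @ExpectedBuild
            THEN 'current' ELSE 'CHECK - differs from expected build' END AS status;
```

Each result set carries a `finding` column so the output can be appended to a table on every run and diffed between runs, which is the "track changes over time" property Julian describes for the Microsoft tools later in the thread. Orphaned database users (rows in the 4b result with a NULL `login_name`) are worth reviewing as well: they hold rights in a database with no matching server login.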
November 29, 2004 at 2:37 pm
Thank you for those. I'm sure there must be a number of other requirements. Is anyone actually using any tools (canned or homegrown) to scan SQL Server for security risks?
Gregory A. Larsen, MVP
November 29, 2004 at 11:26 pm
Use the Microsoft SQL Server Best Practises Analyser and Microsoft Baseline Security Analyser tools. Highly configurable, and they can be run over and over a server (or number of servers) and you can track changes as well, to make sure you are improving your security.
Microsoft SQL Server Best Practises Analyser:
Microsoft Baseline Security Analyzer:
Julian Kuiters
juliankuiters.id.au
November 30, 2004 at 7:54 am
Julian, thanks for the tips on the free products from Microsoft. Is anyone using any third-party products?
Gregory A. Larsen, MVP
November 30, 2004 at 9:29 am
The best third-party tool out there is AppDetective. It is offered as a free trial download for 30 days at http://www.appsecinc.com. If you saw, it even got this year's Readers' Choice Award for Best SQL Server Security Tool!
Highly recommend this!
November 30, 2004 at 1:28 pm
There are 2 additional products I use in conjunction with MS Baseline Analyzer.
1. Hyena, which is great for any admin responsible for scanning. http://www.systemtools.com
2. NetIQ Security Manager which will show all vulnerabilities. http://www.netiq.com/products/sm/default.asp
December 1, 2004 at 2:11 am
I evaluated NGSSquirrel from NGSSoftware a couple of years ago; take a look here: http://www.nextgenss.com/squirrelsql.htm.
What I liked the most about it was that it not only was able to find scores of security holes, but also provided scripts for fixing most of them.
December 1, 2004 at 9:47 am
I also tried NGSSQuirreL, but it could give me what AppDetective could. And from what I heard AppDetective 5.0 will be coming out with some built-in scripts and the ability to write our own in.
December 1, 2004 at 11:38 am
Thanks for all your suggestions so far. Do any of you have any security scanning requirements you used to measure whether one tool was better than the other?
Gregory A. Larsen, MVP
December 1, 2004 at 12:41 pm
You can check out the SQLSecurity.com Checklist at: http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=24