When I heard about DbSecure's SQL Auditor in September 1998, I downloaded the beta and was really impressed. Here was a utility that essentially performed a security audit on individual servers and their databases. I couldn't believe the holes SQL Auditor uncovered—not only on my development servers but also on servers at a client's site. Although I'm not a card-carrying member of Paranoids Anonymous, I do consider myself security conscious, so I was chagrined to learn that I had missed some basic things. After I did the inevitable soul searching ("How could I have missed this?"), I realized I probably wasn't alone.
In December 1998, Internet Security Systems (ISS) announced its version of SQL Auditor based on technology it acquired from DbSecure. ISS renamed the product Database Scanner and shipped version 2.0 in February, leaving SQL Server 6.x support unchanged but adding support for Sybase Adaptive Server. ISS expected to ship a new version of Database Scanner for SQL Server 7.0 in first quarter 1999, but as of press time, the product still hadn't shipped. ISS also offers SAFEsuite, a family of vulnerability- and intrusion-detection products; SAFEsuite's Internet Scanner particularly impresses me.
In addition, ISS hosts the extremely useful ntsecurity newsgroup. To subscribe to the daily digest version, include "subscribe ntsecurity-digest" in the body of a mail message to firstname.lastname@example.org. In SQL Server 7.0, Microsoft replaced SQL Server 6.x's three security modes—integrated, standard, and mixed—with Windows NT-only authentication or combined SQL Server and NT login authentication. NT-only authentication corresponds to integrated security, and SQL Server and NT login authentication corresponds to mixed security. Windows 9x users will have to use mixed security, which corresponds to SQL Server 6.5's mixed-security mode.
Other changes include new server and database roles and a lot of hole-closing related to the default systems administrator (sa) login. Because the sa is a special login that exists mainly for backward compatibility with all earlier versions of SQL Server, you will always get an sa login after installing SQL Server without a password. You cannot change or delete the sa, but you need to set up an sa password. If you don't replace the empty password with one of your own, someone familar with SQL Server could sign on as the sa and gain illegal access to your server. You can manage logins by right clicking Logins, which takes you to the enterprise Manager's Security folder.
SQL Server 6.x has several vulnerabilities. You can't enforce strong passwords or set up automatic password expiration. The software offers no way to identify old and unused logins (ISS calls them stale logins), nor does it warn the sa about password attacks. SQL Server 6.x stores the login and password you use for server registration in plain view (i.e., in Enterprise Manager—EM—in the HKEY_CURRENT_USER\Software\ Microsoft\MSSQLServer\SQLEW\ Registered Servers\ SQL 6.5 Registry key). A lack of referential integrity between master syslogins and individual databases' sysusers tables is also not uncommon. (If you drop a login without dropping a user or restore a database with a different set of users, you might get orphan user accounts or mismatched login and usernames.)
Database Scanner includes a dictionary of over 30,000 easily guessed passwords; these passwords will surprise many database administrators (DBAs) because a large percentage of their users probably use them. The password tools are worth their weight in gold. Database Scanner offers several versions if its password dictionary (e.g., full, faster, names-only). The program encourages you to add entries—for example, company- or location-specific passwords—to any or all of the dictionaries.
In addition to strong authentication-checking features, Database Scanner helps you manage remote logins, establish allowed login hours, and report on permissions for any database objects, including stored (and extended stored) procedures. The extended stored procedure xp_cmdshell represents a particularly nasty security hole, and several other extended stored procedures let users write to the NT Registry.
After you've gone through the initial security audit, you're probably going to want to use the Policy Editor to create and implement authentication, authorization, system security, and Year 2000 (Y2K)-compliance policies. Yes, Database Scanner can report on Y2K compliance in stored procedures and table data. Also, the basic configuration audit will check for the existence of potentially damaging backdoor functions associated with replication, mail, direct updates, login auditing, startup stored procedures, or Web tasks, and the audit will list NT files that give full control to the Everyone group. An audit will also reveal Trojan horses (i.e., standard system-stored procedures that have changed from their original states). Database Scanner also tracks the current positioning of hotfixes and service packs on servers, and informs customers when they need to install certain patches.
Database Scanner has an intuitive, easy-to-use GUI and comes with nearly 30 built-in reports:
|Active Logins |
Encrypted Object Analysis
Explicit Object Permissions
Explicit User Permissions
Extended Stored Procedures
|Login Attacks |
Logon Hours Violations
Modified System Stored Procedures
Password Strength Analysis
Summary of Violations
System Integrity Settings
Unauthorized Object Owners
Windows NT File Rights
Y2K Data Compliance
Y2K Procedures Compliance
Some of the reports display results graphically; many offer specific suggestions for corrective action. The late beta version that I used included a 100-page manual (also available online as a Portable Document Format—PDF—file). You can also choose from nearly a dozen free downloadable white papers at http://www.iss.net/prod/ whitepapers/index.php3. DBAs will find "Securing Microsoft SQL Server" and "Is Your Microsoft SQL Server Y2K Compliant?" especially useful.
|Database Scanner 2.0|
| Contact: ISS * 678-443-6000|