Database Scanner 3.0.1

Running a password check on my system returned the following. The graph tab would have shown a bar graph breaking down the number of logins by category. One "feature oversight" appears here: the test login showed as a weak password. It is a weak password, but it was incorrectly classified; it should have been classified as being the same as the account. Database Scanner currently evaluates in the following order: null password, dictionary, same as login. A password that is the same as its login is a more serious violation than one that simply appears in the scan dictionary. ISS is working on a fix so that the more serious violation is the one reported.

[Image: dbscanner301-17.gif]
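As an added example (not code from this review or from ISS), here is a small password-audit classifier that reproduces the evaluation order described above and shows the fix of reporting the most severe finding rather than the first one that fires. The login data and scan dictionary are constructed, and the case-insensitive comparison is an assumption of the example.

```python
from enum import IntEnum


class Finding(IntEnum):
    """Password-audit findings, ordered by severity (higher is worse)."""
    OK = 0
    DICTIONARY = 1     # password appears in the scan dictionary
    SAME_AS_LOGIN = 2  # password equals the login name; worse than a dictionary hit
    NULL_PASSWORD = 3  # blank password


# Constructed sample data: a few logins with plaintext passwords (as an audit
# harness would hold them) and a tiny scan dictionary.
SAMPLE_LOGINS = {"sa": "", "test": "test", "report": "password1", "app": "Xr7!pq2Lm"}
SCAN_DICTIONARY = {"test", "password", "password1", "admin"}

# Checks in the order the review says Database Scanner 3.0.1 applies them.
# Comparisons are case-insensitive here; that is an assumption of this example.
CHECKS = [
    (Finding.NULL_PASSWORD, lambda login, pw, words: pw == ""),
    (Finding.DICTIONARY, lambda login, pw, words: pw.lower() in words),
    (Finding.SAME_AS_LOGIN, lambda login, pw, words: pw.lower() == login.lower()),
]


def classify_first_match(login, password, dictionary):
    """Behaviour described in the review: stop at the first check that fires,
    so test/test is reported as a dictionary word, not as same-as-login."""
    for finding, check in CHECKS:
        if check(login, password, dictionary):
            return finding
    return Finding.OK


def classify_most_severe(login, password, dictionary):
    """Fix: run every check and report the highest-severity finding, which
    makes the result independent of the order the checks are listed in."""
    hits = [finding for finding, check in CHECKS if check(login, password, dictionary)]
    return max(hits, default=Finding.OK)


def audit(logins, dictionary, classify=classify_most_severe):
    """Classify every login and return {login: Finding}."""
    return {login: classify(login, pw, dictionary) for login, pw in logins.items()}


if __name__ == "__main__":
    for name, classify in (("first match", classify_first_match), ("most severe", classify_most_severe)):
        print(name, {k: v.name for k, v in audit(SAMPLE_LOGINS, SCAN_DICTIONARY, classify).items()})
```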

As a whole, the default settings for OS level items are accurate. The default settings for database items need work. There is one paradox to Database Scanner. Some of the information is gathered from the registry. This can be done using either extended stored procedures or the Win32 API, with extended stored procedures being the default. A maximum security policy tells you by default to remove all registry extended stored procedures along with just about all of the rest. This would break the ability of Database Scanner to evaluate your security policy. Also, if I'm going to remove the registry extended procedures along with xp_cmdshell and a host of other extended stored procedures while only having the ability to log in to the SQL Server as sa, then how could I possibly run Win32 API calls? If I set up the maximum security policy, then I lose the ability of Database Scanner to accurately evaluate whether I am in compliance with it. Database Scanner can still function in an environment that has implemented maximum security. However, anyone performing scans will then need to be at least a local administrator on the SQL Server so that the scanner can execute Win32 API calls using their security credentials.

Overall, Database Scanner is a good tool. While it takes a lot of setup and relies on output that you have to scan manually, it accurately does the job it sets out to do. I would recommend using it to help you manage your security. However, it is rough around the edges. Significant enhancements are needed to make it a solid, easy-to-use product that can add significant value to your environment. The biggest of these is the ability to granularly schedule scans against multiple servers from an intuitive graphical interface. The other feature that would be nice is the ability to proactively manage security and have it automatically take predefined actions based upon violation thresholds.

There are several features that could use improvement, and I'm certain we'll see significant updates in the near future. SQL Server 7.0 support is "sort of" there, and I'm sure it will see a full implementation in a future version. Even being rough around the edges, on a scale of 1 to 10 I'd give Database Scanner a 7. If I could have easily scheduled scans to catch things that can only be found via an active scan, it would have gotten a 9. I'd rate this one a strong buy consideration for your environment. If nothing else, it is worth the price just for the security education.

Internet Security Systems produces an award-winning security suite for managing security settings across the enterprise. Their website offers not only product overviews and evaluation copies but also several well-written security whitepapers.

Database Scanner is produced by Internet Security Systems.  As of the writing of this review, the price for a single copy was $1995.

Michael R. Hotek

All content on this site, except where noted, represents an original work of Michael R. Hotek and is protected by applicable copyright laws. The SQL Server FAQ is the sole work of Neil Pike. No page, portion of a page, or download may be used for commercial purposes in whole or in part without the express, written permission of the applicable author.