Database Scanner 3.0.1

Selecting the Maximum policy and clicking the Open button displays the policy as shown below.  As you will see throughout this review, many of the security features implemented here have no native equivalent in SQL Server, and Database Scanner can be used to fill in those gaps.  The first thing that can be accomplished is testing the strength of the passwords used on your system; several dictionaries are available for this.  Database Scanner contains algorithms that allow it to decrypt the passwords and compare them to standard dictionary sets to test their strength.  This is all done securely, and no password is ever uncovered for a hacker to get at.  Database Scanner can also scan for password age to help you enforce password changes; it does this by running a comparison from one scan to the next.  Neither capability exists within SQL Server, so this provides a security feature that many have been looking for.
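The "comparison from one scan to the next" is the only way a scanner can learn password age on a server that does not record it. The following added example (my illustration, not code from Database Scanner or ISS) shows the technique: each scan records only a digest of the stored password hash per login, never the password, and the date a digest was first seen to differ is treated as the change date. The login names and hash bytes are constructed placeholders, not real SQL Server hashes.

```python
import hashlib
from datetime import date

def fingerprint(stored_hash):
    """Digest of the stored password hash bytes. The scan history keeps only
    this digest, so it reveals nothing about the password itself."""
    return hashlib.sha256(stored_hash).hexdigest()

def record_scan(history, scan_date, logins):
    """Fold one scan into the history.

    history: {login: {"fp": digest, "changed": date}}
    logins:  iterable of (login_name, stored_hash_bytes) as read on scan_date
    """
    for login, stored in logins:
        fp = fingerprint(stored)
        entry = history.get(login)
        if entry is None:
            # First sighting: all we know is the password is no older than this scan.
            history[login] = {"fp": fp, "changed": scan_date}
        elif entry["fp"] != fp:
            # Hash differs from last scan, so the password changed in between.
            entry["fp"] = fp
            entry["changed"] = scan_date
    return history

def stale_passwords(history, as_of, max_age_days):
    """Logins whose last observed change is older than max_age_days."""
    return sorted(login for login, e in history.items()
                  if (as_of - e["changed"]).days > max_age_days)

# Constructed scans: two logins, one of which changes its password between scans.
SCAN_1 = [("sa", b"\x01\x00" + b"\xaa" * 14), ("reports", b"\x01\x00" + b"\xbb" * 14)]
SCAN_2 = [("sa", b"\x01\x00" + b"\xaa" * 14), ("reports", b"\x01\x00" + b"\xcc" * 14)]

def demo():
    history = {}
    record_scan(history, date(2003, 7, 1), SCAN_1)
    record_scan(history, date(2003, 9, 1), SCAN_2)
    return stale_passwords(history, as_of=date(2003, 10, 15), max_age_days=90)

if __name__ == "__main__":
    print(demo())  # ['sa']
```

Two limits follow directly from the design: the first scan can only bound the age from above, and a password changed twice between two scans registers as one change. Both are why scan frequency matters for this kind of check.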

[Figure: dbscanner301-03.gif]

One other thing to be aware of throughout this review is that while a lot of additional capabilities do exist, they are what I would call placeholders at this point.  The functionality is there, but it can't be truly used without future enhancements to Database Scanner.  Others rely on settings already being enabled on the server before they can detect what they need.  The Login IDs can be scanned against a variety of settings.  Showing 3 failed logins in a minute is a misnomer.  Database Scanner does not run as a service and does not do periodic security checks; it is a manually initiated process.  The only way it can show 3 failed logins in a minute as an attack is if you have already enabled login auditing on the SQL Server.  (You should have this on.)  Stale logins are one of those features where the skeleton is there, but it really isn't useful at this point.  This can only be gathered through sp_who and is very transitory.  Since Database Scanner is a manual process, it is very unlikely that you would be able to detect this accurately.  Since you cannot disable this option, I set it to as high a value as possible, which means it probably won't be encountered in my lifetime or before ISS adds the ability to run Database Scanner on a scheduled basis.  The same goes for concurrent sa connections.
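The "3 failed logins in a minute" check depends entirely on login auditing having written failure entries to the SQL Server error log. As an added example (mine, not Database Scanner's code), the script below reads such entries and flags any login with three failures inside a one-minute sliding window, which is what a scheduled pass over the log would have to do. The log lines are constructed in the style of SQL Server's "Login failed for user" error log entries, not captured from a real server.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample in the style of a SQL Server error log with login
# auditing set to record failures. Not taken from a real server.
SAMPLE_LOG = """\
2003-08-01 09:14:02.11 logon     Login failed for user 'sa'.
2003-08-01 09:14:05.63 logon     Login failed for user 'sa'.
2003-08-01 09:14:09.02 logon     Login failed for user 'sa'.
2003-08-01 09:20:41.88 logon     Login failed for user 'reports'.
2003-08-01 09:31:15.40 logon     Login failed for user 'reports'.
2003-08-01 09:45:00.17 logon     Login failed for user 'reports'.
2003-08-01 09:45:01.00 spid51    Starting up database 'pubs'.
"""

# Timestamp, source column, then the failure message with the login in quotes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+"
    r"Login failed for user '(?P<login>[^']*)'"
)

def parse_failed_logins(text):
    """Yield (timestamp, login) for every failed-login entry; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("login")

def find_bursts(text, threshold=3, window=timedelta(minutes=1)):
    """Return {login: [time of the failure that completed each burst]}.

    A burst is `threshold` failures for one login whose timestamps all fall
    within `window`. The per-login deque holds only the failures still inside
    the window, so a slow trickle of failures never triggers it.
    """
    recent = {}
    bursts = {}
    for ts, login in parse_failed_logins(text):
        q = recent.setdefault(login, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            bursts.setdefault(login, []).append(ts)
            q.clear()  # count the next burst from scratch
    return bursts

if __name__ == "__main__":
    for login, times in find_bursts(SAMPLE_LOG).items():
        print(login, [t.strftime("%H:%M:%S") for t in times])  # sa ['09:14:09']
```

With auditing off the log carries no failure entries at all, and the function returns an empty dictionary regardless of how many bad logins actually occurred, which is exactly the gap the review points out.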

Note: You do have the ability to run Database Scanner from a command prompt.  This would let you add it to the Microsoft Task Scheduler or run it under AT to accomplish periodic scans.  I don't particularly like that implementation: I can only run a scan for an entire policy instead of having granular control, and it requires me to hard-code my sa password into the command line, which I really don't like.  It is a tiny step forward from a fully manual process, but it has a long way to go yet.

[Figure: dbscanner301-04.gif]


Michael R. Hotek

All content on this site, except where noted, represents an original work of Michael R. Hotek and is protected by applicable copyright laws. The SQL Server FAQ is the sole work of Neil Pike. No page, portion of a page, or download may be used for commercial purposes in whole or in part without the express, written permission of the applicable author.