Set and enforce security policies

Database Scanner 4.0.1 from Internet Security Systems (ISS) is a must-have for any DBA responsible for security. Database Scanner lets you set security policies on your SQL Server 7.0 and 6.x systems, then lets you audit your systems to see whether you're complying with those policies. (The product doesn't yet support SQL Server 2000.) You can also use the security-scanning and risk-assessment tool to perform password-penetration tests, which probe your database from outside the network to determine whether users are specifying easy-to-guess passwords or aren't using a password at all. With the information Database Scanner provides, you can make sure your database is secure.

You install Database Scanner on a Windows 2000 Professional or Windows NT client; you don't install any Database Scanner software on the SQL Server system that you want to scan. Because the tool performs its analysis from the scanning workstation, it leaves no footprint on the server. And because Database Scanner doesn't require any server software, it's ideal for contractors or auditors who need to quickly examine a database server's security. The contractor can simply install Database Scanner on a laptop, plug the laptop into the network, and instruct the product to scan the domain for any SQL Server systems on the network. (The contractor needs an administrator login to fully scan the database.) When Database Scanner finds a SQL Server system, it can run various tests against that server.

Getting Started

You install two Database Scanner programs: the core Database Scanner Client, which is a simple GUI, and the X-Press Update Install program. The X-Press Update Install program automatically scans the ISS Web site or a network drive for announcements about new SQL Server security problems that you need to guard against. Armed with this information, you can keep your security plan up-to-date and foil the latest intruder techniques.

After you register Database Scanner and set the program to use live data (under the Sample Data tab in the Options menu), you're ready to define your security policy. The tool provides three built-in customizable security policies—Secure, Confidential, and Top Secret—or you can create a policy from scratch. A security policy includes authentication checks for such vulnerabilities as stale login IDs, weak passwords, and excessive administrative actions; authorization checks for login hours violations, account permissions, and so on; and system integrity checks for such problems as Trojan horses and excessive resource usage.

Figure 1 shows the Security Policy Editor, which lets you select which rules to include in your policy. The right pane describes the security problem the check protects against. I found that in some cases, Database Scanner's predefined security policies, such as recommended file permissions, are too restrictive for certain environments, even at the medium level. In those cases, you must find a level of risk you're willing to take with your data. You can modify the security policies to better meet your needs by using Database Scanner's Set Security Policy editor.

When you have your security policy set up, you can perform an in-depth Full Audit Scan of the database from the client workstation. A scan is very processor-intensive on the client side. The scan I performed used close to 100 percent of my laptop's CPU during the entire scan. The scan takes about 4 to 10 minutes, depending on your network connectivity, to find violations in the policies you've set up. Although the client performs much of the analysis, make sure you perform your scans during off-peak hours. Database Scanner does consume between 5 percent and 10 percent of your server CPU as it combs through your server looking for information that might point to security problems.

Besides using Database Scanner to scan a database server, you can use the product to perform penetration tests, in which the tool tries to gain unauthorized access to your server. Database Scanner uses a dictionary attack, in which a client attempts to log in to a SQL Server system as the systems administrator (sa) and probe accounts by trying every word in the dictionary as the password. Database Scanner lets you choose whether to use a smaller list of dictionary words or a larger list. Of course, the larger list improves your odds of cracking the sa password. Both versions of the dictionary attack append numbers to commonly used words, as do many users when they create their passwords. Database Scanner can also use external dictionaries to test the password strength of your database server. If Database Scanner does access your SQL Server system, it performs a database scan to find other security violations.

In the full scan, Database Scanner performs a Password Strength Test, but you can also run the Password Strength Test separately from the full scan. The Password Strength Test reports which user accounts have strong, weak, or no passwords and which user accounts' passwords are the same as their usernames. The report doesn't tell you the passwords; it simply identifies accounts whose passwords are vulnerable. If you run this test and monitor login failures on your server (as you should), make sure your NT Application log is large enough to handle a few thousand "Login failed for user 'sa'" errors. You could always turn off auditing, but then your test wouldn't tell you anything about your capacity to log these types of attacks.
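The flood of failed-login events described above is also what a real guessing attack looks like, so the audit log should be checked for it. As an added example (not part of the review or of ISS's product), here is a small Python check over a constructed export of Application-log lines that flags logins with a burst of failures inside a sliding time window; the line format is an assumption, adjust the regular expression to match your own log export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of exported Application-log lines (not captured data):
# 60 failed 'sa' logins within two minutes, plus one stray failure for 'bob'.
BASE = datetime(2001, 3, 12, 22, 0, 0)
SAMPLE_LOG = [
    f"{(BASE + timedelta(seconds=2 * i)):%Y-%m-%d %H:%M:%S} MSSQLServer "
    "Login failed for user 'sa'."
    for i in range(60)
] + ["2001-03-12 22:30:00 MSSQLServer Login failed for user 'bob'."]

# Assumed export layout: "<date> <time> <source> Login failed for user '<name>'."
FAILED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) MSSQLServer "
    r"Login failed for user '([^']*)'\.$"
)


def parse_failures(lines):
    """Yield (timestamp, login name) for each failed-login line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def failure_bursts(lines, window=timedelta(minutes=5), threshold=50):
    """Return {login: peak failures within any `window`} for logins whose
    peak reaches `threshold`. One sliding window per login, so the lines
    must be in chronological order (as an exported event log is)."""
    recent = defaultdict(deque)   # login -> timestamps inside the current window
    peak = defaultdict(int)
    for ts, user in parse_failures(lines):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return {user: n for user, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for user, n in failure_bursts(SAMPLE_LOG).items():
        print(f"{user}: {n} failed logins within 5 minutes (scanner run or guessing attack)")
```

If the check comes back empty right after a Password Strength Test, the log was either too small to hold the burst or auditing of failed logins is off.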

After Database Scanner performs its scans and tests, you can use the tool to generate comprehensive reports about your server's security problems. You'll stay busy for weeks investigating and fixing everything you learn from these reports. Database Scanner lets you output reports in Crystal Reports format, which is understandable enough to hand directly to a client. Although the reports' content and presentation are excellent, the GUI that you use to create the reports isn't intuitive; nothing on the screen tells you what to do next.

The GUI, which Figure 2 shows, lets you select the reports you want to output and lets you specify that a report—for example, Database Summary—cover a particular database rather than every database on your server. You can select whether you want the reports output to a printer, a file, or your screen. If you save the reports to file rather than print them to paper, you can save the reports as Microsoft Excel, Microsoft Word, HTML, text, or Crystal Reports files. You can print all the reports or just the ones you want; note that if you print all the reports, you're looking at a few hundred pages of paper. After you select the reports you want to output, the GUI generates a file. However, the GUI doesn't let you combine all the reports into a single file. If you choose to print the files, the GUI generates one printer job for each report.

Database Scanner archives all test results in a Microsoft Access database on the client workstation so that you can view and track improvements in your security implementation. You need to compact the Access database occasionally, and Database Scanner provides an automated way to do this task through the Maintenance tab on the Options menu.

Make Your Server a Stronghold

Security violations usually occur on improperly configured servers or networks or on servers or networks with unenforced security policies—or no security policies at all. Database Scanner helps you avoid such problems. The tool finds improper configurations and helps you establish and enforce any level of security you want. Not only does Database Scanner find the security holes in your SQL Server systems, but it uses its reports to explain how to fix the holes.

I thought I was security-minded, but Database Scanner proved me wrong. On my server, Database Scanner found several passwords in clear text and several other passwords that the product easily cracked. The tool also provides reports showing orphaned User IDs (UIDs) and stale logins (logins that haven't been used in a long time and that you can probably delete). Database Scanner finds registry entries that contain passwords and checks the file permissions on your files to make sure they're secure. The tool also summarizes each database's configuration and size and performs a trend analysis of your security policies to show whether anyone has repaired the reported security violations since the tool produced a given report.

Pricing for Database Scanner begins at $995 per server. You must have a license for every server you want to scan with Database Scanner, and in some parts of the application, such as the penetration test, the server name is case-sensitive. If you don't enter the server name in the exact case you used when you entered the name in the license screen, the program returns an error saying that you don't have the appropriate number of licenses, which can get annoying. ISS says that the next version of Database Scanner, 4.1, will support SQL Server 2000. The upgrade to the new version, which ISS says will be available this month, is free for current Database Scanner customers who have maintenance contracts.

Database Scanner can help you replace a high-priced security consultant or help you become a better, more efficient consultant or security administrator yourself. Although the GUI isn't always easy to use, I believe the ISS programmers spent their time programming the right thing: a killer security-scanning application that is never out-of-date.

CONTACT INFORMATION
Product: Database Scanner 4.0.1
Contact: Internet Security Systems * 888-901-7477
Web: http://www.iss.net
Price: Starts at $995 per server
Decision Summary
Pros: Generates comprehensive security reports; performs trend analysis
Cons: GUI isn't intuitive