
What is the assessment of SQL Server database vulnerabilities?

2025-04-05 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

In this issue we look at the SQL Server Vulnerability Assessment feature: what it checks, how to run it from SQL Server Management Studio, how to read and remediate its findings, and how to baseline results you have decided to accept.

SQL Vulnerability Assessment (VA) ships with SQL Server Management Studio (SSMS) 17.4 and later. It scans a database for potential security weaknesses and can be run against SQL Server 2012 or later. If you are not yet on a recent version of SSMS, you can download it here.

Any kind of scan against a database is a concern, because the performance impact can really ruin your day. Fortunately, VA is lightweight: it runs a set of read-only catalog queries and does not noticeably affect workload, while still digging into where the security of the instance can be improved. The checks are driven by a built-in knowledge base of rules that look for deviations from Microsoft best practices, which in turn map onto common data-privacy and compliance requirements.

Hands-on walkthrough

To run an assessment, right-click the database you want to scan in Object Explorer and choose Tasks. There you will find the Vulnerability Assessment entry; select Scan For Vulnerabilities. If you have run a VA on this database before, you can reopen it with Open Existing Scan.

A dialog pops up asking where the results should be saved, as shown in the following figure. Click OK and the scan runs.

The scan starts as soon as you click OK, and a results window opens when it completes. In our scan of the CzarCms test database you can see 6 failed checks and 52 passed checks. Each check is listed with its details and a risk rating (High, Medium or Low).

Click any failed check in the list and you get a fuller description, the remediation steps, and in most cases a script that fixes the issue. Let's open one.

Let's take the second one, VA1143 - 'dbo' user should not be used for normal service operation. What does that mean? "dbo", the database owner, is a user account with implied permission to perform every activity in the database. Members of the sysadmin fixed server role are automatically mapped to dbo. This rule checks that dbo is not the only account allowed to access the database. Note that on a newly created, empty database this rule will fail until additional users or roles are created. In short: create a separate, less-privileged user for your application rather than having it connect as dbo. As shown in the figure:

As you can see below, the pane describes the best-practice rule that is not being followed and provides the query that VA ran to produce the finding, so you can run it yourself and inspect the result. This is one of the most useful parts of the feature: the queries make handy scripts for later health checks on other servers. There is even a small copy button to copy the script out, and an option to open it directly in a query window.

Pointing out a problem without offering a solution would be poor form, so Microsoft also provides remediation steps and, where possible, a script. Scroll further down and you will see them. If no script is provided, there is a link to the documentation describing how to resolve the issue. In my opinion VA does a good job of explaining what is needed to fix each finding. Keep in mind that the remediation scripts are generic: review them, and run both the assessment and the fix against a test environment before applying anything to production.
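To make the VA1143 finding concrete, here is an added T-SQL example (written for this article; it is not Microsoft's rule query or remediation script, which you should take from the VA results pane itself). It shows a check in the spirit of the rule, a least-privilege fix, a verification step, and the same check extended across every user database on the instance for use on other servers. It assumes the CzarCms database from the scan above; the login and user name svc_czarcms and the password placeholder are hypothetical and must be replaced for your environment.

```sql
-- Added example, not the VA1143 rule's own query or Microsoft's remediation script.
-- Assumes database CzarCms (from the article); svc_czarcms and the password are placeholders.
USE CzarCms;
GO

-- 1. Check: list every principal that can access this database other than dbo.
--    Types: S = SQL user, U = Windows user, G = Windows group,
--           E = external (Azure AD) user, X = external group.
--    principal_id > 4 skips the built-ins dbo, guest, INFORMATION_SCHEMA and sys.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('S', 'U', 'G', 'E', 'X')
  AND principal_id > 4;
-- Zero rows here means dbo is the only account with access: the rule fails.

-- 2. Remediation: give the application its own minimally privileged login and user
--    instead of letting it connect as dbo or as a sysadmin member.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'svc_czarcms')
    CREATE LOGIN svc_czarcms
        WITH PASSWORD = N'<replace-with-a-strong-password>', CHECK_POLICY = ON;

IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'svc_czarcms')
    CREATE USER svc_czarcms FOR LOGIN svc_czarcms WITH DEFAULT_SCHEMA = dbo;

-- Grant only what the service actually needs.
ALTER ROLE db_datareader ADD MEMBER svc_czarcms;
ALTER ROLE db_datawriter ADD MEMBER svc_czarcms;
-- Do NOT do this; it recreates the problem the rule is about:
-- ALTER ROLE db_owner ADD MEMBER svc_czarcms;

-- 3. Verify: the new login must not be a sysadmin (expect 0), and the check
--    in step 1 should now return at least one row.
SELECT IS_SRVROLEMEMBER('sysadmin', 'svc_czarcms') AS is_sysadmin;
GO

-- 4. The same check across all online user databases, for reuse on other servers.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'SELECT ' + QUOTENAME(name, '''') + N' AS db, COUNT(*) AS non_dbo_users'
             + N' FROM ' + QUOTENAME(name) + N'.sys.database_principals'
             + N' WHERE type IN (''S'',''U'',''G'',''E'',''X'') AND principal_id > 4'
             + N' UNION ALL '
FROM sys.databases
WHERE database_id > 4 AND state_desc = 'ONLINE';
SET @sql = LEFT(@sql, LEN(@sql) - LEN(' UNION ALL '));
EXEC sp_executesql @sql;   -- databases showing 0 would fail a VA1143-style check
GO
```

The script is idempotent for the login and user, so it is safe to rerun; the role grants simply succeed again. Switching an application from dbo to a user like this also requires updating its connection string, so plan that change together with the fix.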

Also note that you can mark a result as a baseline, as shown in the following figure. Baselining lets you accept a finding in the report so that it no longer appears as a failure the next time you scan.

By marking a result as BASELINE you tell VA that this state is acceptable in your environment, even though it may not meet best practice or a regulatory standard. Any future result that matches the baseline is reported as passed in subsequent scans, with the reason recorded as a custom baseline. Below, I set two of the results as baselines.

When I scan again, the report now shows only one failure (I did not actually fix that one), and the Additional Information column shows that the other two passed because of the baseline.

SQL Server Vulnerability Assessment is a very useful built-in tool for evaluating data privacy, security, and compliance posture, and it is very easy to use. Because it is free and lightweight, there is little reason not to run it against every database before it reaches production.

That is an overview of what the SQL Server Vulnerability Assessment looks like in practice. If you have had similar questions, the walkthrough above should help you get started.
