Get Started. Upgrade to this release. Welcome to SQLsecure

Transcription

1 Get Started Use the fllwing checklist t guide yu thrugh the prcess f getting started with SQLsecure. Check This Item Register the SQL Server instances whse security mdels yu want t assess and audit. Cnfigure snapshts t cllect audit data frm the registered instances. Find security issues using the default All Servers plicy. Create custm plicies t assess cmpliance t specific security regulatins. Save assessments fr plicies yu want t use in yur audit prcess. Cmpare assessments t identify changes ver time. Perfrm frensic analysis f yur security mdel using the Permissins Explrer. Discver vulnerabilities using the built-in reprts. Upgrade t this release Yu can easily and quickly upgrade t the latest versin f SQLsecure. Upgrading will nt delete r alter any existing snapshts r plicies. Fr mre infrmatin abut this release, see what s new. T upgrade: 1. Use an administratr accunt t lg nt the cmputer n which yu previusly deplyed SQLsecure. 2. Clse all pen applicatins. 3. Run Setup.exe in the rt f the installatin kit. 4. Fllw the prmpts, and then click Finish when dne. The setup prgram autmatically upgrades each SQLsecure cmpnent n the target cmputer. 5. If yu have previusly deplyed Reprts, use the Deply Reprts wizard t upgrade yur deplyment. 6. If yur existing plicies include security checks that cite OS and SQL Server versins, yu must manually update the related security checks t include the latest releases, such as SQL Server 2012 RTM. Welcme t SQLsecure SQLsecure identifies security hles and verifies yur SQL Server security mdel by analyzing the effective rights fr any user, n any given bject r access cntrl, acrss SQL Server and Active Directry. Need help using SQLsecure? See the fllwing sectins: Get started with SQLsecure Assess yur security status Explre permissins Reprt n SQL Server security

2 What is SQLsecure? SQL secure is a security analysis slutin that identifies SQL Server security vilatins and ensures security plicies are enfrced. Find ut wh has access t what and identify each user s effective rights acrss all SQL Server bjects. Alert n vilatins f yur crprate plicies, mnitr changes made t security settings, and prvide security audit reprts as well as recmmendatins n hw t imprve yur security mdel. Hw des SQLsecure help me? Because f the many different and cmplex ways t grant access t SQL Server databases including server and database rles, Active Directry and lcal grups, inherited permissins, explicit grants and denies, just t name a few it is virtually impssible t manually analyze a security mdel acrss instances r determine a user s rights n specific database bjects. SQLsecure des this fr yu, answering the imprtant questin Wh can d what, where, and hw n my SQL Servers? SQL secure prvides a cmprehensive, autmated slutin fr analyzing, mnitring, and reprting n security access rights in SQL Server databases. With SQLsecure, yu can: Identify vulnerabilities and harden security acrss yur SQL Servers Diagnse and prtect against vilatins f yur security plicies and security best practices Analyze and manage user permissins acrss all SQL Server bjects with ur pwerful security mdel analysis Create plicies using custmizable templates fr varius security level needs Hw SQLsecure wrks SQLsecure uses a Cllectr t gather permissins infrmatin at scheduled intervals. SQLsecure runs this executable using a SQL Server jb. The Cllectr stres each data set as an audit snapsht in a SQLsecure Repsitry database. The SQLsecure Cnsle cnnects t the Repsitry t view yur permissins data. The fllwing diagram displays the SQLsecure wrkflw.

3 Find answers using this dcumentatin The SQLsecure dcumentatin set includes this cmprehensive, cntext-sensitive nline Help system as well as additinal resurces that supprt yu as yu install and use the prduct. Yu can als search Idera Slutins, available at the Idera Custmer Service Prtal ( Cntact Idera Please cntact us with yur questins and cmments. We lk frward t hearing frm yu. Fr supprt arund the wrld, please cntact us r yur lcal partner. Fr a cmplete list f ur partners, please see ur Web site. Sales GO.IDERA ( ) (nly in the United States and Canada) Sales sales@idera.cm Supprt Web site Dcument cnventins GO.IDERA ( ) (nly in the United States and Canada) Idera dcumentatin uses cnsistent cnventins t help yu identify items thrughut the printed nline library.

4 Cnventin Bld Italics Fixed Fnt Straight brackets, as in [value] Curly braces, as in [value] Lgical OR, as in value 1 value 2 Specifying Windw items Bk and CD titles Variable names New terms File and directry names Cmmands and cde examples Text typed by yu Optinal cmmand parameters Required cmmand parameters Exclusively cmmand parameters where nly ne f the ptins can be specified Abut Idera At Idera, we deliver a new generatin f tls fr managing, administering, and securing yur Micrsft Windws Servers, including SQL Server, SharePint, PwerShell and Micrsft Dynamics. We emply numerus industry experts wrldwide wh are devted t bringing prven slutins t yu, the administratr. Idera prvides slutins that help yu ensure server perfrmance and availability and reduce administrative verhead and expense. Our award-winning prducts install in minutes, cnfigure in hurs and deply wrldwide in days. Idera is a Micrsft Gld Certified Partner headquartered in Hustn, Texas, with ffices in Lndn, UK, Melburne, Australia, and Sa Paul, Brazil. Idera prducts Our tls are engineered t scale - frm managing a single server t enterprise deplyments with thusands f servers. Idera prducts cmbine ease f use with a design that installs in minutes, cnfigure in hurs, and deply wrldwide in days. T learn mre abut Idera prducts, visit ur Web site ( Legal ntice Idera, Inc., DTx, IntelliCmpress, Pint admin tlset, Pintbackup, Pintcheck, PwerShellPlus, SharePint enterprise manager, SharePint security manager, SharePint diagnstic manager, SharePint backup, SharePint perfrmance mnitr, SQLcheck, SQL change manager, SQLcnfig, SQL cmparisn tlset, SQL cmpliance manager, SQLcmpliance, SQLcm, SQL defrag manager, SQL diagnstic manager, SQLdm, SQL mbile manager, SQLpermissins, SQLsafe, SQLsafe Freeware Editin, SQLsafe Lite, SQLscaler, SQLschedule, SQL schema manager, SQLsecure, SQLsmarts, SQLstats, SQLtl, SQL tlbx, SQL virtual database, SQLvdb, virtual database, Idera, BBS Technlgies and the Idera lg are trademarks r registered trademarks f Idera, Inc., r its subsidiaries in the United States and ther jurisdictins. All ther cmpany and prduct names may be trademarks r registered trademarks f their respective cmpanies Idera, Inc., all rights reserved. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUB- JECT TO THE TERMS OF A LICENSE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREE- MENT, IDERA, INC., PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT

5 ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. YOU ARE ENCOURAGED TO READ THE LICENSE AGREEMENT BEFORE INSTALLING OR USING THIS DOCUMENTATION OR SOFTWARE. Sme cmpanies, names, and data in this dcument are used fr illustratin purpses and may nt represent real cmpanies, individuals, r data. This dcument culd include technical inaccuracies r typgraphical errrs. Changes are peridically made t the infrmatin herein. These changes may be incrprated in new editins f this dcument. Idera, Inc., may make imprvements in r changes t the sftware described in this dcument at any time Idera, Inc., all rights reserved. U.S. Gvernment Restricted Rights: The sftware and the dcumentatin are cmmercial cmputer sftware and dcumentatin develped at private expense. Use, duplicatin, r disclsure by the Gvernment is subject t the terms f the Idera, Inc., standard cmmercial license fr the sftware, and where applicable, the restrictins set frth in the Rights in Technical Data and Cmputer Sftware clauses and any successr rules r regulatins. Installatin and deplyment Yu can install and deply SQLsecure in any sized envirnment. Learn abut the prduct cmpnents and architecture Review the prduct requirements View trial installatin instructins Prduct cmpnents and architecture SQLsecure prvides a rbust, easy-t-use SQL Server audit and reprting slutin. Behind a friendly user interface, SQLsecure ffers a unique architecture that is bth flexible and extremely pwerful. SQLsecure fits yur envirnment, n matter hw simple r cmplex. Prduct cmpnents SQLsecure Cnsle The SQLsecure Cnsle cmpnent is the interface yu use t set up and manage yur SQLsecure cnfiguratin, view and search yur audit snapshts fr user and bject permissins, and generate reprts t display the audit infrmatin that is mst imprtant t yu. SQLsecure Repsitry The SQLsecure Repsitry is where yur audit snapsht infrmatin and SQLsecure cnfiguratin infrmatin is stred. Yu can schedule rutine grming that autmatically delete snapshts lder than a specified date. SQLsecure Cllectr The SQLsecure Cllectr gathers SQL Server permissin infrmatin frm yur audited SQL Server instances (using yur filter criteria) and stres the infrmatin in the SQLsecure Repsitry database.

6 Audited SQL Server Instances The audited SQL Server instances are SQL Server instances that have been registered with SQLsecure. These SQL Server instances are audited peridically at the dates and times yu schedule. The resulting data is stred in the SQLsecure Repsitry and displayed in the SQLsecure Cnsle as a snapsht f yur SQL Server security mdel. Prduct architecture The fllwing diagram illustrates the cmpnents f the SQLsecure architecture. Prduct requirements Yu can easily and quickly install SQLsecure n any cmputer that meets r exceeds the fllwing hardware, sftware, and permissin requirements. Befre installing SQLsecure, als review the prduct cmpnents and architecture as well as hw the prduct wrks. TIPS Idera is beginning t phase ut all Itanium supprt in SQL secure 2.6 and all subsequent 2.x versins. While 2.x will cntinue t perate with Itanium and supprt is available thrugh Nvember 2012, SQL secure 3.0 will nt supprt the Itanium prcessr architecture. SQLsecure 2.7 nw ffers full supprt f SQL Server 2012 RTM. Typical requirements A typical install sets up all SQLsecure cmpnents n the same cmputer. The fllwing table lists the requirements fr a typical installatin. Hardware/Sftware CPU Memry Requirement 2.0 GHz r higher 2 GB

7 Hardware/Sftware Hard Disk Space fr Repsitry 32-bit r 64-bit Operating System Requirement 30 GB Either: Windws 2000 Server SP4 r later Windws Server 2003 SP2 r later Windws XP SP2 r later Windws Vista Business and Enterprise Windws 7 Windws Server 2008 Windws Server 2008 R2 Plus:.NET Framewrk 2.0 SP1 r later MDAC 2.8 r later Micrsft SQL Server fr Repsitry Micrsft SQL Server fr the audited instances Brwser fr nline Help SQL Server 2005 SP1 r later SQL Server 2008 SQL Server 2008 R2 SQL Server 2012 RTM SQL Server 2000 SQL Server 2005 SQL Server 2008 SQL Server 2008 R2 SQL Server 2012 RTM Internet Explrer 7.0 r later Cnsle requirements A cnsle-nly installatin installs the SQLsecure Cnsle. The cnsle-nly installatin assumes that a full installatin has already been cmpleted n anther machine. The fllwing table lists all the requirements fr a cnsle-nly installatin. Hardware/Sftware CPU Memry Requirement 2.0 GHz r higher 2 GB 32-bit r 64-bit Operating System Either: Windws 2000 Server SP4 r later

8 Hardware/Sftware Requirement Windws Server 2003 SP2 r later Windws XP SP2 r later Windws Vista Business and Enterprise Windws 7 Windws Server 2008 Windws Server 2008 R2 Plus:.NET Framewrk 2.0 SP1 r later MDAC 2.8 r later Brwser fr nline Help Internet Explrer 7.0 r later Cllectr permissin requirements The fllwing requirements are necessary fr the SQLsecure Cllectr t access the SQL Server instances yu want t audit. During install, yu can input credentials fr a Windws user accunt r SQL Server lgin. Type Windws permissins SQL Server privileges Requirement A Windws user accunt that has lcal Administratr permissins A Windws user accunt that is a member f the sysadmin fixed server rle n the SQL Server instance Prt requirements SQLsecure uses the default prts pened by the Windws perating system fr lcal and remte cmmunicatins. T learn abut Windws prt assignments, see Article n the Micrsft Supprt site. T better understand hw prt assignments wrk when Windws Firewall has been cnfigured, see "Cnnecting Thrugh Windws Firewall" n the MSDN site. Ensure FIPS cmpliance Yu can use SQLsecure t audit and assess yur SQL Server security in envirnments where Federal Infrmatin Prcessing Standard (FIPS) cmpliance is required. Fr mre infrmatin abut FIPS cmpliance, see the crrespnding Micrsft TechNet Web article (technet.micrsft.cm) and Micrsft Knwledge Base Article # ( Hw d I knw whether my envirnment requires FIPS cmpliance? Ask yur Windws security administratr whether the FIPS system cryptgraphy setting has been enabled in the Lcal Security Plicy r a Grup Plicy that applies t the SQL Server cmputer.

9 Are there additinal prduct requirements t supprt FIPS? N, FIPS cmpliance fr SQLsecure des nt require any additinal sftware t be installed. Hw t install SQLsecure This prcedure guides yu thrugh a typical install f SQLsecure. A typical install sets up all SQLsecure cmpnents n the same cmputer. Use this prcedure fr first-time installs and evaluatin installs. Befre yu begin the installatin prcess, ensure yu review the prduct requirements. Start the setup prgram Yu can install SQLsecure n any cmputer that meets r exceeds the prduct requirements. T start installing SQLsecure: 1. Lg n with an administratr accunt t the cmputer n which yu want t install SQLsecure. 2. Clse all pen applicatins. 3. Run Setup.exe in the rt f the installatin kit. 4. Click All Cmpnentsn the Idera SQLsecure Quick Start windw. 5. On the Welcme windw f the setup prgram, click Next. 6. Review and accept the license agreement by clicking I accept the terms in the license agreement, and then click Next. Chse where yu want t install SQLsecure and wh shuld use the prduct n this cmputer Yu can use the default install lcatin r specify a different lcatin. Fr yur first install, we recmmend using the default lcatin. T chse a different lcatin: Click Change t navigate t the lcatin yu want t use, and then click Next. T restrict access: Chse whether yu want any user r nly the current user t access this applicatin, and then click Next. Chse the type f install yu want t perfrm Fr yur first install, we recmmend using the Typical setup type. This type ensures yu install and cnfigure all required SQLsecure cmpnents, s yu can immediately begin using SQLsecure in yur envirnment. Click Typical, and then click Next. Chse which SQL Server instance yu want t hst the Repsitry database Yu can use a SQL Server instance installed lcally n this cmputer. SQLsecure can cnnect t the selected SQL Server instance using the credentials f yur current Windws lgn accunt r a SQL Server lgin. Fr yur first install, we recmmend using yur current lgn accunt credentials.

10 T chse a different instance: 1. Click Brwse t select the SQL Server instance yu want t use. The Select SQL Server windw lists all available instances in yur current dmain and ther trusted dmains. If yu d nt see yur SQL Server instance in the list, enter the hst name and instance in the space prvided. 2. Click OK. 3. Click Next. T specify a SQL Server lgin: 1. Click Use Micrsft SQL Server authenticatin, and then click Change. 2. Specify the credentials f a lgin with sysadmin privileges n that instance, and then click OK. By default, SQLsecure uses yur Windws credentials when cnnecting t the Repsitry. 3. Click Next. Cmplete the install Indicate that yu are ready t cmplete yur install and apply the cnfiguratins yu specified. After install is cmplete, yu can start the Management Cnsle t immediately begin experiencing the benefits SQLsecure prvides. T cmplete yur install: 1. Click Install. 2. Click Finish. Cnfigure yur deplyment After yur initial installatin and set up, yu may want t perfrm the fllwing tasks t further custmize and streamline yur deplyment. Cnnect t yur SQLsecure Repsitry Set up weak passwrd detectin t audit passwrd health Use filters t specify which data is cllected Use snapshts t cllect audit data Register yur SQL Server instances Cnnect t the SQLsecure Repsitry By default, SQLsecure cnnects t the Repsitry when yu start the Cnsle. Yu may need t recnnect t the Repsitry database under these circumstances: Yu installed multiple Repsitry databases Yu mved the Repsitry database t anther SQL Server instance Yu lst cnnectin t the SQL Server instance hsting the Repsitry and must recnnect Use the Cnnect t Repsitry windw t specify the SQL Server instance that hsts the Repsitry database. Set up weak passwrd detectin Use the Weak Passwrd Detectin windw t set up hw SQLsecure determines and enfrces passwrd health. In general, users shuld nt use blank passwrds, passwrds with cmmn wrds, r passwrds that match a lgin name.

11 Yu can check the passwrds f SQL lgins acrss yur audited SQL Server instances against a list f knwn wrds used in weak passwrds. T ensure passwrds meet crprate security plicies, specify a custm list that includes wrds and phrases yu have restricted. Passwrd detectin is enabled by default fr all SQL Server instances registered with SQLsecure. TIP SQLsecure determines the passwrd health fr all SQL lgins but nt fr Windws user accunts r grups wh have privileges n the audited SQL Server instance. Hw d I set up weak passwrd detectin? 1. Select Enable weak passwrd detectin. 2. If yu want t custmize the passwrd analysis, add specific wrds and phrases r attach a text file (*.txt). Use the fllwing frmats: 3. Click OK. Fr the Additinal Passwrds field, separate specific wrds and phrases with semiclns. Frmat yur Custm List by separating each wrd r phrase n its wn line. 4. Determine which plicy assessments shuld analyze passwrd health. Fr each assessment, review its settings t ensure the Weak Passwrds security check is enabled. 5. Test yur cnfiguratin by taking a snapsht and then reviewing the security check findings fr yur target servers. Hw des weak passwrd detectin wrk? The passwrd analysis is perfrmed during snapsht cllectin. When a snapsht is taken, the passwrds f all SQL lgins n the target SQL Server instances are cllected and then cmpared against the default weak passwrd list as well as any custm lists yu defined. Each passwrd is als cmpared against the name f its lgin. The result (a security check finding) is stred in the Repsitry database but the passwrds themselves are nt stred. What is the Default Weak Passwrds list? The Default Weak Passwrds list was cmpiled by industry experts. This list includes ver 2,400 cmmn wrds and phrases used in passwrds that are cnsidered weak (easy t guess r hack), including blank passwrds. By default, SQLsecure uses this list t analyze yur enterprise's passwrd health, cmparing each SQL lgin passwrd t the list and then reprting the result as a security check finding. Can I use my wn weak passwrd list? Yes. Yu can add specific wrds and phrases t the default list, such as ppular Internet memes like "kitteh" and "duble rainbw". Yu can als add a custm list, such as wrds restricted by yur crprate passwrd plicy. T add specific wrds and phrases, type the targeted wrds int the Additinal Passwrds field, separating each wrd r phrase with a semicln. T add yur wn list, use the Custm List brwse buttn t select the text file (*.txt) yu want t attach. Frmat the text file such that each wrd r phrase is lcated n a separate line. T specify a different text file, click Remve List, and then add the new file. Which security checks enfrce passwrd health? T audit and enfrce passwrd health, enable the Weak Passwrds security check in yur assessment plicies. This security check is enabled by default in the Idera Level 2 and Level 3 plicy templates.

12 What types f passwrd health are detected? As SQLsecure analyzes the passwrd health f yur SQL lgins, it recrds ne f the fllwing results. These findings are displayed in the crrespnding Lgin Prperties windw and the Lgin Vulnerability reprt. Passwrd health result Blank Matches lgin name N/A OK Weak What it means The passwrd fr this lgin is either blank r null, which means n passwrd is required fr authenticatin r successful cnnectin t databases hsted by yur audited SQL Server instances. The passwrd fr this lgin matches the name f the lgin. The passwrd fr this lgin was nt checked, mst likely because either the lgin is a Windws user accunt r weak passwrd detectin is disabled. This lgin mst likely has a strng passwrd because the passwrd des nt match any f the wrds and phrases in the Default Weak Passwrds list r the additinal and custm passwrds yu specified. The passwrd fr this lgin matches ne r mre f the wrds and phrases in the Default Weak Passwrds list r the additinal and custm passwrds yu specified. What happens when passwrd detectin is disabled? When weak passwrd detectin is disabled, SQLsecure stps cllecting passwrd health data. All previusly cllected data remains stred in the SQLsecure Repsitry database and can be evaluated using yur plicy assessments. Fr future assessments, SQLsecure will n lnger reprt n whether any SQL lgin passwrds are cnsidered weak but it will cntinue t reprt n whether a passwrd is blank. If the Weak Passwrds security check is enabled fr a plicy assessment and the snapsht yu selected des nt include passwrd health data, the Snapsht May Be Missing Data security check will warn yu that weak passwrd detectin has been disabled and passwrd health data is nt available t analyze. T stp reprting n passwrd health, als disable the Weak Passwrds security check in yur plicy assessments. Add server t begin auditing The Register a SQL Server wizard allws yu t designate the SQL Server instances that yu want SQLsecure t audit. The Register a SQL Server wizard allws yu t d the fllwing: Select the SQL Server instance yu want t audit with SQLsecure Specify the credentials used t cnnect t yur SQL Server instance and cllect data Select which bjects yu want SQLsecure t audit Schedule cllectin times Cnfigure yur ntificatins When d I need t use the Register a SQL Server wizard? The Register a SQL Server wizard must be cmpleted befre SQL Server instances can be audited by SQLsecure. Fr every SQL Server instance yu wuld like t audit, the Register a SQL Server wizard must be cmpleted. Hw des the Register a SQL Server wizard wrk? The Register a SQL Server Wizard will prmpt yu fr the SQL Server lcatin, credentials t use fr auditing, filter criteria, and

13 then schedule yur audits. Once yu have set up yur SQL Server instance fr auditing, SQLsecure will apply yur settings and display this instance in the Security Summary and Explre Permissins tree panes. These cnfiguratin settings are stred in the Repsitry. Hw d I register a SQL Server using the Register a SQL Server wizard? SQL Server instances must first be added t SQLsecure befre the auditing prcess can begin. T add a SQL Server t SQLsecure: 1. Select File > Register a SQL Server frm the tlbar. 2. Click Next n the Welcme t the Register SQL Server Wizard windw. 3. Type the name f the SQL Server instance in the Server field r click Brwse t lcate the SQL Server instance yu wuld like t register. 4. Select the authenticatin mde SQLsecure shuld use t cnnect t the selected SQL Server instance. If yu select t enter the credentials, click Next and the Enter Credentials windw will pen. Enter the credentials yu wuld like t use fr auditing, re-enter yur passwrd, and then click Next. If the lgin cnfiguratin fr the SQL Server yu wish t audit is case-sensitive, yu must enter yur lgin infrmatin in a case-sensitive frmat n the Credentials windw. 5. Select t either enter snapsht filters manually r t cpy existing filters frm anther server cnfiguratin. If yu want t define the data cllectin filters manually, enter them n the Specify data cllectin filter windw and click Next. If yu want t cpy data cllectin filters frm anther server, select the registered server frm the list and click Next. 6. Verify that the servers yu want t register are listed n the SQL Server Registratin Cmplete windw, and then click Finish Select a SQL Server The Select a SQL Server windw allws yu t specify the SQL Server instance yu want t add t SQLsecure fr auditing. Type the lcatin f the SQL Server instance yu wuld like t audit, r click Brwse t lcate it. TIP Yu can add as many instances as yur SQLsecure license prvides. Fr mre infrmatin, see Managing Yur SQLsecure Licenses. Specify cnnectin credentials The Specify Cnnectin Credentials windw allws yu t designate the credentials that SQLsecure uses t access the SQL Server instance yu are adding. Yu can specify either SQL Server lgin r Windws accunt credentials. Yu can later change which cnnectin credentials SQLsecure uses. When yu change credentials, SQLsecure identifies ther audited SQL Server instances that use the same accunt and then lets yu change their cnnectin credentials as well. Item SQL Server credentials t cnnect t Descriptin Select SQL Server Agent credentials t use the default credentials f yur SQL Server

14 Item audited SQL Server Windws Credentials t gather Operating System and Active Directry bjects Descriptin Agent r click Windws Authenticatin and enter the credentials in the fields prvided. Check the Use same Windws Authenticatin as abve bx r specify the accunt SQLsecure shuld use t gather infrmatin abut OS and AD bjects. TIP If the lgin cnfiguratin fr the SQL Server yu want t audit is case-sensitive, yu must enter yur lgin credentials in the case-sensitive frmat. The SQL Server lgin must belng t the sysadmin fixed rle n the target instance, and the Windws accunt must have Windws Administratr privileges n the target instance t cllect grup membership infrmatin. Select SQL Server bjects t audit The Select SQL Server Objects t Audit windw allws yu t specify the bjects abut which SQLsecure shuld cllect security infrmatin. By default, SQLsecure audits all SQL Server bjects. TIP When yu are selecting bjects t audit, be aware that yu need t include all the bjects that yur plicies need t apprpriately assess security risks. Hw d I select bjects t audit? 1. Check the bjects in the list. 2. Fr thse bjects that have scpe ptins, click the blue text in the Scpe matches clumn and select the apprpriate ptin. 3. Fr thse bjects that have naming ptins, click the blue text in the Name matches sectin, and enter the apprpriate matching cnventin. Schedule snapshts fr rutine data cllectin The Schedule Snapshts windw allws yu t chse the best times t cllect data frm yur SQL Server instance. By default, snapshts are scheduled t run at midnight every Sunday mrning (using the lcal time f the cmputer hsting the SQLsecure Repsitry). TIP SQLsecure requires that a user be lgged in as the SQLsecure Administratr t view snapsht schedules. Hw d I use the Schedule Snapshts windw? The Schedule Snapshts windw cntains the data cllectin schedule that is currently being used fr the SQL Server selected instance. T change the schedule, click Change and select the new time and frequency. What times shuld I schedule my snapsht cllectins? When pssible, schedule snapshts t run during nn-peak r ff-hur times. What can I d n the Schedule Snapshts windw? Item Change Descriptin Click this buttn t edit yur audit snapsht cllectin schedule.

15 Item Enable Scheduling Keep snapsht fr [number] days Descriptin Select this ptin t specify the audit snapsht schedule. Specify the number f days that yu want t stre snapshts in the SQLsecure Repsitry. Hw d I view snapsht prperties? T view the prperties f a specific snapsht, right-click the snapsht in the Snapshts windw and then select Prperties frm the cntext menu. Hw can I view a list f snapshts n my audited SQL Server? T view a list f snapshts and baselines fr a specific SQL Server, select the Audit Histry tab n the Explre Permissins view. When is the first snapsht taken? The first snapsht is taken at the first scheduled snapsht cllectin time. Yu can manually take a snapsht at any time by rightclicking the SQL Server instance in the Explre Permissins view and then selecting Take Snapsht frm the cntext menu. Enable ntificatin The Cnfigure Ntificatin windw allws yu t cnfigure the way ntificatins are sent after a snapsht is cllected. Yu can select t have ntificatins sent after a snapsht is cllected successfully, r nly if there are warnings r errrs. Yu can als select t have ntificatins sent depending n the level f the security risks discvered. Once yu have cnfigured when ntificatins are sent, specify wh shuld receive these s by specifying the apprpriate address in the Recipient field. T enter multiple addresses, separate each address with a semi-cln. TIP If yu d nt want t receive ntificatins fr snapsht status r security finding, unchecked the assciated ptin. ntificatins cannt be sent until SQLsecure has been cnfigured t cmmunicatin with yur SMTP prvider. Yu can cnfigure these settings by selecting Tls >Cnfigure SMTP frm the menu bar. Fr mre infrmatin, see Cnfigure Settings. Add server t existing plicies The Add t Plicies windw allws yu t include yur newly registered instance t any existing custm plicies. This windw displays nly when yu have created plicies whse server membership has been explicitly defined. Fr example, if yu created a plicy that included nly yur test SQL Server 2005 instance (rather than, fr example, all SQL Server 2005 instances), this windw will list that plicy and allw yu t include the newly registered instance.

16 Chse t take snapsht nw The Take Snapsht windw gives yu the ptin t cllect audit data at the end f the registratin prcess. Chse this ptin when yu want t immediately perfrm a security assessment n the newly registered instance. Nte that yu can als manually take a snapsht later by selecting Take Snapsht n the Explre Permissins view. If yu are adding several SQL Server instances t SQLsecure, yu may nt want t take a snapsht at the end f the Register SQL Server wizard prcess. Taking a snapsht frm mre than ne instance at a time can degrade the Cnsle perfrmance. Review registratin summary Review the prvided summary fr the instance yu are adding t SQLsecure, and then click Finish. When yu finish this wizard, SQLsecure enables auditing n the selected SQL Server instance. If yu want t change a setting nw, click Back t return t the apprpriate windw. Yu can als change audit settings later using the Audited SQL Server Prperties windw. Use filters t specify which data is cllected SQLsecure uses snapsht filters t cntrl the data cllected frm yur audited SQL Server instances. Each filter rule defines which data, such as permissins n user tables in a specific database, is cllected and included in the snapsht. By default, SQLsecure cllects all available audit data. Yu can edit this default filter rule r delete it after yu have defined yur custm filter. Custm filters are applied at the instance level and are unique t that instance. Yu can create a different filter fr each instance. Yu can als create mre than ne filter, depending n yur assessment needs. When multiple filters are defined, SQLsecure aggregates them, cllecting all data identified by all the filters assciated with this instance. TIP T cllect data abut the passwrd health f yur SQL lgins, enable weak passwrd detectin. Add new filter The Add Filter wizard allws yu t chse the apprpriate criteria t use when cllecting snapsht infrmatin. By default, SQLsecure cllects all security infrmatin. TIP Cnsider using the default filter settings in yur initial plicy assessments until yu knw exactly which data yur plicies will require. Using the default filter settings ensures that all the data required by yur plicies is cllected. Hw d I access this wizard? T pen the Add Filter wizard: 1. Right-click the server yu want t edit, and select Prperties. 2. Select the Filters tab. 3. Click New Filter. What des the Add Filter wizard d? The Add Filter wizard lets yu designate what types f permissin and security data will be cllected.

17 Hw des the Add Filter wizard wrk? The Add Filter wizard stres yur filters in the Repsitry database, which are then used by SQLsecure when taking snapshts. Specify filter prperties This windw allws yu t name yur filter and give it a descriptin. It is imprtant t give yur filter a name yu can easily distinguish. Fr mre infrmatin, see Use the Add Filter Wizard. Specify databases and bjects This windw allws yu t select which databases yu want t audit. Optin User databases and System databases Database names matching Descriptin Select either r bth f these database types t include in yur snapsht Select Any t include databases in yur snapsht. Select Like and enter a matching string fr the databases yu wuld like t include in yur filter. Edit filter settings The Filter Prperties windw allws yu t edit the prperties f yur snapsht filter. Yu can edit the name and descriptin f yur filter, see when it was last mdified, and chse which audit data yu want t cllect in yur snapshts. TIP Cnsider using the default filter settings in yur initial plicy assessments until yu knw exactly which data yur plicies will require. Using the default filter settings ensures that all the data required by yur plicies is cllected. Hw d I access this windw? 1. Right-click a SQL Server instance in the Plicy Servers tree n the Security Summary view and select Prperties. 2. On the Filter tab f the Audited SQL Server Prperties windw, click Prperties. Use snapshts t cllect audit data SQLsecure uses audit snapshts t capture SQL Server user and bject permissin settings. These snapshts are listed in Explre Permissins tree. A snapsht is a set f audit data that SQLsecure has cllected frm a specific SQL Server instance. Yu can cnfigure snapsht filters t select which SQL Server bjects yu want t audit. Yu can take snapshts manually, as yu need fresh data, r schedule snapshts t be taken at regular intervals. The Snapsht Summary tab prvides detailed infrmatin abut yur snapsht, including the time it was taken, the cllectin statistics, audit filter infrmatin, and a listing f any Suspect Windws accunts r unavailable databases that were encuntered while the Snapsht was being taken. Fr mre infrmatin n unreslved Windws accunts, see Identify Suspect Windws Accunts. Fr mre infrmatin n unavailable databases, see Identify Unavailable Databases.

18 TIP T cllect and review data abut the passwrd health f yur SQL lgins, enable weak passwrd detectin. What data is lcated n the Snapsht Summary? The Snapsht Summary cntains the fllwing types f infrmatin: Snapsht Prperties Prvides the basic status f the selected snapsht, the time it was cllected, hw lng the cllectin tk t cmplete, whether r nt it has been selected as a baseline, and any cmments assciated with it. Audit Summary Lists the statistics f the snapsht. These statistics include the number f bjects, permissins, databases, lgins, Windws accunts, and Windws well-knwn grups assciated with the snapsht. Windws Accunts Prvides a partial list f the Windws users and grups that have access t the selected SQL Server instance. OS Windws Accunts Prvides a partial list f the Windws users and grups that have access t OS bjects but d nt interact with SQL Server bjects. Filters Prvides the filter infrmatin assciated with the selected snapsht. Fr mre infrmatin, see Filters. Suspect Windws Accunts Lists the Accunts that SQLsecure was unable t cllect data n. This can ccur when SQLsecure des nt have the prper rights t cllect infrmatin n these users, r if the accunt was deleted. Fr mre infrmatin, see Suspect Windws Accunts. Suspect OS Windws Accunts Lists the Accunts that SQLsecure was unable t cllect data n. This can ccur when SQLsecure des nt have the prper rights t cllect infrmatin n these users, r if the accunt was deleted. Fr mre infrmatin, see Suspect Windws Accunts. Unavailable Databases Lists the databases that SQLsecure was unable t cllect SQL Server security data n. This can happen when a database is unavailable during SQLsecure data cllectin. Fr mre infrmatin, see Unavailable Databases. Take snapsht T immediately cllect a data snapsht (audit a SQL Server instance), right-click the server t audit and select Take Snapsht frm the cntext menu. Yur audit data is nw updated. Fr mre infrmatin n data cllectin, see Audited SQL Server Windw. Schedule snapshts fr rutine data cllectin The Schedule Snapshts windw allws yu t chse the best times t cllect data frm yur SQL Server instance.

19 By default, snapshts are scheduled t run at midnight every Sunday mrning (using the lcal time f the cmputer hsting the SQLsecure Repsitry). TIP SQLsecure requires that a user be lgged in as the SQLsecure Administratr t view snapsht schedules. Hw d I use the Schedule Snapshts windw? The Schedule Snapshts windw cntains the data cllectin schedule that is currently being used fr the SQL Server selected instance. T change the schedule, click Change and select the new time and frequency. What times shuld I schedule my snapsht cllectins? When pssible, schedule snapshts t run during nn-peak r ff-hur times. What can I d n the Schedule Snapshts windw? Item Change Enable Scheduling Keep snapsht fr [number] days Descriptin Click this buttn t edit yur audit snapsht cllectin schedule. Select this ptin t specify the audit snapsht schedule. Specify the number f days that yu want t stre snapshts in the SQLsecure Repsitry. Hw d I view snapsht prperties? T view the prperties f a specific snapsht, right-click the snapsht in the Snapshts windw and then select Prperties frm the cntext menu. Hw can I view a list f snapshts n my audited SQL Server? T view a list f snapshts and baselines fr a specific SQL Server, select the Audit Histry tab n the Explre Permissins view. When is the first snapsht taken? The first snapsht is taken at the first scheduled snapsht cllectin time. Yu can manually take a snapsht at any time by rightclicking the SQL Server instance in the Explre Permissins view and then selecting Take Snapsht frm the cntext menu. Designate a baseline snapsht A baseline snapsht will nt be deleted in the nrmal SQLsecure grming prcess. T mark a snapsht as a baseline, right-click the snapsht in the Snapshts windw, and then select Mark as Baseline. When the cnfirmatin windw displays, click OK t cntinue. Set snapsht grming schedule Grming is the prcess f deleting audit snapshts frm the SQLsecure Repsitry. Grming allws yu t keep nly the permissins data yu need fr future reprting. SQLsecure allws yu t schedule snapsht grming at the enterprise and at the individual SQL Server instance levels. Keep in mind that baseline snapshts and snapshts assciated with saved assessments cannt be grmed. TIP T keep a snapsht, mark it as a baseline. Fr mre infrmatin, see Designate a baseline snapsht.

20 Hw d I set a grming schedule at the enterprise level? Yu can cnfigure the enterprise level grming schedule n the Grming schedule windw. In additin t rutine snapsht grming, the grming prcess deletes all the snapshts that are assciated with any SQL Server instances yu have remved frm the SQLsecure Cnsle. T pen the Grming Schedule windw, select Snapshts > Grming Schedule frm the tlbar. T schedule grming at the enterprise level: 1. Select Snapshts > Grming Schedule frm the tlbar. 2. Click Change. 3. Edit the schedule. 4. Click OK t save. When d I need t schedule grming? Grming shuld be scheduled fr ff-peak hurs s that it des nt interfere with yur nrmal business peratin. Hw d I set a grming schedule at the SQL Server instance level? Snapsht retentin is the number f days SQLsecure will cntinue t stre all yur nn-baseline audit snapshts in the SQLsecure Repsitry. T schedule grming at the SQL Server instance level: 1. Right-click the SQL Server instance in the Explre Permissins tree yu want t cnfigure and select Prperties. 2. Select the Schedule tab. 3. Click Change. The Jb Schedule windw pens. 4. Select the frequency f yur grming jb. 5. Click OK t save changes.

21 Explre Security Settings SQLsecure allws yu t view the permissin settings f individual users, rles, and bjects, at a particular pint in time, fr each SQL Server instance that has been added t SQLsecure fr auditing. The Explre Permissins view allws yu t review the fllwing security infrmatin: Enterprise level permissins SQL Server level permissins Individual user permissins Hw d I analyze permissins? It is imprtant t understand that when analyzing a user s permissins, SQLsecure shws multiple permissins when users have inherited bject permissins frm a parent rle n the server. Fr example; User A has been given explicit delete permissins at the server, database, schema, and table levels. Yur cmpany is nw restricting the rights t a particular table and yu need t revke User A s right t delete. T accmplish this task, revke the user s right t delete at the particular table level and als at the parent levels. The fllwing illustratin depicts an example permissins scenari: What irregularities culd I run int when searching user and bject permissins? There may be times when it seems as thugh the permissins fr a user r table have changed drastically, when n changes have actually ccurred. The fllwing table lists sme f the pssible causes:

22 Cause A user r table is deleted and then the same name is used again in the future. A user r table name is changed A user r table is deleted frm the system Slutin Make sure that best practices are used when adding and deleting user and table names, r prperly nte the change t avid cnfusin. Prperly nte the change t avid cnfusin. Prperly nte the change t avid cnfusin. Which SQL Server permissins can I audit? SQLsecure allws yu t audit all users and bject permissins n SQL Server instances that have been registered with SQLsecure. Fr mre infrmatin abut SQL Server permissins, see Micrsft Bks Online. What are SQL Server permissins? SQL Server permissins are the rights given t a user r grup f users wh will interact with a database bject. Every SQL Server peratin r actin requires that the user initiating the peratin r actin has the apprpriate permissins. What are the different types f SQL Server permissins? Assigned permissins are permissins that are explicitly granted r denied t a user, grup, r rle fr a particular server r database bject. A user, grup, r rle can have mre than ne assigned permissin. Effective permissins are the net effect f assigned permissins, permissins inherited frm the grup r rle membership, and cvering permissins (SQL Server 2005 and later). Explre bject permissins Select the Object Permissins tab t explre SQL Server permissin infrmatin fr all database and server bjects, as well as the passwrd health f SQL lgins. Hw d I find a particular bject? T find the permissins fr a particular bject, select the Object Permissins tab n the Explre Permissins view. Use the tree structure t navigate t the bject fr which yu need permissins infrmatin, and click it. Permissins infrmatin fr that bject will display. What permissins are available? Yu can view permissins infrmatin fr every bject that was included in yur snapsht filter. Hw d I view the prperties f the SQL Server bject? Frm the Object Permissins tab, right-click the bject yu want mre infrmatin n, and then select Prperties. The Object Prperties windw displays and lists infrmatin relevant t the bject type selected. Fr example, when yu view Lgin Prperties, yu can review the security settings applied t this lgin plus its mst recent passwrd health. TIP It culd take up t a minute, depending n yur specific cnfiguratin, t ppulate the Object Prperties windw. View database prperties The Database Prperties windw displays the permissins infrmatin assciated with the selected database. Yu can view:

23 The wner and status f the selected database Whether the guest SQL Server lgin is enabled n this database The accunt r lgin (grantee) that was granted r denied permissins n the database The type f permissin, and whether it was granted r denied The accunt r lgin (grantr) granting r denying this permissin The surce permissin, bject, and type frm which the effective permissin was inherited What can I d n the Database Prperties windw? Yu can view explicit permissins nly, r include the fixed rle and inherited permissins, by checking the apprpriate ptin and clicking Shw Permissins. Yu can als save r print the database bject permissins infrmatin by clicking the apprpriate icn abve the permissins table. View SQL lgin prperties Use the Lgin Prperties windw t review the SQL lgin security prperties fr the selected lgin as well as its mst recent passwrd health. What des passwrd health mean? Passwrd health indicates whether r nt the passwrd assciated with the accunt is cnsidered weak. Yu can cnfigure hw SQLsecure detects weak passwrds. By default, the Idera Level 2 and Level 3 plicy templates enfrce passwrd health. Pssible passwrd health states include: Passwrd health state Blank Matches lgin name N/A OK Weak What it means The passwrd fr this lgin is either blank r null, which means n passwrd is required fr authenticatin r successful cnnectin t databases hsted by yur audited SQL Server instances. The passwrd fr this lgin matches the name f the lgin. The passwrd fr this lgin was nt checked, mst likely because the lgin is a Windws user accunt. This lgin mst likely has a strng passwrd because the passwrd des nt match any f the wrds and phrases in the Default Weak Passwrds list r the additinal and custm passwrds yu specified. The passwrd fr this lgin matches ne r mre f the wrds and phrases in the Default Weak Passwrds list r the additinal and custm passwrds yu specified. What infrmatin des the General tab prvide? The General tab summarizes the key security settings and lgin prperties typically fund n the General, Server Rle, and Status tabs in the Micrsft SQL Server client. Fr mre infrmatin, see Micrsft Server Bks Online. What infrmatin des the Permissins tab prvide? The Permissins tab summarizes the key security settings and lgin prperties typically fund n the Explicit Permissins pane f the Securables tab f the Micrsft SQL Server client. Fr mre infrmatin, see Micrsft Server Bks Online.

24 Explre rle permissins The Rle Permissins windw allws yu t explre SQL Server permissin infrmatin fr specific rles n audited SQL Servers in yur enterprise. Hw d I find rle permissins fr a particular database? Yu can either type the database name int the database field r click the Brwse buttn t lcate it. Once yu have selected the database t search, select the rle t analyze by either typing the name int the rle field r by clicking the Brwse buttn t lcate it. Click the Shw Permissins buttn t see the results. Hw d I change the audit data I want t explre? T change which audit data yu are explring, click the hyperlink text that lists the date and time f the currently selected snapsht (by default, this date and time represents the last successful snapsht). Rle permissins summary The Summary tab n the Rle Summary tab includes SQL Server permissin settings fr the rle yu specified in the Rle Permissins search criteria. Hw d I use the Summary tab? Use the Summary tab t view the Rle prperties and membership, including specific lgins. Assigned rle permissins The Assigned Permissins tab lists all the explicitly defined and inherited permissins that apply t calculating the rle members' effective permissins. Yu can view permissins infrmatin fr the selected rle and any parent rle t which it belngs. Effective rle permissins The Effective Permissins tab lists all the effective permissins the selected rle has n bjects in the target database. Effective permissins are the net effect f assigned permissins and permissins inherited frm any parent rles. Be aware that calculating effective permissins can take several minutes t run. What infrmatin is n the Effective Permissins tab? The Effective Permissins tab cntains server and database permissin infrmatin fr the selected rle. This includes the bject names and types, the type f access granted t the rle members, and wh granted these permissins. What d I d n the Effective Permissins tab? Click Calculate Effective Permissins t view all the effective permissins the selected rle has (at the time the data cllectin was taken) n the SQL Server instance being audited. What d I d next? Yu can save the permissins infrmatin t an Excel spreadsheet, print the permissins search, r select a different user t search fr.

25 T save r print the permissins infrmatin, right-click the grid and chse the apprpriate ptin. Explre user permissins The Explre User Permissins windw allws yu t explre SQL Server permissin infrmatin fr specific users n audited SQL Servers in yur enterprise. Hw d I find permissins fr a particular user r user grup? SQLsecure prvides the ptin f simply typing in the name f the user fr whm yu wuld like t search permissins, r using a brwse buttn that lets yu view all the users and grups cntained in the cllected audit data (snapsht). Hw d I change the audit data I want t explre? T change which audit data yu are explring, click the hyperlink text that lists the date and time f the currently selected snapsht (by default, this date and time represents the last successful snapsht). Hw d I find the permissins assciated with a particular user? 1. Select the SQL Server instance yu wuld like t search frm the Audited SQL Servers list. 2. Select t search fr a user by either their Windws user name r SQL Lgin accunt. 3. Enter the accunt name f the user t search fr r click the Brwse buttn t lcate the specific user. 4. Enter the database t search r click the Brwse t select the apprpriate database. 5. Click Shw Permissins. User Permissin infrmatin appears n the bttm half f the windw. The infrmatin is displayed n fur separate tabs: Server Lgins, Database Users, Assigned Permissins, and Effective Permissins. 6. Click Save t save yur results r Print t print ut a listing f the user s permissins. Fr mre infrmatin n permissins, see Explre Permissins. Hw d I check the passwrd health f a user's lgin? Use the Object Permissins tab t check the passwrd health a specific SQL lgin. Yu can als cnfigure hw SQLsecure detects and enfrces passwrd health. Assigned user permissins The Assigned Permissins tab lists all the explicitly defined permissins that apply t calculating the users effective permissins. This includes grups, rles, and aliases as well as cvering permissins available in SQL Server 2005 r later. Effective user permissins The Effective Permissins tab lists all the effective permissins the user has n server and database bjects (cntained within the audit filter criteria setup by the user). Effective permissins are the net effect f assigned permissins, permissins inherited frm the grup r rle membership, and cvering permissins (SQL Server 2005 and later). Be aware that calculating effective permissins can take several minutes t run, depending n the number f permissins that have been granted and the cmplexity f yur security mdel. What infrmatin is n the Effective Permissins tab?

26 The Effective Permissins tab cntains server and database permissin infrmatin fr the selected user. This includes the bject names and types, the type f access granted t the user, and wh granted these permissins. What d I d n the Effective Permissins tab? Click Calculate Effective Permissins t view all the effective permissins the selected user has (at the time the data cllectin was taken) n the SQL Server instance being audited. What d I d next? Yu can save the permissins infrmatin t an Excel spreadsheet, print the permissins search, r select a different user t search fr. T save r print the permissins infrmatin, right-click the grid and chse the apprpriate ptin. User permissins summary The Summary tab f the User Permissins Explrer cntains SQL Server permissin settings fr the Windws accunt r SQL Server lgin yu specified in the User Permissins search criteria. Use the Summary tab t view which lgin permissins the individual user has, including the SQL Server rles t which the user belngs, and then print r save the results t an Excel spreadsheet. Select a Windws accunt The Select Windws User windw lists all the Windws users cntained in the snapsht yu are explring. Select the Windws accunt whse permissins yu want t explre, and then click OK. Hw d I search this list fr a particular accunt? Yur list may include many users and grups. SQLsecure makes the prcess f finding particular users easy. Click the Filter icn that is present in each clumn n the Select Windws User windw, and then either select the grup frm the list r click Custm t srt the list using the fllwing criteria: Srting Optin Starts with Cntains Ends with Des nt start with Des nt cntain Des nt end with Des nt match Nt Like Descriptin Enter the first character r characters in the clumn t filter yur list Enter a cmbinatin f letters r a name t filter yur clumn list Enter the last character r characters in the clumn t filter yur list Enter the first character r characters in the clumn t mit frm yur listing Enter a cmbinatin f letters r name t mit frm yur list Enter the last character r characters in the clumn yu want t mit frm the listing Enter the title yu wuld like t mit frm yur clumn listing Enter the name in the clumn yu wuld like t mit frm yur clumn listing and all thse names that are similar

27 Hw d I search Active Directry instead? Click Brwse Active Directry t search Active Directry fr the target Windws accunt r grup. This actin allws yu t select the user r grup frm yur Active Directry dmain cntrller rather than frm the selected snapsht. It is pssible the user r grup yu select has nt been granted permissins n the audited SQL Server instance. TIP T successfully view the user permissins, ensure yur lgin accunt has permissin t access the Active Directry dmain cntrller. Select a SQL Server lgin The Select SQL Server Lgin windw lists all f the SQL lgins cntained in the snapsht yu are explring. Select the lgin whse permissins yu want t explre, and then click OK. View all audited servers Use the Audited SQL Servers view t review which SQL Server instances and databases are being audited by SQLsecure. Clumns Audit Status Prvides the status f the last snapsht taken fr this instance. Database Prvides the name f each database hsted n the selected instance. Guest Enabled Indicates whether the guest accunt is enabled n the database. Last Audit Prvides the date and time when audit data was last cllected fr this instance. Owner Prvides the name f the wner fr each database. Server Prvides the name f the SQL Server instance. Status Prvides the status f each database, such as whether the database is available r ffline. Versin Prvides the versin f SQL Server that is running n each instance. View single server summary The Server Summary windw allws yu t view the fllwing: General SQL Server prperties Auditing status f the SQL Server instance

28 Audit histry What kind f infrmatin is cntained in SQL Server Prperties? SQL Server Prperties displays the name f the instance, the versin f SQL Server being used, and the Windws Operating System the SQL Server instance is perating n. What kind f infrmatin is cntained in Auditing Status? Auditing Status displays the status f the last cllectin, the date and time f the next scheduled cllectin, and basic statistics fr the latest snapsht. What kind f infrmatin is cntained in Audit Histry Audit Histry prvides detailed infrmatin abut yur snapsht, including the time it was taken, the cllectin statistics, audit filter infrmatin, and a listing f any suspect Windws accunts r unavailable databases that were encuntered while the Snapsht was being taken. Fr mre infrmatin n suspect Windws accunts, see Identify Suspect Windws Accunts. Fr mre infrmatin n unavailable databases, see Identify Unavailable Databases. The fllwing table describes the infrmatin displayed in each f the clumns: Item Date/Time Status Cmments Baseline Objects Permissins Lgins Grup Members Descriptin The date and time when the snapsht was taken The status f the snapsht (audit data cllectin) Descriptin f any issues the cllectr encuntered Whether r nt the snapsht is marked as a baseline The number f bjects audited in the snapsht The number f permissins cllected in the snapsht The number f lgins cllected in the snapsht The number f grup members cllected in the snapsht View snapsht summary The Snapsht Summary tab lists statistics and ther infrmatin abut the selected snapsht. TIP Lgin cunts may differ frm what is displayed in SQL Server 2005 r later. This cunt displays the number f Server Principles cllected. In SQL Server 2005 r later, Server Principles include Lgins, Server Rles, and Certificates, while in SQL Server 2000, principles include nly Lgins. What are snapshts? Each snapsht is a listing f permissin settings n a SQL Server instance at a particular pint in time. Yu can filter and schedule yur snapshts frm the Audit SQL Server Prperties windw. Cnsider taking snapshts n a rutine, scheduled basis. Because snapshts are taken ver time, they can be viewed t see when changes are made t user r bject permissins. Fr mre infrmatin n cnfiguring yur snapshts, see Audited SQL Server Prperties windw. What d I need t cnfigure befre cllecting snapshts?

29 Befre snapshts are taken, yu must tell SQLsecure what permissin data yu wuld like t cllect and when yu want SQLsecure t cllect it. Snapshts are cnfigured n the Audit Filters tab in the SQL Server Prperties windw. The Audit Filters tab allws yu t chse the permissin data that is mst imprtant t yu. After yu chse the apprpriate settings, yu can schedule the snapsht cllectin times n the Schedule tab. T cllect data abut SQL lgin passwrd health, use the Cnfigure Weak Passwrd Detectin windw. Hw d snapshts help me? Snapsht help yu assess and manage yur security settings. Snapshts represent the state f yur SQL Server security at a given pint in time. This prvides a pwerful tl yu can use t diagnse security prblems and quickly see where changes ccur. Hw d snapshts wrk? SQLsecure uses snapshts t capture security permissin settings n SQL Server instances at cnfigured intervals. At the scheduled time, a SQLsecure jb is executed and data is cllected frm the SQL Server instance t the Repsitry database. This data set represents a single snapsht and is accessed directly by the SQLsecure Cnsle. Hw d I manage my snapsht list? Snapshts are managed thrugh the grming prcess. Grming allws yu t determine which snapshts shuld be deleted frm the SQLsecure Repsitry. Yu can schedule grming t ccur n a rutine basis, ensuring yu keep nly the snapshts yu need. Fr mre infrmatin, see Grming. Keep in mind that snapshts assciated with saved assessments cannt be grmed. Be aware that snapshts that have been marked as baselines are nt grmed. Why d I need t mark a snapsht as a baseline? Baseline snapshts are snapshts that will nt be deleted in the grming prcess. When snapsht shuld be marked as baseline When yu take yur first snapsht At the end f the mnth, quarter, r year When yu implement a new security mdel When yu ntice prblems r irregularities in permissin settings in a snapsht Imprtance T have a starting pint t use t identify changes t permissins ver time T track cmpliance t yur database security plicies T identify unwanted changes r issues with the new mdel T analyze the issue t crrect prblems and change permissins settings Hw d I use snapshts? Use the fllwing tasks t cnfigure and manage yur snapshts. Cnfigure snapshts n the Audited SQL Server Prperties windw Schedule snapsht cllectin times n the Audited SQL Server Prperties windw Explre user permissins n the Explre Permissins view Mark a snapsht as a baseline frm the Audit Histry tab n the Explre Permissins view Delete snapshts that yu d nt want t keep frm the Audit Histry tab n the Explre Permissins view Cllect audit data manually by selecting Take Snapsht Nw frm the File menu

30 Hw d I reslve grup names and grup memberships acrss multiple dmains? Using a single accunt t reslve grup names and enumerate grup memberships can be prblematic when SQL Server grants permissins t accunts acrss multiple externally trusted dmains. In this situatin, the server accunt specified n the Audited SQL Server Prperties windw shuld be an accunt that has been granted access t these external dmains. This can be accmplished by either setting up tw-way trusts between the accunt's dmain and the external dmains, r by creating pass-thrugh accunts n all the external dmains. View Windws accunts in snapsht The Windws Accunts tab lists the cllected Active Directry users and grups that have permissins n SQL Server bjects such as database tables. This tab als displays the assciated dmain, accunt name, type, and access infrmatin fr each accunt. What is the difference between Windws and OS Windws accunts? Windws Accunts Users and grups that have access t SQL Server bjects, such as database tables, either thrugh assciatin with a SQL lgin r permissins inherited frm grup membership OS Windws Accunts Users and grups that have access t OS bjects, such as registry keys r files, either thrugh direct permissin assignment r grup membership View OS Windws accunts in snapsht The OS Windws Accunts tab lists the cllected Active Directry users and grups that have permissins n OS bjects such as registry keys. This tab als displays the assciated dmain, accunt name, type, and access infrmatin fr each accunt. What is the difference between Windws and OS Windws accunts? Windws Accunts Users and grups that have access t SQL Server bjects, such as database tables, either thrugh assciatin with a SQL lgin r permissins inherited frm grup membership OS Windws Accunts Users and grups that have access t OS bjects, such as registry keys r files,either thrugh direct permissin assignment r grup membership Identify suspect Windws accunts The Suspect Windws Accunts tab lists the Windws user accunts abut which SQLsecure was unable t retrieve infrmatin when the snapsht was taken. Windws accunts are Active Directry users and grups that have permissins n SQL Server bjects. What infrmatin is available abut suspect Windws accunts? Fr each suspect accunt, the fllwing infrmatin is available:

31 Clumn Descriptin Dmain Accunt Type Lists the dmain the suspect accunt resides in Lists the name f the accunt Lists the type f accunt that is suspect What ptins can I set n this tab? Yu can set ne f the fllwing ptins: Optin Grup By Save as Excel File Print Descriptin Allws yu t rganize the list by the clumn headers Allws yu t save yur suspect windws accunts list t an Excel file Allws yu t print ut yur list When des SQLsecure cnsider an accunt suspect? A Windws accunt is cnsidered suspect when SQLsecure cannt validate the accunt in Active Directry. Sme cmmn causes are: The user accunt has been deleted The cllectin credentials d nt have sufficient permissins t access Active Directry A ne-way trust exists between the dmain f the cllectin credentials and the dmain f the Windws accunt The accunt is a well-knwn grup, such as Everyne r Terminal Server User, whse membership is hidden by Active Directry and therefre cannt be cllected Yu can cnfigure SQLsecure t use a pass-thrugh accunt t successfully cllect Windws accunt infrmatin when encuntering ne-way trusted dmains. A pass-thrugh accunt is an accunt that has the same name and passwrd as the accunt specified fr gathering grup membership infrmatin. A pass-thrugh accunt des nt require elevated Windws privileges in the trusted dmain. Fr mre infrmatin, search fr "pass-thrugh accunt" n the Micrsft Help and Supprt Web site (supprt.micrsft.cm). Identify suspect OS Windws accunts The Suspect OS Windws Accunts tab lists the Windws user accunts abut which SQLsecure was unable t retrieve infrmatin when the snapsht was taken. OS Windws accunts are Active Directry users and grups that have permissins n OS bjects such as registry keys. What infrmatin is available abut suspect OS Windws accunts? Fr each suspect accunt, the fllwing infrmatin is available: Clumn Dmain Descriptin Lists the dmain the suspect accunt resides in

32 Clumn Accunt Type Descriptin Lists the name f the accunt Lists the type f accunt that is suspect What ptins can I set n this tab? Yu can set ne f the fllwing ptins: Optin Grup By Save as Excel File Print Descriptin Allws yu t rganize the list by the clumn headers Allws yu t save yur suspect windws accunts list t an Excel file Allws yu t print ut yur list When des SQLsecure cnsider an accunt suspect? An OS Windws accunt is cnsidered suspect when SQLsecure cannt validate the accunt in Active Directry. Sme cmmn causes are: The user accunt has been deleted The cllectin credentials d nt have sufficient permissins t access Active Directry A ne-way trust exists between the dmain f the cllectin credentials and the dmain f the Windws accunt The accunt is a well-knwn grup, such as Everyne r Terminal Server User, whse membership is hidden by Active Directry and therefre cannt be cllected Yu can cnfigure SQLsecure t use a pass-thrugh accunt t successfully cllect Windws accunt infrmatin when encuntering ne-way trusted dmains. A pass-thrugh accunt is an accunt that has the same name and passwrd as the accunt specified fr gathering grup membership infrmatin. A pass-thrugh accunt des nt require elevated Windws privileges in the trusted dmain. Fr mre infrmatin, search fr "pass-thrugh accunt" n the Micrsft Help and Supprt Web site (supprt.micrsft.cm). Identify unavailable databases The Unavailable Databases tab lists the databases abut which SQLsecure was unable t cllect SQL Server security data. What des the database status mean? SQLsecure displays ne f the fllwing status messages fr each database listed: Status Message Database is lading r exclusively lcked Suspect Nt Accessible Descriptin SQLsecure is unable t audit the database because it is either being backed up r has been therwise lcked. SQLsecure is unable t reprt any data n the database. SQLsecure is unable t access the database. This culd be because the database has been mved r deleted.

33 What ptins can I set n this tab? Yu can set ne f the fllwing ptins: Optin Grup By Save as Excel File Print Descriptin This buttn allws yu t rganize the list by the clumn headers This buttn allws yu t save yur suspect windws accunts list t an Excel file This buttn allws yu t print ut yur list View filters fr a snapsht The Filter tab lists the cllectin filters that SQLsecure uses t cllect audit data frm yur registered SQL Server instances and create a snapsht. Each filter rule defines which data, such as permissins n user tables in a specific database, is cllected and included in this snapsht. Fr mre infrmatin abut hw filters wrk, see Use Filters t Specify which Data is Cllected. Viewing snapsht prperties The Snapsht Prperties windw cntains detailed infrmatin abut yur snapsht, including: date and time audit data was cllected, and the status cllectin statistics hw audit data was filtered during cllectin listing f any suspect Windws accunts r unavailable databases Hw d I access the Snapsht Prperties windw? Yu can access the Snapsht Prperties windw by right-clicking a snapsht n the Explre Permissins view.

34 Assess Yur Security Mdel The Security Summary view allws yu t check the status f yur security plicies at the enterprise and SQL Server instance levels. This view includes the verall plicy status, a security reprt card that lists security risks, the settings f each f yur SQL Server instances, and the assciated user accunts. What type f infrmatin is available at the enterprise level? The Security Summary view includes the fllwing enterprise-level infrmatin: Plicy Status Displays the number f security risks assciated with the selected plicy and a break dwn f the risk levels. Enterprise Security Reprt Card Displays the risks fund n all SQL Server instances assigned t the selected plicy. Enterprise Settings Allws yu t view and cmpare general and security-related settings acrss yur SQL Server instances. Enterprise Users Lists the user accunts and accunt settings fr the SQL Server instances assigned t the selected plicy. What type f infrmatin is available the server level? The Security Summary view includes the fllwing server-level infrmatin: Server Status Displays the number f security risks fund by yur plicy n selected SQL Server instance. Server Security Reprt Card Displays all risks discvered n a specific SQL Server instance assigned t the selected plicy. Server Settings Lists the general and security-related settings fr yur SQL Server instance. Server Users Lists the user accunts and accunt settings fr the assciated SQL Server instance. Select audit data fr assessment Use the Select Audit Data windw t change which audit data (snapshts) the selected plicy is using t perfrm the assigned security checks. Chsing a different set f audit data may alter the plicy findings. After yu chse a new data set, SQLsecure updates the plicy. By default, SQLsecure always uses the mst recent audit data available. When shuld I select different audit data? Cnsider refreshing the audit data when:

35 Yur envirnment has changed and yu need t re-run the assessment against the mst recent audit data Yu have respnded t a high r medium risk by adjusting a security setting in yur envirnment and thus need t validate yur change Yu want t run the same plicy against a pint in time in the past, such as last week r last mnth Why wuld I use baseline snapshts nly? Baseline snapshts can be used as a guide abut hw yur SQL Server security mdel shuld be cnfigured. By running yur plicy against baseline snapshts nly, yu can test the thrughness f this guide. Analyze enterprise security The Enterprise Security Summary displays the status f yur security plicies at the enterprise level. By default, SQLsecure displays the All Servers plicy assessment. TIP By default, the All Servers plicy enfrces the Idera Level 2 - Balanced template. Fr mre infrmatin, see hw plicy templates can help yu achieve yur SQL Server security gals. T see the Enterprise Security Summary fr a specific plicy, select the plicy frm the Plicies tree n the Security Summary view. The fllwing infrmatin is available frm the Enterprise Security Summary: Enterprise Security Reprt Card Enterprise Security Settings Enterprise Security Users View Enterprise Reprt Card The Enterprise Security Reprt Card lists the security check findings fr all SQL Server instances that have been assigned t the selected plicy. Hw are the risks rganized n the Enterprise Security Reprt Card? The default view f the Security Reprt Card displays all the assciated security findings, frm highest t lwest risk, as cnfigured in yur plicy. Yu can select security risk categries alng the left side f the reprt card t filter the reprt card accrdingly. What is the Server Status? The Server Status sectin lists the number f security check vilatins fund alng with the level f risks assciated with these findings. This status includes findings fr all servers assciated with the selected plicy. Hw can I get mre infrmatin n discvered risks? The fllwing areas f SQLsecure can prvide detailed infrmatin n the assciated risks: Settings The Settings tab f the Security Summary lists the detailed SQL Server settings assciated with the SQL Server instances assigned t yur plicy.

36 Users The Users tab f the Security Summary lists the security settings f the SQL Server lgins and Windws accunts assciated with the SQL Server instances assigned t yur plicy. View settings acrss all servers The Settings tab lists the security settings cllected fr all SQL Server instances assciated with this plicy. By default, SQLsecure srts this data by setting name. T srt by instance name, click By Server in the grid menu bar. Yu can view a mre detailed list f settings, and edit the way SQLsecure cllects data frm a SQL Server instance, by duble-clicking the SQL Server instance frm the By Server list. View user security acrss all serverss The Users tab allws yu t view all the user accunts assciated with the SQL Server instances assigned t the selected plicy. TIP Yu can right click n a particular user accunt rw and select Shw Permissins t explre user permissins and see mre detailed security infrmatin abut the selected accunt. What infrmatin is displayed n the Users tab? The fllwing infrmatin is displayed n the Users tab: Lgin Name The full lgin name f the assciated accunt SQL Server Type Name f the SQL Server instance the lgin is assciated with Lgin permissin type (Windws Grup r SQL Lgin) Server Access Whether r nt the user has access n the SQL Server instance Server Deny Whether r nt the user is denied access t the SQL Server instance Disabled Whether r nt the user accunt is disabled Expiratin Checked Whether r nt the passwrd expiratin is checked Plicy Checked Whether r nt the assciated plicy is checks fr this user accunt Passwrd Health Whether r nt the passwrd assciated with the accunt is cnsidered weak. Yu can cnfigure hw SQLsecure detects weak passwrds. Pssible passwrd health states include:

37 Passwrd health state Blank Matches lgin name N/A OK Weak What it means The passwrd fr this lgin is either blank r null, which means n passwrd is required fr authenticatin r successful cnnectin t databases hsted by yur audited SQL Server instances. The passwrd fr this lgin matches the name f the lgin. The passwrd fr this lgin was nt checked, mst likely because the lgin is a Windws user accunt. This lgin mst likely has a strng passwrd because the passwrd des nt match any f the wrds and phrases in the Default Weak Passwrds list r the additinal and custm passwrds yu specified. The passwrd fr this lgin matches ne r mre f the wrds and phrases in the Default Weak Passwrds list r the additinal and custm passwrds yu specified. Default Language The language that is set as the default fr the user accunt Default Database The database that this lgin cnnects t and queries when n ther database is specified Analyze server security The Server Security Summary displays the status f yur security plicies at the instance level. T see the Server Security Summary fr a plicy, expand the crrespnding plicy nde in Servers in Plicy tree, and then select the target SQL Server instance. The fllwing infrmatin is available frm the Server Security Summary: Server Security Reprt Card Server Security Settings Server Security Users View Server Reprt Card The Server Security Reprt Card lists the security checks evaluated fr the selected SQL Server instance.

38 Hw are the risks rganized n the Server Security Reprt Card? The default view f the Security Reprt Card displays all the assciated security findings, frm highest t lwest risk, as cnfigured in yur plicy. Yu can select security risk categries alng the left side f the reprt card t filter the reprt card accrdingly. What is the Server Status? The Server Status sectin lists the number f security check vilatins fund alng with the level f risk assciated with these findings. This status reflects the findings fr the selected instance nly. Hw can I get mre infrmatin n discvered risks? The fllwing areas f SQLsecure can prvide detailed infrmatin n the assciated risks: Settings The Settings tab f the Security Summary lists the detailed SQL Server settings assciated with the selected SQL Server instance. Users The Users tab f the Security Summary lists the lgins assciated with the plicy alng with accunt infrmatin. View settings n this instance Yu can view a mre detailed list f settings, and edit the way SQLsecure cllects data frm a SQL Server instance, by duble-clicking the SQL Server instance frm the By Server list. View user security n this instance The Users tab allws yu t view all the user accunts assciated with the selected SQL Server instance. TIP Yu can right click n a particular user accunt rw and select Shw Permissins t explre user permissins and see mre detailed security infrmatin abut the selected accunt. What infrmatin is displayed n the Users tab? The fllwing infrmatin is displayed n the Users tab: Lgin Name Type The full lgin name f the assciated accunt Type f lgin (SQL Lgin, Windws User, Windws Grup, and Certificate Mapped Lgin) Server Access Whether r nt the user has access n the SQL Server instance Server Deny Whether r nt the user is denied access t the SQL Server instance Disabled Whether r nt the user accunt is disabled

39 Expiratin Checked Whether r nt the passwrd expiratin is checked Plicy Checked Whether r nt the assciated plicy is checks fr this user accunt Passwrd Health Whether r nt the passwrd assciated with the accunt is cnsidered weak. Yu can cnfigure hw SQLsecure detects weak passwrds. Pssible passwrd health states include: Passwrd health result Blank Matches lgin name N/A OK Weak What it means The passwrd fr this lgin is either blank r null, which means n passwrd is required fr authenticatin r successful cnnectin t databases hsted by yur audited SQL Server instances. The passwrd fr this lgin matches the name f the lgin. The passwrd fr this lgin was nt checked, mst likely because either the lgin is a Windws user accunt r weak passwrd detectin is disabled. This lgin mst likely has a strng passwrd because the passwrd des nt match any f the wrds and phrases in the Default Weak Passwrds list r the additinal and custm passwrds yu specified. The passwrd fr this lgin matches ne r mre f the wrds and phrases in the Default Weak Passwrds list r the additinal and custm passwrds yu specified. Default Language The language that is set as the default fr the user accunt Default Database The database that this lgin cnnects t and queries when n ther database is specified Define plicies fr custm assessments Plicies are security standards implemented t mnitr specific risks n ne r mre SQL Server instances. SQLsecure uses plicies t assess yur SQL Server security mdels by perfrming specific security checks. Each security check has a default value and assciated risk level based n knwn industry regulatins and best-practices. Yu can add, remve, r edit security checks in any plicy. Once a plicy is cnfigured, SQLsecure examines yur audit data and displays any fund risks n the Security Summary view. Yu can create multiple security plicies, allwing yu the flexibility t have several different standards that cver the varying security needs f yur envirnment. Cnsider using the built-in plicy templates t create plicies that enfrce industry standards and bestpractice security guidelines. TIP Yu can cnfigure SQLsecure t send ntificatins as security risks are fund. Fr example, yu can receive ntificatins when high and medium risks are fund. Fr mre infrmatin, see Ntificatins. Yu can perfrm the fllwing actins:

40 Create Plicies Edit Plicy Settings Imprt Plicies Exprt Plicies Use plicy templates t harden yur security mdel Yu can use the built-in Idera and industry standard plicy templates t further harden yur SQL Server security mdel. By creating plicies frm these templates, yu can enfrce cnsistent security settings acrss yur enterprise, and practively assess when and where vulnerabilities exist. Yu can als custmize new plicies based n these templates t further address yur specific security needs. When shuld I use plicy templates? Cnsider using plicy templates when yu: Must enfrce an industry standard such as CIS, SRR, HIPAA, r PCI Need a mre rbust and cmprehensive assessment f yur security mdel than what Micrsft Best Practices can ffer What are the available templates? Idera Level 1 - Basic Prtectin Establishes a realistic entry-level baseline fr SQL Server databases whse third-party applicatins d nt interface with the Wrld Wide Web. This template enfrces MSBPA guidelines as well as additinal security checks fr lgins, permissins, and ther vulnerabilities. Idera Level 2 - Balanced Prtectin Establishes a mre secure baseline fr prductin SQL Server databases that are cnfigured t supprt external cnnectivity while prtecting against the mst ppular intrusin tactics. This template cmbines the CIS and MSBPA guidelines as well as additinal security checks fr permissins, cnfiguratins, and ther vulnerabilities. Idera Level 3 - Strng Prtectin Enables the maximum security checks fr missin-critical SQL Server databases that supprt Web-based, B2B, B2C, r external clients t prevent unauthrized disclsure and data tampering. This template cmbines Idera Level 1 and Level 2 guidelines with SRR regulatins. Als included are additinal security checks fr auditing, permissins, surface area cnfiguratins, and ther vulnerabilities. CIS fr SQL Server 2000 Enfrces security check settings derived frm the Center fr Internet Security - Security Cnfiguratin Benchmark fr Micrsft SQL Server 2000, V 1.0, December, CIS fr SQL Server 2005 r later Enfrces security check settings derived frm the Center fr Internet Security - Security Cnfiguratin Benchmark fr Micrsft SQL Server 2005, V 1.2.0, January 12, This versin can als be applied t SQL Server 2008 and later.

41 HIPAA Guidelines fr SQL Server Leverages the Health Insurance Prtability and Accuntability Act (HIPAA) guideline as well as the Department f Defense Database Security Technical Implementatin Guide (STIG) versin 8 release 1.7. These guidelines target cnditins that undermine the integrity f security, cntribute t inefficient security peratins and administratin, r may lead t interruptin f prductin peratins fr health infrmatin that resides n Micrsft SQL Server. MS Best Practices Analyzer Enfrces security check settings derived frm the Micrsft SQL Server 2005 Best Practices Analyzer Security Recmmendatins. PCI 2.0 Guidelines fr SQL Server Enfrces security check settings derived frm the Payment Card Industry (PCI) v2.0 regulatry standard. This standard applies t missin critical databases hsted by internal r external services that stre payment card infrmatin. SNAC fr SQL 2000 Enfrces security check settings derived frm the Guide t the Secure Cnfiguratin and Administratin f Micrsft SQL Server 2000, Netwrk Applicatins Team f the Systems and Netwrk Attack Center (SNAC). SRR Checklist fr SQL Server 2000 Enfrces security check settings derived frm the DISA fr a security readiness review (SRR) f a Micrsft SQL Server RDBMS installed in a Windws NT r Windws 2000 hst peratin system envirnment. SRR Checklist fr SQL Server 2005 r later Enfrces security check settings derived frm the Database Security Readiness Review (SRR) v8 r1.7. This SRR targets cnditins the undermine the integrity f security, cntribute t inefficient security peratins and administratin, and may lead t interruptin f prductin peratins. This versin can als be applied t SQL Server 2008 and later. Hw d I knw which Idera template t pick? Use the industry standard plicy templates, such as the CIS fr SQL Server 2005 template, when yur envirnment needs t meet the exact security criteria defined by that regulatry rganizatin. Hwever, yur envirnment may cntain SQL Server instances that nly need t fllw yur crprate security plicies. In thse cases, yu can create new r enhance existing crprate plicies based n the built-in Idera security level templates. The Idera Level 1, Level 2, and Level 3 templates allw yu t mature yur SQL Server security mdel ver time, graduating frm a slid baseline t an intermediate level t a mre advanced and hardened apprach. Each level is based n regulatry mdels and industry best-practices as well as additinal security checks that identify vulnerabilities ther standards d nt address. The default All Servers plicy enfrces the Idera Level 2 - Balanced template. Use the fllwing table t determine which Idera security level template fits yur current security needs and hw yur envirnment fits int the verall security maturatin mdel. Idera Level Maturatin Level Security Level Types f SQL Server Instances Types f Business Regulatry Mdel Unique Security Checks 1 - Basic Prtectin Beginner Baseline Test, develpment, and lw-risk prductin instances Services internal grups by hsting data fr third-party applicatins and des nt require cnnectins t external clients MSBPA plus additinal checks SA accunt has blank passwrd Any SQL

42 Idera Level Maturatin Level Security Level Types f SQL Server Instances Types f Business Regulatry Mdel Unique Security Checks Server lgin has blank passwrd Public server rle has been granted permissins 2 - Balanced Prtectin Intermediate Medium Average prductin instances Services internal and external grups that require external cnnectivity t hsted data CIS and MSBPA plus additinal checks Sysadmins wn trustwrthy databases Public server rle has been granted permissins File permissins n executables are nt acceptable SQL lgins have weak passwrds 3 - Strng Prtectin Advanced High Missin-critical, sensitive, and high-risk prductin instances Services internal and external grups by hsting data fr Web-based, B2B, B2C, r external clients CIS, MSBPA, and SRR, plus additinal checks and auditing Required administrative accunts d nt exist xp_cmdshell prxy accunt exists SA accunt is nt using passwrd plicy Public database rle has unacceptable permissins SSIS data-

43 Idera Level Maturatin Level Security Level Types f SQL Server Instances Types f Business Regulatry Mdel Unique Security Checks base rle and stred prcedure permissins OS versin is at acceptable level Add new nlicy The Create Plicy wizard allws yu t add a custm plicy t SQLsecure. As a part f this wizard, yu will name the plicy, select the security checks and their assciated risk levels, assign the SQL Server instances yu want t assess, and specify additinal internal review ntes t include in the Risk Assessment reprt. When yu create a plicy, yu can chse ne f the built-in templates based n knwn industry regulatins and best-practices. TIP Individual SQL Server instances can belng t multiple security plicies. Fr mre infrmatin n adding SQL Server instances t a plicy, see Assign SQL Servers t Plicy. Hw d plicies wrk? By default, SQLsecure assesses the latest audit data fr each SQL Server instance, using the plicy's security check criteria t identify issues. Yu can als chse t assess audit data frm a histrical pint in time. Review the plicy assessment in the fllwing ways: Security Summary The Enterprise and Server Security Summary display the results f yur plicy assessments. Reprts Yu can run reprts, such as the Risk Assessment reprt, n the plicy r n specific SQL Server instances. Ntificatins Yu can cnfigure ntificatins t be sent, at each scheduled snapsht, when security risks are encuntered. Hw d I pen the SQLsecure Create Plicy wizard? Click Create a Plicy n the Plicy Actins ribbn (n the Summary tab f the Security Summary). Select plicy template The Select the Plicy Template windw allws yu t chse t create a new plicy "frm scratch" r base yur plicy n a built-in template. What are plicy templates? Plicy templates are bilerplate plicies whse security check definitins reflect knwn industry regulatins and security best-

44 practices. Althugh yu may chse t start with a template, yu can later add, edit, r remve security checks as needed. Fr mre infrmatin, see hw plicy templates can help yu achieve yur SQL Server security gals. Can I create my wn templates? Yes. Yu can create plicy templates by exprting cnfiguratin settings frm a specific plicy t an XML file. Then, yu can later reuse these settings by creating new plicies based n this template. Fr mre infrmatin, see Imprt Plicy. Specify plicy prperties The Name the Plicy windw allws yu t give yur plicy a name and a descriptin. It is imprtant t give yur plicies easily identifiable names and prvide descriptins that help yu select the apprpriate plicy during audits. The plicy name and descriptin can be changed later using the Plicy Prperties windw. Select security checks The Cnfigure the Plicy windw allws yu the define the security checks this plicy shuld use t evaluate yur audit data. Security checks assess the vulnerability f specific Windws OS and SQL Server bjects based n yur criteria. After security checks are cnfigured and yur SQL Server instances are assigned t the plicy, yu can view the assessment results n the Security Summary view and n the Risk Assessment Reprt. In additin, yu can cnfigure ntificatins t be sent ut when a particular risk level has been passed. Fr mre infrmatin, see Cnfigure Ntificatins. TIP When security checks are setup fr yur plicies, it is imprtant that accurate criteria is entered. Fr example, a typ in the Windws Operating System Versin metric criteria culd cause errneus findings. What security check settings can I cnfigure? Reprt Text This text displays n yur plicy reprts, such as the Risk Assessment reprt. By default, SQLsecure prvides a reprt text questin fr each security check. Yu can edit this questin s that it better fits yur audit reprting needs. Fr example, the Prtcls security check includes the reprt text Are unexpected Prtcls enabled?. If unexpected prtcls are enabled, the reprt displays this questin as well as the SQL Server instances n which the vulnerability was fund. External Crss Reference This field allws yu t crss reference a security vulnerability included in yur reprt t a number r name cntained in an external security standard, such as a specific HIPAA regulatin. Risk Level This ptin allws yu t set the severity f the risk psed by this finding. The risk level is imprtant because it reflects hw severe r risky a particular security finding is fr yur envirnment, allwing yu t further custmize security checks t meet yur exact auditing needs. Fr example, finding an enabled Guest accunt n ne instance may be a high risk, but n anther instance it may be a lw risk. The risk level als determines where the crrespnding security finding appears n the plicy r assessment Reprt Card and whether r nt ntificatins will be sent.

45 Criteria Sme security checks allw yu t cnfigure the assessment criteria, such as specific user accunts, stred prcedures, r the lgin audit level. Text entered in this field must use the exact spelling f the bject being checked. If the criteria fr this check is entered incrrectly, it may fail t crrectly display its finding in the Reprt Card. TIP Sme security check criteria supprt using the percent wildcard character (%) t specify bjects whse names apply a naming cnventin. Fr example, t specify all users whse lgn starts with sql, enter the fllwing syntax: dmain\sql%. When I am creating a new plicy "frm scratch", why are security checks already enabled? Even thugh yu are creating a plicy "frm scratch", SQLsecure has enabled several cmmn security checks yu may need, t help yu cnfigure yur plicy quickly and easily. These security checks are als included in the default All Servers plicy. Yu can add, edit, r disable any security check as needed. TIP By default, the All Servers plicy enfrces the Idera Level 2 - Balanced template. Fr mre infrmatin, see hw plicy templates can help yu achieve yur SQL Server security gals. What is the Imprt Settings ptin? This ptin allws yu t imprt security check definitins frm either a built-in plicy template r an existing plicy whse settings yu previusly exprted. Assign SQL Servers The Assign SQL Servers t the Plicy windw allws yu t chse the registered SQL Server instances yu want t audit and add them t the plicy yu are creating. Each registered SQL Server instance can belng t multiple plicies. Later, yu can use Audited SQL Servers tab f the Plicy Prperties windw t change which instances belng t this plicy. Fr mre infrmatin, see Audited SQL Servers. Enter Internal Review Ntes Use the Internal Review Ntes windw t specify text r questins that SQLsecure shuld include in yur Risk Assessment and Assessment Cmparisn reprts.these ntes can serve as a questinnaire t be used fr manually gathering additinal data that may be required in yur assessment. Review plicy summary The Cmpleting SQLsecure New Plicy Wizard windw lists all the details f the plicy yu are creating. Click Finish t add yur plicy t SQLsecure. Yur new plicy will nw display in the Plicies tree n the Security Summary where yu can see the assigned SQL Server instances and determine their cmpliance with yur plicy. Edit plicy settings The Plicy Prperties windw allws yu t quickly edit yur plicy settings. Changes made n the Plicy Prperties windw are instantly applied t yur plicy. The fllwing windws are available n the Plicy Prperties windw:

46 General Plicy Settings Security Checks Audited SQL Servers Internal Review Ntes Change plicy prperties The General tab f the Plicy Prperties windw allws yu t update the name and descriptin f the selected plicy. The plicy name appears n the Security Summary windw and in the Plicies tree. Change plicy security checks Security checks assess the vulnerability f specific Windws OS and SQL Server bjects based n yur criteria. After security checks are cnfigured and yur SQL Server instances are assigned t the plicy, yu can view the results n the Security Overview windw and n the Risk Assessment Reprt. In additin, yu can cnfigure ntificatins t be sent ut when a particular risk level has been passed. Fr mre infrmatin, see Cnfigure Settings. TIP When security checks are setup fr yur plicies, it is imprtant that accurate criteria is entered. Fr example, a typ in the Windws Operating System Versin metric criteria culd cause errneus findings. Fields Yu can update the fllwing fields: Criteria Sme security checks allw yu t enter criteria the plicy will check fr, such as specific user accunts, stred prcedures, r the lgin audit level. Text entered int these fields must be the exact spelling f the bject r user being checked. If the criteria fr any given security check is entered incrrectly, the risk will appear in the Security Reprt Card. Select the risk and yu can see the crrect criteria names in the Details sectin. Open the Plicy details windw and enter the crrect name n the Security Checks tab. TIP Sme security check criteria supprt using the percent wildcard character (%) t specify bjects whse names apply a naming cnventin. Fr example, t specify all users whse lgn starts with sql, enter the fllwing syntax: dmain\sql%. External Crss Reference Allws yu t crss reference a security vulnerability included in yur reprt t a number r name cntained in an external security standard. Reprt Text The text entered in this field appears n yur plicy reprts. Fr example, the Prtcls security check includes the reprt text Are unexpected Prtcls enabled?.when unexpected prtcls are enabled, the reprt displays the SQL Server instances where the risk is encuntered.

47 Risk Level Allws yu t set the severity f the risk psed by this finding. The risk level is imprtant because it reflects hw severe r risky a particular security finding is fr yur envirnment, allwing yu t further custmize security checks t meet yur exact auditing needs. Fr example, finding an enabled Guest accunt n ne instance may be a high risk, but n anther instance it may be a lw risk. The risk level als determines where the crrespnding security finding appears n the plicy r assessment Reprt Card and whether r nt ntificatins will be sent. Change SQL Servers audited by plicy The Audited SQL Servers tab allws yu t change which registered SQL Server instances are assigned t this plicy. Yu can add r remve instances frm this plicy t better match yur auditing needs. Each registered SQL Server instance can belng t multiple plicies. Edit the instance list, and the click OK. SQLsecure autmatically re-assesses the plicy based n this new scpe. Change Internal Review Ntes in plicy The Internal Review Ntes tab allws yu t edit the manually-cllected data applied t yur plicy. Manually-cllected data is security infrmatin that cannt be gathered and assessed thrugh SQLsecure. SQLsecure includes yur Internal Review Ntes t the Risk Assessment reprt, prviding a fuller picture f yur security status. These ntes can als serve as a questinnaire t be used fr manually gathering additinal data that may be required t fully enfrce yur plicy. T edit these ntes, click inside the prvided text bx and enter yur changes. Exprt plicies The Exprt Plicy windw allws yu t save the currently selected plicy as a template t base ther plicies n. T exprt yur plicy, brwse t the desired lcatin yu want t stre yur plicy template, enter a file name, and click Save. Imprt plicies The Imprt Plicy windw allws yu t chse t either add a plicy template r previusly exprted plicy t the Plicy tree. Once the plicy is selected, yu can then cnfigure the plicy and select the SQL Server instances t add t the plicy. Hw d I imprt a plicy? 1. If yu want t imprt frm a plicy template, select the Imprt frm plicy template bx, select the template t imprt, and then click OK. Fr mre infrmatin, see hw plicy templates can help yu achieve yur SQL Server security gals. If yu want t imprt a previusly exprted template, select the Imprt previusly exprted plicy bx and click Brwse t lcate the plicy template. 2. Select each f the tabs n the Imprt Plicy windws and perfrm the fllwing actins t cnfigure the plicy. Plicy assessments By creating and cmparing plicy assessments, yu can integrate yur SQLsecure plicies int yur existing audit prcess.

48 What is the recmmended assessment wrkflw? 1. Save as draft. 2. Publish assessment. 3. Apprve assessment. Hw d I use saved assessments in my existing audit prcess? Yur Audit Prcess Step Prepare fr upcming audit. Set up the security requirements requested by the auditrs. Get yur security status and findings. Identify differences frm last time this audit was perfrmed. Distribute the assessment findings t an internal team t investigate any new vilatins r discrepancies. Cnfirm that vilatins were fixed. Dcument any discrepancies as knwn issues. Give assessment t auditrs. Apply feedback frm auditrs. Obtain "sign-ff". Crrespnding Assessment Step Create a draft assessment frm an existing plicy r previusly apprved assessment. Update the draft assessments t address the audit requirements. Yu can change the security check settings, chse different audit data, and add r remve SQL Server instances. Run the draft assessment using audit data frm a specific pint in time. Cmpare the draft assessment t a previusly apprved assessment. Publish the assessment and distribute t the team. T distribute the assessment, run the Risk Assessment reprt, and then print r save the results. Take a new snapsht and then run the published assessment using yur new audit data. Add an explanatin nte fr each security check finding that is a knwn issue. Run the Risk Assessment reprt, and then print r save the results. Update the published assessment t address the auditrs' feedback. Yu can change the security check settings, add r remve explanatin ntes, and change which instances are being audited. Apprve the assessment. Save new assessment Use the Save as New Assessment windw t create a new assessment that uses the same audit data and settings f an existing assessment. Specify a unique name and descriptin fr this new assessment, and then click OK. TIP Cnsider using a name and descriptin whse details will help yu later when yu refer back t this assessment. Explanatin ntes assciated with security checks in the selected assessment are nt cpied t the new assessment. T transfer ntes frm ne assessment t anther, cmpare the assessment security checks and then select which explanatin ntes yu want t cpy.

49 Refresh audit data Use the Refresh Audit Data windw t change which audit data (snapshts) this assessment is using t perfrm the assigned security checks. Chsing a different set f audit data may alter the assessment findings. After yu chse a new data set, SQLsecure updates the assessment. When shuld I refresh the audit data? Cnsider refreshing the audit data when: Yur envirnment has changed and yu need t re-run the assessment against the mst recent audit data Yu have respnded t a high r medium finding by adjusting a security setting in yur envirnment and need t validate yur change Yu want t run the same assessment against a pint in time in the past, such as last week r last mnth Why wuld I use baseline snapshts nly? Baseline snapshts can be used as a guide abut hw yur SQL Server security mdel shuld be cnfigured. By running yur plicy against baseline snapshts nly, yu can test the thrughness f this guide. Hw d I view which snapshts SQLsecure will use t analyze my security settings? Click View Snapshts t see a list f the snapshts SQLsecure will use. This list includes all available snapshts that were cllected up t the specified time perid. Edit Assessments Use the Edit Assessment windw t change basic prperties r hw the assessment perfrms its security evaluatin. Yu can: Edit prperties, such as the descriptin Chse different security checks Change which SQL Server instances are audited by this assessment Edit the internal review ntes assciated with this assessment Click the apprpriate tab, make the apprpriate changes, and then click OK. Change assessment prperties The General tab f the Assessment Prperties windw allws yu t update the name and descriptin f the selected assessment as well as any ntes yu want t prvide. The Ntes field allws yu t enter ntes, questins, and ther infrmatin abut this assessment. Use these ntes as a cheat sheet t remember details abut yur envirnment r security assessment frm ne audit t anther. This apprach ensures yu gather all the data yu need.

50 Change assessment security checks Security checks assess the vulnerability f specific Windws OS and SQL Server bjects based n yur criteria. The security checks perfrmed by the selected assessment were cpied frm the plicy assciated with this assessment. Yu can mdify the criteria f these checks t better fit yur auditing needs fr this assessment. Changes made t the assessment security checks will nt affect the assciated plicy. Fields Yu can update the fllwing fields: Criteria Sme security checks allw yu t enter criteria the plicy will check fr, such as specific user accunts, stred prcedures, r the lgin audit level. Text entered int these fields must be the exact spelling f the bject r user being checked. If the criteria fr any given security check is entered incrrectly, the risk will appear in the Security Reprt Card. Select the risk and yu can see the crrect criteria names in the Details sectin. Open the Plicy details windw and enter the crrect name n the Security Checks tab. TIP Sme security check criteria supprt using the percent wildcard character (%) t specify bjects whse names apply a naming cnventin. Fr example, t specify all users whse lgn starts with sql, enter the fllwing syntax: dmain\sql%. External Crss Reference Allws yu t crss reference a security vulnerability included in yur reprt t a number r label cntained in an external plicy, industry standard, r gvernment regulatin. Reprt Text The text entered in this field appears n yur plicy reprts. Fr example, the Prtcls security check includes the reprt text Are unexpected Prtcls enabled?. When unexpected prtcls are enabled, the reprt displays the SQL Server instances where the risk is encuntered. Risk Level Allws yu t set the severity f the risk psed by this finding. The risk level is imprtant because it reflects hw severe r risky a particular security finding is fr yur envirnment, allwing yu t further custmize security checks t meet yur exact auditing needs. Fr example, finding an enabled Guest accunt n ne instance may be a high risk, but n anther instance it may be a lw risk. The risk level als determines where the crrespnding security finding appears n the plicy r assessment Reprt Card and whether r nt ntificatins will be sent. Change Internal Review Ntes in assessment The Internal Review Ntes tab allws yu t edit the manually-cllected data applied t yur assessment. Manually-cllected data is security infrmatin that cannt be gathered and assessed thrugh SQLsecure. SQLsecure adds yur Internal Review Ntes t the Risk Assessment reprt, prviding a fuller picture f yur assessment status. These ntes can als serve as a questinnaire t be used fr manually gathering additinal data that may be required in yur assessment. T edit these ntes, click inside the prvided text bx and enter yur changes.

51 Edit explanatin ntes Use the Edit Explanatin Ntes windw t add r change the explanatin ntes assciated with this security check. Yu can specify a different explanatin nte fr each finding n each affected SQL Server instance. Explanatin ntes let yu clarify why a specific finding has been fund. Fr example, yu may need t justify why a high r medium risk finding shuld be ignred due t a special cnfiguratin r need in yur envirnment. When a finding is explained, SQLsecure regards the finding as "k" and changes the status f the security check in the assessment reprt card. If yu d nt want the finding t be regarded as "k", enter the apprpriate nte but leave the Explained ptin unchecked. TIP Yu can cpy explanatin ntes frm ne assessment t anther when yu cmpare the assessment security checks. Fields Server Risk Prvides the name f the SQL Server instance n which the security check fund a vilatin. Prvides the level f risk set fr this security check (high, medium, r lw). Explained Indicates whether this security check finding has been explained fr the specified instance. Ntes Displays the nte that has been entered abut each finding, per each affected SQL Server instance. Wrking with draft assessments Use draft assessments t fine-tune yur data and settings when yu begin yur audit prcess. Fr mre infrmatin abut hw t use saved assessments in yur audit prcess, see Save Assessments. What is a draft assessment? A draft assessment represents the first step, r stage, in the audit prcess. Draft assessments typically cntain yur initial findings, including any discrepancies that shuld be investigated befre yur review. When yu save a new assessment, it is autmatically set t draft mde. Yu can update and change draft assessments as ften as yu want. Hwever, changes made in draft mde are nt tracked. Use the draft mde t set up yur assessment cnfiguratin settings t reflect the gals and requirements f yur upcming audit, identify discrepancies, and btain internal feedback n yur findings. Why wuld I publish an assessment? Publishing a draft assessment allws yu t begin tracking any changes made t the assessment settings and findings. This Change Lg prvides an electrnic trail that lets yu ensure yur audit data and resultant assessment is crrect and accurate, and validate any updates. When shuld I publish an assessment?

52 Publish a draft assessment when it is ready fr internal r external review by the audit team. Actins and Tasks Cmpare Assessments Allws yu t cmpare the findings and settings f this assessment against anther saved assessment r the riginal plicy. Yu can cmpare different types f assessments (draft, published, r apprved). When yu cmpare this assessment against the riginal plicy frm which it was saved, yu can identify changes that have ccurred since the assessment had been saved. Edit r View Assessment Settings Allws yu t edit r view the cnfiguratin settings fr this assessment, such the security checks this assessment perfrms. If yur SQLsecure lgin des nt have administratr permissins, yu can nly view assessment settings. Publish Allws yu t publish this assessment. Publishing an assessment lets yu safely distribute yur findings and explanatin ntes. When an assessment is published, SQLsecure begins tracking each subsequent change applied t the assessment. Use the Change Lg tab t review this activity. Refresh Audit Data Allws yu t re-run this assessment using different audit data (up t a specific pint in time). Remve Assessment Permanently deletes the selected assessment frm the SQLsecure Repsitry. Remve frm Assessment Remves the selected SQL Server instance frm the assessment. This ptin is available when yu have selected a registered instance frm the Servers in Plicy tree. Save as New Assessment Allws yu t create a new assessment that uses the same settings and audit data as the selected assessment. When yu save a new assessment, SQLsecure lists the assessment in the Draft Assessment flder under the assciated plicy in the Plicies tree. Wrking with published assessments Use published assessments t apprise internal r external auditrs f yur security status and settings. Fr mre infrmatin abut hw t use saved assessments in yur audit prcess, see Save Assessments. What is a published assessment? A published assessment represents the review phase f yur audit prcess. Published assessments typically cntain the required security checks and an accurate security status fr yur audited instances, as well as any explanatin ntes regarding knwn vilatins r discrepancies. When yu publish an assessment, it is autmatically set t the published mde. SQLsecure begins tracking each subsequent change applied t the assessment. Use the Change Lg tab t review this activity.

53 Use the published mde t create and maintain a histrical electrnic trail f change activity, ensuring yu can validate and dcument when, hw, and why changes were made. Why wuld I apprve a published assessment? Apprving an assessment lets yu safely archive yur assessment fr future reference. An apprved assessment prves yu are in cmpliance with specific crprate and gvernment regulatins, and have successfully cmpleted an audit. Fr each subsequent audit, yu can start (save) a new assessment using the apprved assessment as a template. When shuld I apprve a published assessment? Apprve an assessment when the internal r external audit team has "signed ff" n yur assessment and it is ready t be archived. Apprved assessments accurately represent yur security status at a specific pint in time and n lnger require changes. Actins and Tasks Apprve Allws yu t apprve this assessment. Apprving an assessment lets yu safely archive a final versin f this assessment, preserving yur findings and explanatin ntes. When an assessment is apprved, SQLsecure lcks the assessment, preventing yu frm changing r deleting the assessment settings as well as the assciated audit data. Hwever, yu can manually add r remve ntes abut an apprved assessment by editing the Ntes field n the Assessment Prperties windw.yu can als cntinue t use the Change Lg tab t review activity that previusly ccurred n this assessment. Cmpare Assessments Allws yu t cmpare the findings and settings f this assessment against anther saved assessment r the riginal plicy. Yu can cmpare different types f assessments (draft, published, r apprved). When yu cmpare this assessment against the riginal plicy frm which it was saved, yu can identify changes that have ccurred since the assessment had been saved. Edit r View Assessment Settings Allws yu t edit r view the cnfiguratin settings fr this assessment, such the security checks this assessment perfrms. If yur SQLsecure lgin des nt have administratr permissins, yu can nly view assessment settings. Refresh Audit Data Allws yu t re-run this assessment using different audit data (up t a specific pint in time). Remve Assessment Permanently deletes the selected assessment frm the SQLsecure Repsitry. Remve frm Assessment Remves the selected SQL Server instance frm the assessment. This ptin is available when yu have selected a registered instance frm the Servers in Plicy tree. Save as New Assessment Allws yu t create a new assessment that uses the same settings and audit data as the selected assessment. When yu save a new assessment, SQLsecure lists the assessment in the Draft Assessment flder under the assciated plicy in the Plicies tree.

54 Wrking with apprved assessments Apprved assessments accurately represent yur security status at a specific pint in time. Fr mre infrmatin abut hw t use saved assessments in yur audit prcess, see Save Assessments. What is an apprved assessment? An apprved assessment represents the final step, r stage, in yur audit prcess. Apprved assessments typically cntain yur accepted and fficial security status in respnse t an audit. When yu apprve an assessment, it is autmatically lcked and set t apprved mde. In the apprved mde, yu can manually add r remve ntes abut an apprved assessment by editing the Ntes field n the Assessment Prperties windw.yu can als cntinue t use the Change Lg tab t review activity that previusly ccurred n this assessment. Hwever, n ther changes are allwed. Use the apprved mde t safely archive the assessment, preserving yur findings and explanatin ntes. Actins and Tasks Cmpare Assessments Allws yu t cmpare the findings and settings f this assessment against anther saved assessment r the riginal plicy. Yu can cmpare different types f assessments (draft, published, r apprved). When yu cmpare this assessment against the riginal plicy frm which it was saved, yu can identify changes that have ccurred since the assessment had been saved. Save as New Assessment Allws yu t create a new assessment that uses the same settings and audit data as the selected assessment. When yu save a new assessment, SQLsecure lists the assessment in the Draft Assessment flder under the assciated plicy in the Plicies tree. View Assessment Settings Allws yu t view the cnfiguratin settings fr this assessment, such as the security checks this assessment perfrmed. View assessment change lg The Change Lg tab lists all changes that have been made t the selected assessment. After yu publish an assessment, SQLsecure begins tracking any change that has been made t the assessment's settings. These changes may include the additin r remval f audited instances as well mdificatins t the security checks t be perfrmed by the assessment. This change lg gives yu an electrnic, "paper trail" that dcuments exactly hw an assessment is being prcessed during an internal r external audit review. Fields Changed At Prvides the date and time at which the change ccurred.

55 Assessment Status Indicates the assessment status (published r apprved) at the time f this change. Once an assessment is apprved, nly the assessments ntes can be changed. Changes are nt tracked when an assessment is in the draft status. Changed By Prvides the name f the SQLsecure lgin wh applied the change. Change Describes what change was applied. Cmpare assessments Use the Assessment Cmparisn windw t cmpare any tw assessments saved frm the same plicy. Yu can cmpare assessments previusly saved frm the default All Servers plicy r frm any custm plicy yu created. Fr example, yu may want t cmpare a draft assessment f this quarter's All Servers audit t an apprved assessment f last quarter's All Servers audit. Frm this windw, click the apprpriate tab t cmpare: Status and summary Security Checks Internal Review Ntes Fr mre infrmatin abut hw t use assessments in yur existing audit prcess, see Save Assessments. Cmpare assessment summaries Use the Cmpare Summaries tab n the Assessment Cmparisn windw t identify any differences in the security status f the tw selected assessments. SQLsecure highlights each difference in yellw, and shws where findings are equal (=) r nt equal ( ). Frm this tab, yu can: Identify changes in risk level Cmpare security check findings Mnitr whether security checks have been enabled r disabled Mnitr whether SQL Server instances have been added r remved Review security status fr all instances audited by each assessment Fr a detailed cmparisn f each security check, see the Cmpare Security Checks tab. Fr mre infrmatin, see Cmpare Assessments. Cmpare assessment security checks Use the Cmpare Security Checks tab n the Assessment Cmparisn windw t identify any differences in the security check settings f the tw selected assessments. SQLsecure identifies each difference using yellw highlights and bld blue text, and shws where security settings are equal (=) r nt equal ( ). Which security check settings can I cmpare?

56 Findings Displays the findings returned by the selected security check when run by each assessment. The findings als display in the Details tab f the assessment Reprt Card at the enterprise and server levels. Explanatin Ntes Indicates whether an explanatin nte has been entered fr this security check. Explanatin ntes are available frm the assessment Reprt Card at the enterprise and server levels. T enter r edit an explanatin nte, select the target security check frm the Reprt Card, and then click the Explanatin Ntes tab. Display Settings Prvides the Risk Level, Reprt Text, and External Crss Reference assigned t this security check. Fr mre infrmatin abut these settings, see Select Security Checks. Criteria Prvides the criteria used t assess whether yur audited instances are in cmpliance with this security check. Fr a cmparisn f the verall security status, see the Cmpare Summaries tab. Fr mre infrmatin, see Cmpare Assessments. Cmpare Internal Review Ntes Use the Cmpare Internal Review Ntes tab n the Assessment Cmparisn windw t identify any differences in the internal review ntes assciated with the tw selected assessments. SQLsecure displays bth ntes and identifies whether ntes are equal (=) r nt equal ( ). Fr mre infrmatin, see Cmpare Assessments.

57 Reprt n SQL Server Security The Reprts cmpnent f SQLsecure allws yu t generate reprts n SQL Server permissins. Use reprts t cnfirm regulatry cmpliance and enfrce security plicies. SQLsecure cntains tw different ways t access reprts. Quick Reprts are reprts that have been built int SQLsecure t allw yu t quickly generate reprts that answer the mst cmmn SQL Server security questins. Yu can als generate reprts using Micrsft Reprting Services. Micrsft Reprting Services allws yu t build pwerful, custm reprts fr a cmprehensive auditing slutin. SQLsecure allws yu t: Generate reprts within the SQLsecure interface Generate Reprts using Micrsft Reprting Services Hw t use the Deply Reprts wizard Yu can deply the SQLsecure Reprts t yur existing Micrsft Reprting Services installatin. If yu previusly deplyed SQLsecure Reprts, verify which versin f Reprting Services is currently running in yur envirnment. SQLsecure supprts Reprting Services versin 2005 r later. TIP If yu are upgrading reprts frm SQLsecure 2.0, delete all f the previusly installed SQLsecure reprts befre deplying the new reprts. Cnnect t Reprting Services The Cnnect t Reprting Services tab allws yu t specify the Reprt Server t which yu want t deply the SQLsecure Reprts. The Deply Reprts wizard autmatically applies cnnectin settings based n a default Micrsft Reprting Services installatin. Yu can use the default cnnectin settings, r specify custm cnnectin settings. T specify cnnectin settings, click Shw advanced cnnectin ptins, and then enter the apprpriate settings. Click Next t cntinue. Specify Repsitry as reprts data surce The SQLsecure Repsitry tab allws yu t specify which Windws user accunt SQLsecure shuld use t cnnect t the Repsitry. Yu can use the same accunt that the Cllectin Service runs under, r yu can specify a different accunt. Specify the name f the SQL Server instance that hsts the Repsitry, enter the apprpriate accunt credentials, and then click Next. Specify the reprts virtual directry This Reprt Deplyment Lcatin tab allws yu t specify the name f the flder where the reprts shuld be stred. This flder belngs t the Virtual Directry specified in the Reprting Services cnnectin settings, and is displayed when yu access the reprts using the Reprt Manager interface.

58 Yu can als specify whether yu want t verwrite existing reprts. By verwriting existing reprts, yu ensure all deplyed reprts are current. If yu decide nt t verwrite existing reprts, the Deply Reprts wizard installs nly the reprts that are new r updated in this versin f SQLsecure. Finish the Reprts deplyment Review the prvided summary, and then click Finish. When yu finish this wizard, SQLsecure installs the crrespnding RDL files in the specified virtual directry n yur Reprt Server. If yu want t change a setting nw, click Back t return t the apprpriate windw. Yu can als change yur deplyment settings later thrugh the Reprt Manager interface installed with Micrsft Reprting Services. Use the Cnsle t generate reprts SQLsecure includes built-in reprts which have been specially designed t generate cmmnly requested audit reprts using the SQL Server permissin data cllected in yur snapshts. SQLsecure built-in reprts allw yu t quickly and easily meet the demands f n-the-spt audits, rutine audits, and lng-term event trending. Each reprt gives detailed infrmatin abut events in yur SQL Server envirnment. TIP Using the Cnsle t generate reprts against large audit data sets can result in degraded perfrmance. Fr example, when the selected snapsht is large (cntains thusands f bjects and permissins), the reprt perfrmance may be impacted. If yu experience degraded perfrmance, try increasing the Cnsle timeut value and, if the perfrmance issues cntinue, run the reprt with Micrsft Reprting Services instead. What general reprts are available? Reprt Name Crss Server Lgin Check Audited SQL Servers Data Cllectin Filters Risk Assessment Activity Histry SQLsecure Users Reprt Descriptin Displays all SQL Server instances where a selected user has access Displays all the SQL Server instances that are being audited by SQLsecure Displays the data cllectin filters fr all SQL Server instances Displays all plicy and risk assessment results. Yu can custmize this text using the Plicy Prperties windw. Fr mre infrmatin, see Internal Review Ntes. Displays all SQLsecure activity histry Displays all SQLsecure users What entitlement reprts are available? Reprt Name Server Lgins and User Mappings Suspect Windws Accunts Reprt Descriptin Displays all Server Lgins and assciated Database User Mappings fr each SQL Server instance being audited Displays all the suspect Windws Accunts that have Server Lgins. Fr mre infrmatin, see Suspect Windws accunts.

59 Reprt Name User Permissins All User Permissins Server Rles Database Rles Reprt Descriptin Displays permissins fr a user acrss all SQL Server instances Displays all bjects with permissins in the database fr all SQL Server instances Displays all direct members f Server Rles n all SQL Server instances Displays all direct members f Database Rles n all SQL Server instances What vulnerability reprts are available? Reprt Name Mixed Mde Authenticatin Guest Enabled Databases OS Vulnerability via XSPs Vulnerable Fixed Rles System Administratr Vulnerability Dangerus Windws Grups Database Chaining Enabled Mail Vulnerability Lgin Vulnerability Reprt Descriptin Displays all SQL Server instances where Windws Authenticatin is nt the nly lgin methd Displays all databases n a SQL Server instance where the Guest user has access Displays all extended stred prcedures that allw access t perating system features that culd cmprmise system security Displays all SQL Server instances that cntain fixed rles assigned t public r guest Displays all SQL Server instances that include built-in Administratrs as members f the sysadmin rle Displays all SQL Server instances that grant access t any OS cntrlled Windws Grup Display all SQL Server instances that have crss-database wnership chaining enabled Displays all SQL Server instances with SQL Mail stred prcedures Displays any SQL lgins that have weak (easily guessed r hacked) passwrds and lists their security prperties, including the state f their passwrd health. What cmparisn reprts are available? Reprt Name Assessment Cmparisn Snapsht Cmparisn Reprt Descriptin Displays any differences identified in the security settings and findings f tw assessments. Displays any differences identified in the cnfiguratin settings and audit data f tw snapshts. Hw d I generate a reprt? T reprt n audit data: 1. In the cnsle tree pane, click Reprts. 2. In the view pane, select the reprt yu want t generate. 3. Specify the apprpriate parameters fr the selected reprt and then click Apply.

60 Use Reprting Services t generate reprts SQLsecure includes the ability t take the existing built-in SQLsecure reprts and seamlessly integrate them int Micrsft Reprting Services. Fr each built-in SQLsecure reprt, the Deply Reprts wizard installs a Reprt Definitin Language (RDL) file. These RDL files define the reprt layut and parameters, using the data surce (SQLsecure Repsitry) yu specified during install. Reprting Services autmatically acknwledges these files, allwing yu t immediately generate and view reprts n audit data using the Reprts Manager Web interface. Yu can view, custmize, and develp new reprts based n any f the built-in SQLsecure reprts t fit yur unique auditing needs. Reprts can be viewed in an existing SQL Server envirnment that uses a dedicated Reprt Server. If yu decide t use Micrsft Reprting Services, cnsider the fllwing best practices: Save yur new and mdified reprts t a separate flder Use a different filename fr mdified reprts Fr mre infrmatin abut the Reprting Services architecture, see the Reprting Services Bks Online. Fr mre infrmatin abut develping custm reprts using Micrsft Reprting Tls, see the Reprting Services Bks Online. Hw des Micrsft Reprting Services wrk with SQLsecure? Yu can implement Reprts n any cmputer running Reprting Services. The fllwing installatin scenari illustrates hw yu can implement Micrsft Reprting Services reprts in an existing SQL Server envirnment that uses a dedicated Reprt Server. What permissins des Micrsft Reprting Services require? Micrsft Reprting Services Reprts leverage the existing rle-based security mdel prvided with Reprting Services. These