-
May 30th, 2007, 01:11 PM
#1
Member
Vulnerability Scanner Software for MS SQL
I need to test the integrity of an MS SQL Server that is on our network. What would be the best vulscan to use to check if this server is secure?
Would there be software to perform port scans on this server as well?
Thanks
B
.....I rather not say....
-
May 30th, 2007, 03:12 PM
#2
What do you want to test? The database or the server itself?
For the server you could use nmap and/or nessus.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 3rd, 2007, 09:42 AM
#3
Member
I have been asked to test the integrity and security of the database. The application being used is built on top of the database. I am not sure how the DB is administered.
I need something that can test how secure that database is and how easy it is to crack open.
PS. This is new to me, so go easy with criticism.
Thanks in advance for help
.....I rather not say....
-
June 4th, 2007, 01:00 AM
#4
Being that you are self-proclaimed inexperienced:
Check out Nessus and Nmap. Nessus is a vulnerability assessment tool that will use plugins that detect known vulnerabilities on the system, MS-SQL included. It will also use a port scan in the process, which you can use to find unnecessary services.
The configuration of the database and the access it will allow the application is also a serious issue (permissions to tables and actions).
-
June 6th, 2007, 04:26 PM
#5
Nessus and Nmap are probably the best to test it yes. You can also try manually performing SQL injection attacks.
-
June 13th, 2007, 10:55 AM
#6
Testing for SQL injection and some source code auditing should be done on the application. But don't forget to check the permissions on the tables and databases as d34dI0k1 noted.
Big warning as this is one of the biggest issues with third party apps:
DO NOT ALLOW THE APPLICATION TO USE THE (MS-SQL) SA ACCOUNT!
There are basically 3 different things you need to audit:
1) The server/OS itself, needs to be hardened, basic rule: if you don't need/use something, disable or preferably remove it.
2) The application, source code audit (SQL injection, fuzzing, buffer overflows etc.)
3) The database, accounts/permissions on tables/databases (LPR; Least Privilege Required).
Last edited by SirDice; June 13th, 2007 at 10:58 AM.
Oliver's Law:
Experience is something you don't get until just after you need it.
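An added example, not part of any post in this thread: a T-SQL audit for item 3 of post #6 and its warning about the SA account. It assumes SQL Server 2005 or later catalog views, a login with VIEW SERVER STATE, and a placeholder database name `YourAppDatabase`.

```sql
-- 1) Server level: every login that holds sysadmin.
--    sid 0x01 is the built-in sa login, even if it has been renamed.
SELECT m.name AS login_name, m.type_desc, m.is_disabled,
       CASE WHEN m.sid = 0x01 THEN 1 ELSE 0 END AS is_builtin_sa
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2) Live sessions running with sysadmin rights. An application
--    connection pool showing up here is the finding to fix first.
SELECT s.session_id, s.login_name, s.host_name, s.program_name, s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND (s.login_name = N'sa'
       OR IS_SRVROLEMEMBER(N'sysadmin', s.login_name) = 1)
ORDER BY s.login_time;

-- 3) Database level: role memberships in the application database.
USE [YourAppDatabase];  -- placeholder name, replace with the real database

SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
ORDER BY r.name, m.name;

-- 4) Explicit GRANT/DENY entries per principal, resolved to object
--    names where the permission is on a table, view or procedure.
SELECT p.name AS principal_name, p.type_desc,
       perm.state_desc, perm.permission_name, perm.class_desc,
       SCHEMA_NAME(o.schema_id) + N'.' + o.name AS object_name
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS p
  ON p.principal_id = perm.grantee_principal_id
LEFT JOIN sys.objects AS o
  ON perm.class = 1 AND o.object_id = perm.major_id
WHERE p.name NOT IN (N'dbo', N'sys', N'INFORMATION_SCHEMA')
ORDER BY p.name, object_name, perm.permission_name;
```

Compare the output of queries 3 and 4 against what the application actually needs: membership in `db_owner` or database-wide CONTROL for the application's account is the database-level counterpart of connecting as SA.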