Stéphane Savorgnano

SQL Server Management Studio 17.4: Vulnerability Assessment

SQL Server Management Studio is a well-known integrated environment used to manage SQL Server infrastructure.
This new version, 17.4, supports SQL Server from 2008 up to 2017. It enhances existing features like Showplan and XE Profiler (complete list here) and also adds an interesting new one: Vulnerability Assessment.

Vulnerability Assessment scans a database to help you track security holes and deviations. The rules that define those deviations are based on Microsoft SQL Server best practices.
Let’s have a look at this new feature.

Once SSMS 17.4 is installed, choose the database you want to scan, right-click it and select Tasks, Vulnerability Assessment, then Scan For Vulnerabilities….

Select where you want to save the scan report and click OK.

Once you click OK, the scan starts.

At the end of the scan, the Vulnerability Assessment Results are displayed.

The report is displayed in a Management Studio pane. It shows the number of checks that have been run and how many issues have been found, with risk levels from Low to High, and it also provides some links about SQL Server security best practices.
Go through the results and review all failed checks to confirm that they really are security issues in your environment.
For each failed check you get a description of the issue, its impact, the rule query that was applied and a possible remediation script.

It is also possible to accept results as a baseline, even if they are considered a Potential Risk. Results that match the baseline are then validated.
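
To make the rule query, baseline and remediation script concrete, here is an added T-SQL example (not from the original post and not one of the rules shipped with SSMS). The db_owner membership check, the `app_deploy` baseline entry and the exact-match comparison are assumptions made for illustration.

```sql
-- Illustrative check, constructed for this example (not a rule shipped with SSMS):
-- "Only approved principals should be members of db_owner."
-- Run it in the database being assessed.

-- 1. Rule query: current members of the db_owner fixed database role, except dbo.
DECLARE @actual TABLE (member_name sysname PRIMARY KEY);
INSERT INTO @actual (member_name)
SELECT m.name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
  AND m.name <> N'dbo';

-- 2. Baseline: the result set that was reviewed and accepted for this environment.
--    'app_deploy' is a constructed sample value.
DECLARE @baseline TABLE (member_name sysname PRIMARY KEY);
INSERT INTO @baseline (member_name) VALUES (N'app_deploy');

-- 3. The check passes only when the current result matches the baseline.
SELECT CASE
         WHEN EXISTS (SELECT member_name FROM @actual   EXCEPT SELECT member_name FROM @baseline)
           OR EXISTS (SELECT member_name FROM @baseline EXCEPT SELECT member_name FROM @actual)
         THEN 'FAILED' ELSE 'PASSED'
       END AS check_status;

-- 4. Deviations to review, with a candidate remediation statement for each
--    unexpected member (ALTER ROLE ... DROP MEMBER needs SQL Server 2012 or later).
SELECT d.member_name,
       N'ALTER ROLE [db_owner] DROP MEMBER ' + QUOTENAME(d.member_name) + N';' AS remediation
FROM (SELECT member_name FROM @actual
      EXCEPT
      SELECT member_name FROM @baseline) AS d;
```

The remediation column only generates statements as text, so each one can be reviewed before anything is executed.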

Once the issues are solved or the baseline is set, the Vulnerability Assessment can be run again to see the result of the actions performed.

This new feature, integrated in Management Studio, lets you check that all your databases have a good level of security and also helps you keep that level.
Great new feature ;-)