DBSecure's SQLAuditor Locks Down Microsoft SQL Server
As the SQL Server 6.5 database from Microsoft Corp. penetrates more and more enterprise back rooms, its native security services are increasingly coming under fire. To help database administrators (DBAs) augment the security of their SQL Server database environments, DBSecure (Jersey City, N.J., www.sqlauditor.com) introduced SQLAuditor, a SQL Server security analysis tool that purports to lock down the SQL Server database environment.
According to Rick Jones, a sales marketing manager with DBSecure, the SQL Server database market is poised for a solution such as SQLAuditor. "Basically, what we notice is that out of all of the database management systems out there, Microsoft’s SQL Server is definitely growing in popularity," Jones explains. "SQL Server is cheaper, Microsoft is aggressively pricing it, and with the onset of SQL Server 7.0, Microsoft is making a big push against Oracle and Sybase for enterprise back rooms. Security is going to become more important than ever."
Security is an aspect of SQL Server 6.5 that has previously been an afterthought for many system administrators and DBAs who weren’t even charged with implementing the Microsoft database in the first place. SQL Server often first penetrates many enterprises at the departmental level, with a department manager, for example, introducing a Windows NT/SQL Server combination to serve as a back end for a new department-specific software package that he or she wants to implement. After SQL Server is in place, however, it becomes IT’s problem.
The result, says Marc Riddle, a senior network engineer and Microsoft SQL Server DBA with Twentieth Century Insurance (Woodland Hills, Calif.), is IT departments without any SQL Server experience left in charge of the Microsoft database’s administration. "There are a lot of places running SQL Server with people that don't know anything about it doing the administration on it," he says.
Out of the box, SQL Server 6.5 is about as secure as vanilla Windows NT -- which is to say, not very secure at all. For example, SQL Server 6.5 configured in its default standard security mode stores user passwords in clear text in the Windows NT system registry. Potential hackers have only to search the system registry for password information to breach a SQL Server-based system configured for standard rather than integrated security.
"With SQL Server out of the box there are things like guest accounts that are easily attacked and there are extended stored procedures such as an XP command shell," observes DBSecure’s Jones. "As long as you can use [the XP command shell extended] stored procedure, you can basically run command-line commands on an NT Server, so you can add users or delete directories however you like."
SQLAuditor lets IT departments develop, implement and maintain SQL Server security strategies, policies and procedures according to a number of predefined settings. SQLAuditor’s most secure setting, "Top Secret," implements policy settings that lock down many aspects of the SQL Server database and enables SQL Server 6.5’s integrated security mode, which authenticates users against the Windows NT Security Accounts Manager user database. SQLAuditor’s "Confidential" security policy setting provides moderate security, and its "Secure" mode applies SQLAuditor’s least stringent security settings.
SQLAuditor can also coordinate account creation, access control, account suspensions and renewals, as well as examine and monitor critical procedures and relevant system settings. For IT managers or DBAs unfamiliar with Microsoft’s Service Pack or hotfix patch system, SQLAuditor can manage the application of database upgrades, patches and hotfixes.
Although himself a certified Microsoft SQL DBA, Twentieth Century Insurance’s Riddle can see where SQLAuditor could be a useful tool for many organizations that choose to deploy Microsoft SQL Server. "I haven't encountered too many security issues with SQL Server, but with its growing popularity, and the fact that many shops don't want to hire dedicated DBAs and actually hand off a lot of the [SQL Server] administration to NT administrators, I can see where [SQLAuditor] would be useful," Riddle says. "In fact, any product that does SQL administration -- security, tuning, etc. -- automatically, without much SQL knowledge being necessary, will probably be in demand."