September 2000
Database Scanner
Version 4.0.1

by Mark Whitehorn
For: Will help you to sleep at night.
Against: Marginally clunky interface.
Verdict: A great product.

Database administrators are a paranoid lot. Even hinting that the databases in their care might not be totally secure is fighting talk. So if you are a DBA, how can I possibly recommend a product that scans your databases looking for security problems?

Easy. You may be the DBA, you may even have the sole administrator login to the database, but there are still some aspects of security that are outside your control. Take that finance system, for example; you didn't write it, you didn't even choose it, but you are responsible if one of the users accidentally deletes an entire database because of the 'Everyone' hole (see below). Or take those users. Sure, you've told them to use strong passwords but do they actually bother? You can't reverse engineer the password file so you really have no idea - but Database Scanner will tell you. So, even perfect DBAs, like you and me, need this product.

How Does It Work?
You choose the database engine that you want to scan and buy the software and license. One good feature of this product is that it installs entirely on a client; all you need on the database box is an administrator login. Installation is painless except for an exasperating and inexcusable inability to deal with long file names.

The first time you fire up Database Scanner it looks for databases and you choose which to scan. You also select the level of security policy (see below) against which any security issues are judged. Then you let it rip and it will run for ... well, it depends on the size of the database applications, number of users and so on, but certainly for minutes leading to hours so it makes sense to run this at a slack time.

The scan looks at a huge range of different aspects of security, and all of these, or a selected range, may be viewed on screen and/or printed. Very conveniently, there is a summary of violations section that highlights the problem areas; this is just as well because the full printout can be well in excess of 120 pages (the actual length varying with the number of problems).

And when you start reading the report another excellent feature makes itself apparent. It not only highlights the specific security issues for a given database, it also explains the background to the problem and how to fix it. Take the Windows NT file system (NTFS) section. This details how the Everyone group (members of which may have no login to the database itself) often ends up with rights to the database files themselves, these rights including 'write', 'take ownership' and 'delete'. It even lists all of the files concerned and finally tells you how to convert a partition to NTFS.

Policy Level
Of course, not all databases are equal; some need to be kept much more secure than others. So Database Scanner allows you to select the level of security policy against which the database is measured. There are three policy levels by default (minimum, medium and maximum). The same scan is always performed against the database, but the report varies depending upon the policy level selected. Take encrypted objects as an example. In SQL Server it is possible to encrypt stored procedures, triggers and views. This takes some effort but ensures that users cannot see the logic therein. If you set the policy to minimum, the report still displays all the unencrypted objects, but is happy that this is in compliance with policy. Set the policy to maximum and the unencrypted objects are reported as a security problem. In either case, incidentally, you are told how to encrypt the objects. You can also hand-tweak the policy level if none of the three defaults is exactly the right shade for your particular needs.
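As an added illustration of two points the review makes above (the Everyone group ending up with write, take ownership and delete rights on the database files, and the same scan being graded differently depending on the policy level), here is a PowerShell audit script. It is not part of the review and not ISS's code: the data directory, the file extensions it looks for and the per-policy thresholds are assumptions chosen for the example.

```powershell
# Added example, not ISS code: audit NTFS ACLs on SQL Server data files for
# rights granted to Everyone, then grade each finding against a policy level.
param(
    # Placeholder path; point this at the directory holding your .mdf/.ldf/.ndf files.
    [string]$DataPath = 'C:\SQLData',
    [ValidateSet('Minimum', 'Medium', 'Maximum')]
    [string]$Policy = 'Medium'
)

$fsRights = [System.Security.AccessControl.FileSystemRights]

# The three rights the review singles out. FullControl and Modify contain these
# bits, so a bitwise test also catches the broader grants.
$checks = @(
    @{ Name = 'Write';         Mask = $fsRights::Write },
    @{ Name = 'TakeOwnership'; Mask = $fsRights::TakeOwnership },
    @{ Name = 'Delete';        Mask = $fsRights::Delete }
)

# Illustrative thresholds (assumed, not the product's own policy definitions):
# the scan is identical at every level; only what counts as a violation changes.
$violations = switch ($Policy) {
    'Minimum' { @('TakeOwnership') }
    'Medium'  { @('TakeOwnership', 'Delete') }
    'Maximum' { @('Write', 'TakeOwnership', 'Delete') }
}

$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone, immune to localized group names

$findings = foreach ($file in Get-ChildItem -Path $DataPath -Recurse -File -Include *.mdf, *.ldf, *.ndf) {
    $acl = Get-Acl -Path $file.FullName
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -ne $everyoneSid) { continue }
        foreach ($c in $checks) {
            if (($rule.FileSystemRights -band $c.Mask) -eq $c.Mask) {
                [pscustomobject]@{
                    File      = $file.FullName
                    Right     = $c.Name
                    Inherited = $rule.IsInherited
                    Status    = if ($violations -contains $c.Name) { 'VIOLATION' } else { 'compliant' }
                }
            }
        }
    }
}

if (-not $findings) { "No Everyone grants found under $DataPath" }
else { $findings | Sort-Object Status, File | Format-Table -AutoSize }
```

Run it as `.\Audit-EveryoneAcl.ps1 -DataPath 'D:\Data' -Policy Maximum` (the script name is whatever you save it as). A finding marked Inherited comes from the parent directory's ACL, so the fix belongs there rather than on each file: remove the Everyone entry and grant the SQL Server service account only the rights it needs. Findings graded 'compliant' are still listed, mirroring the review's point that the report shows the same facts at every level and only the verdict changes.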

It ought to be clear by now that one of the great strengths of this product is that it seeks to inform as well as simply report. I would love to tell you that I knew all of the stuff that Database Scanner told me, but I didn't. So it has educated me as well as showing me holes in my security.

And what of the security issues that I did understand before I used Database Scanner? Well, I could have checked for them all myself, but in practice I hadn't. Not because I didn't understand but because I have never quite got around to it. Or I checked when the database was set up, but haven't bothered since. Meanwhile the database (and the NT box) has been quietly evolving away...

And there is another aspect to this software. As a database consultant I can use it to run security checks against databases belonging to clients and present said clients with a comprehensive, written report on security that they have some chance, not only of reading, but also of doing something about. The only difficult (moral) question is: how much should I charge them for such an easy task?

So, Does it Have Any Flaws?
Well, the interface is a little awkward and the error messages can be weird (I used the wrong administrator password and was told I couldn't resize a minimized or maximized window…) but the functionality offered far outweighs these considerations. If your job is to look after any of the supported databases (SQL Server, Oracle, Sybase) and you are a perfect DBA, then you don't need this product. Mere mortals should check out www.iss.net.
Contact Information:
ISS (US)
Price on application
(703) 925-2000
sales@iss.net
www.iss.net

ISS (UK)
From £645
+44 (0)20 7626 7070
uksales@iss.net
www.iss.net

Copyright © 2000 West Coast Publishing. Reprinted from SC Magazine, 161 Worcester Road, Suite 201, Framingham, MA 01701. All rights reserved.