Scanning for SQL vulnerabilities

I'm preparing for a security audit next week and have been tasked with checking for SQL vulnerabilities.  I've compiled a list of all the various SQL servers on the LAN and I'm looking for some type of (free) utility that will let me scan them for known security issues.  Can you recommend one that may help with the audit?
First Last Asked:
 
First Last (Author) Commented:
I found a good one though it wasn't free:  Secure Auditor by Secure Bytes
0
 
Barry Cunney Commented:
May be worth looking into Policy Based Management in SQL Server itself
http://msdn.microsoft.com/en-us/security/Video/ee216343
0
 
First Last (Author) Commented:
That looks like a cool way to lock things down across multiple SQL servers but really for now I just need a way to find out where I'm vulnerable in order to lock it down for the audit.  I'll definitely look into that one once things have settled down next week.
0
 
Barry Cunney Commented:
Here is an article on SQL Server Security Best Practices - I think if you examine each of the areas discussed in this article you should have most areas covered for the audit.

http://www.greensql.com/content/sql-server-security-best-practices

Examine the 'sa' profile - best if it is disabled but if it is used make sure only privileged persons are using it and it has a very strong password - make sure it is not used in connection strings or other login configurations in apps.

You can also use SQL Profiler to monitor who/what is connecting to the SQL Servers - may be worth doing this to try and identify items that may need to be locked down.

Also you can administer multiple servers from one single server using CMS
http://www.brentozar.com/archive/2008/08/sql-server-2008s-new-central-management-server/
0
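
An added example, not part of the original thread or any poster's own code: a read-only T-SQL check for the 'sa' points raised in the comment above (is it disabled, is its password policy enforced, who else holds sysadmin, and what is connected as sa right now). It assumes you run it as a sysadmin on each instance in your list; the column aliases are illustrative.

```sql
-- Added example: read-only audit of the built-in 'sa' login on one instance.
-- Assumption: run as a sysadmin (CONTROL SERVER is needed to read password_hash).

-- 1. State of the built-in sa login, located by SID 0x01 so a rename does not hide it.
SELECT
    @@SERVERNAME                                  AS instance_name,
    l.name                                        AS login_name,
    l.is_disabled,                                -- 1 = disabled (preferred)
    l.is_policy_checked,                          -- 1 = Windows password policy enforced
    l.is_expiration_checked,                      -- 1 = password expiration enforced
    CASE WHEN PWDCOMPARE('', l.password_hash) = 1
         THEN 1 ELSE 0 END                        AS blank_password,
    LOGINPROPERTY(l.name, 'PasswordLastSetTime')  AS password_last_set
FROM sys.sql_logins AS l
WHERE l.sid = 0x01;

-- 2. Every member of the sysadmin role: the "privileged persons" to review.
SELECT
    p.name       AS member_name,
    p.type_desc  AS member_type,
    p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.name;

-- 3. Sessions currently logged in as sa. The host and program names point at
--    applications whose connection strings still use the account.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND s.login_name = (SELECT name FROM sys.sql_logins WHERE sid = 0x01)
ORDER BY s.login_time;
```

Query 3 only shows sessions open at the moment it runs, so it complements rather than replaces the Profiler monitoring suggested above.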
 
First Last (Author) Commented:
Found my own
0
Question has a verified solution.
