This article reviews a database scanning system obtained from a database security vendor. The version is not the latest, but it should still reflect the vendor's product design ideas and technical strength in this field.
In the initial stage of a database scan, the scope of the evaluation is generally confirmed first, and this product is no exception. There are two ways to add a task: one is to enter the database details directly, the other is to scan the network to confirm the total number of databases in it.
Compared with network evaluation tools such as Nessus and Nmap, this database scanning product is more like a security testing tool. To evaluate the security of a database you need to enter not only the usual IP address and port but also an account on the database system, or even an account on the operating system (this lets you review the security of logging on to the database system with the system account).
The scanning speed is naturally quite fast: there are fewer database vulnerabilities than host vulnerabilities, and therefore fewer detection items. The following is an evaluation report. Of course, this is only a summary, not a detailed description.
These are the detection items of the database scanning system. It should be said that they cover the vast majority of database security inspection items.
The following is the detailed description of the item named "audit level settings":
Vulnerability description:
Check whether the audit level complies with the security policy. You can set Microsoft SQL Server to provide audit trail records for logon successes or failures. The audit log provides information such as the logon ID, logon attempt, success or failure, standard connection, trust, time, and date. The correct audit level can be used to strictly detect expired logins, logon attacks, and logon time violations.
Vulnerability Source:
Auditing is an important part of the security of a database management system. Through auditing, all operations related to database security can be recorded. By reviewing the audit records, the system security personnel can know how the database is being used. The audit levels that can be set are: no audit, success audit, failure audit, and all audit.
Repair suggestions:
Change the audit level.
For SQL Server 6.x (using Enterprise Manager): 1. Right-click Service. 2. Select Settings from the pop-up menu. 3. Select security options.
For SQL Server 2000 and (using Enterprise Manager): 1. Right-click Service. 2. Select attribute option. 3. Select security page to change audit level.
For SQL Server 2005 (using SQL Server Management Studio): 1. Right-click Service. 2. Select attribute option. 3. Select security page to change audit level.
The vulnerability description, vulnerability source, and repair suggestions are described in detail and can guide the database administrator in effectively checking and reviewing the security of the database system.
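The following is an added example, not part of the scanner or of the original article, showing why the audit level matters for the uses named in the vulnerability description: it parses login audit lines and reports logon attacks (bursts of failures) and logon time violations, and shows what each of the four audit levels would leave visible. The log lines are constructed in a simplified SQL Server error log style, and the function names, the threshold of 3 failures per minute and the 08:00 to 18:00 permitted hours are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of SQL Server error log login-audit entries.
SAMPLE_LOG = """\
2024-03-04 09:15:02.11 Logon  Login succeeded for user 'app_rw'. [CLIENT: 10.0.0.21]
2024-03-04 13:40:10.02 Logon  Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 10.0.0.99]
2024-03-04 13:40:12.40 Logon  Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 10.0.0.99]
2024-03-04 13:40:15.77 Logon  Login failed for user 'admin'. Reason: Could not find a login. [CLIENT: 10.0.0.99]
2024-03-04 13:52:30.05 Logon  Login failed for user 'app_rw'. Reason: Password did not match. [CLIENT: 10.0.0.21]
2024-03-04 23:47:51.63 Logon  Login succeeded for user 'sa'. [CLIENT: 10.0.0.99]
"""
LINE_RE = re.compile(r"^(?P<ts>[\d-]+ [\d:]+)\.\d+\s+Logon\s+Login (?P<result>succeeded|failed)"
                     r" for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
# Which login outcomes each of the four audit levels writes to the log.
RECORDED = {"none": set(), "success": {"succeeded"}, "failure": {"failed"}, "all": {"succeeded", "failed"}}

def parse(log, level="all"):
    """Return (time, result, user, client) tuples that `level` would have recorded."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] in RECORDED[level]:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["client"]))
    return events

def failure_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Clients with at least `threshold` failed logins inside one time window."""
    by_client = defaultdict(list)
    for ts, result, _user, client in events:
        if result == "failed":
            by_client[client].append(ts)
    flagged = set()
    for client, times in by_client.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(client)
    return sorted(flagged)

def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside the permitted hours (logon time violations)."""
    return [(user, client, str(ts)) for ts, result, user, client in events
            if result == "succeeded" and not start_hour <= ts.hour < end_hour]

if __name__ == "__main__":
    for level in RECORDED:
        print(level, failure_bursts(parse(SAMPLE_LOG, level)), off_hours_logins(parse(SAMPLE_LOG, level)))
```

With the level set to "success" the burst of failures from 10.0.0.99 never reaches the log, and with "failure" the late-night `sa` login is missing; only "all" supports both checks.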
Of course, unlike some database scanning systems that do not support MySQL (why is MySQL not supported? Because most people use the free version?), this software supports Microsoft SQL Server, Oracle, MySQL, and Sybase databases. This version has no support for DB2 or Informix; I do not know whether the new version supports them.
In general, the product is good. Database vulnerability scanning products are still few on the market, and the hierarchical protection requirements spell out database security, so this product should have a good market.
Author: Zhang Baichuan (Web Ranger). When reprinting, please credit the source www.youxia.org. Thank you.
Http://www.youxia.org/youxia-DBScanner-Try/