
ISS Database Scanner review

Verdict

ISS Database Scanner is a great tool for the database administrator. It does much of the security housekeeping they should do, and mean to, but often fail to get around to on anything like a regular enough basis.

Review Date: 1 Jan 2001

Reviewed By: Mark Whitehorn

Price when reviewed: (exc VAT)

Overall Rating
5 stars out of 6

Database security is an important issue. Setting up a watertight security regime is a time-consuming and painstaking business: one wonders how many database administrators can devote the necessary hours to this task with users calling for faster queries, new groups, rollback to yesterday at 13.17pm and 'I've been on holiday and forgotten my password...'

Any aid to improving security is likely to be appreciated and this latest release of ISS Database Scanner (version 4.0.1, build 098) is most welcome. It's a highly flexible tool that will search out any vulnerable areas in your security setup and, even better, tell you how to increase protection in the light of what it finds. The results are presented in a report that can be printed or saved to a file as required.

Database Scanner is available for Microsoft SQL Server, Oracle and Sybase, and you purchase the software and licences as appropriate - I tried the SQL Server version. The complete installation can be performed on a client machine - a very useful feature - with an administrator login on the database server being all that's required. The only installation problem I encountered was Database Scanner's inability to cope with long file names; there's no excuse for truncation and tildes these days. When run for the first time, Database Scanner compiles a list of databases so you can choose one to work with. Here you can also determine the security level at which you're aiming.

Database Scanner offers three pre-determined levels of security policy, reflecting the fact that security needs differ between databases. The levels are Minimum, Medium and Maximum and, although exactly the same scan is performed regardless of the policy level chosen, the report is generated to different levels of detail. For instance, in your existing database you may have decided to hide, by means of encryption, the logic of triggers, views and stored procedures from users of your SQL Server database. Running with the Minimum security policy level set will identify all such objects that remain unencrypted but will not classify them as problematic. With the Maximum security policy, however, they'll be identified and flagged as a potential problem. Furthermore, if the default security policies don't meet the needs of your databases, you can fine-tune the definitions as required.

The scan looks at many security aspects such as active and stale logins, password ageing, backups and unauthorised objects. Password Strength Analysis lets you growl at users who persist in using 'password' as their password. The process may take minutes or hours, according to, among several factors, the size of the database application and number of users.
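As an added illustration of the policy-level behaviour and the scan checks described above (this is not code from the review or from ISS), the T-SQL below reproduces three of those checks against a modern SQL Server: it assumes the sys.* catalog views and PWDCOMPARE, which did not exist in the versions the scanner targeted in 2001, and treats the principal's modify_date as an approximation of the last password change.

```sql
-- Added example, not ISS Database Scanner's own code. Assumes SQL Server 2008 or later.
DECLARE @PolicyLevel varchar(10) = 'Maximum';   -- 'Minimum' | 'Medium' | 'Maximum'
DECLARE @MaxPasswordAgeDays int   = 180;        -- constructed threshold for password ageing

-- 1. Unencrypted triggers, views and stored procedures. As the review explains, the scan
--    itself is identical at every policy level; only the severity in the report changes.
SELECT  QUOTENAME(SCHEMA_NAME(o.schema_id)) + '.' + QUOTENAME(o.name) AS object_name,
        o.type_desc,
        CASE WHEN @PolicyLevel = 'Maximum' THEN 'Problem' ELSE 'Info' END AS severity
FROM    sys.objects o
JOIN    sys.sql_modules m ON m.object_id = o.object_id
WHERE   o.type IN ('P', 'V', 'TR')
  AND   m.definition IS NOT NULL;                -- definition is NULL when created WITH ENCRYPTION

-- 2. Password ageing and policy enforcement for SQL-authenticated logins.
--    modify_date is the principal's last modification, used here as an approximation
--    of the last password change (assumption).
SELECT  name,
        modify_date,
        is_policy_checked,
        is_expiration_checked,
        CASE WHEN is_policy_checked = 0 OR is_expiration_checked = 0 THEN 'Problem'
             WHEN DATEDIFF(day, modify_date, GETDATE()) > @MaxPasswordAgeDays THEN 'Problem'
             ELSE 'OK' END AS severity
FROM    sys.sql_logins
WHERE   is_disabled = 0;

-- 3. Password strength: logins whose password is blank, equal to the login name, or the
--    word 'password'. PWDCOMPARE is Microsoft's documented way to audit for such cases;
--    it compares against the stored hash and reveals nothing about other passwords.
SELECT  name, 'Problem' AS severity
FROM    sys.sql_logins
WHERE   PWDCOMPARE('', password_hash) = 1
   OR   PWDCOMPARE(name, password_hash) = 1
   OR   PWDCOMPARE('password', password_hash) = 1;
```

Running the three queries with @PolicyLevel set to 'Minimum' and then 'Maximum' shows the same unencrypted objects listed both times, with only the severity column changing, which is exactly the behaviour the review describes.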

Once the scan is complete, you can select those aspects of security on which you wish to view a report. The length of the result depends on the number of problems found: a full report on a database can run to over 120 pages. Selecting the useful Summary of Violations option gives a concise overview of problem areas. Database Scanner's reports are more than bald statements of potential problems. Security issues are, of course, pinpointed, but the background to an issue is given as is the method of closing the loophole. The information is presented clearly under sensible headings, though the default font, as seen in the screen shots, is annoyingly difficult to read. Findings that benefit from graphical treatment are displayed as charts.

A report is likely to throw out security issues that are already known to the database administrator, but knowing a loophole exists and getting round to plugging it are two different things. That the report gives the fix is handy in these cases, but in instances where the security issue is not already familiar to the DBA, having the solution readily accessible saves hours sifting through manuals.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk