SQL Server Database Vulnerability Assessment

With all the security breaches in the news these days, it’s important to run a vulnerability assessment on your SQL Server database. SQL Server Management Studio makes doing so simple and straightforward: starting with SSMS 17.4 you can run an automated scan directly from the database’s context menu.

Vulnerability Assessment Limitations

The automated scan runs through nearly sixty different rules, but you cannot add rules of your own at this time. As with any automated test, passing every rule is not a guarantee that your database is secure. Treat the assessment as a set of guidelines to use alongside your own approach to securing the database, not as a substitute for it. Future releases may allow developers to add their own custom rules.

How to Run A SQL Server Vulnerability Scan

Running a vulnerability scan in SQL Server is straightforward. First, you need SQL Server 2012 or later and SSMS 17.4 or later. Next, in Object Explorer right-click your database, open the Tasks menu, then go to Vulnerability Assessment followed by Scan For Vulnerabilities.

SQL Server Vulnerability Scan Menu

The scan can take several minutes. When it’s done you will see a screen like the one below:

SQL Server Vulnerability Assessment Result

SQL Server Vulnerability Assessment Results

When the assessment finishes it displays a summary of the results: which rules passed, which failed, and the risk rating of each failure. On some rules you’ll see the value “No baseline set” in the Additional Information column. A baseline records the current state of the database as the accepted, expected state for that rule. If, for example, you approve the result above as a baseline, the columns reported by VA1287 (sensitive data columns should be classified) are no longer treated as a violation, and future scans pass that rule as long as the result still matches the baseline. Keep in mind that a baseline suppresses a finding without changing the database; it is a documented risk acceptance rather than a fix, so revisit your baselines whenever the schema or the environment changes.
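The example below is added here and is not part of the original post or of Microsoft’s rule logic. It shows the kind of check VA1287 performs, so you can see which columns the rule would flag and remediate them instead of baselining the finding away. It assumes SQL Server 2019 or later (or Azure SQL Database), where classifications are stored in sys.sensitivity_classifications; the column-name patterns and the dbo.Customers.SSN column are constructed for illustration.

```sql
-- Added example (not from the original post): a hand-rolled check in the spirit
-- of VA1287, "Sensitive data columns should be classified".
-- Assumes SQL Server 2019+ / Azure SQL Database (sys.sensitivity_classifications).
-- The name patterns below are a constructed guess list, not Microsoft's rule logic.

-- 1. Columns whose names suggest sensitive data but carry no classification.
WITH candidates AS (
    SELECT s.name AS schema_name,
           t.name AS table_name,
           c.name AS column_name,
           t.object_id,
           c.column_id
    FROM sys.columns AS c
    JOIN sys.tables  AS t ON t.object_id = c.object_id
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    WHERE LOWER(c.name) LIKE '%ssn%'    OR LOWER(c.name) LIKE '%social%'
       OR LOWER(c.name) LIKE '%email%'  OR LOWER(c.name) LIKE '%phone%'
       OR LOWER(c.name) LIKE '%birth%'  OR LOWER(c.name) LIKE '%card%'
       OR LOWER(c.name) LIKE '%salary%' OR LOWER(c.name) LIKE '%password%'
)
SELECT cand.schema_name, cand.table_name, cand.column_name
FROM candidates AS cand
LEFT JOIN sys.sensitivity_classifications AS sc
       ON sc.class    = 1                -- class 1 = object or column
      AND sc.major_id = cand.object_id
      AND sc.minor_id = cand.column_id
WHERE sc.major_id IS NULL                -- no classification recorded
ORDER BY cand.schema_name, cand.table_name, cand.column_name;

-- 2. Remediate rather than baseline: classify the column (hypothetical table
--    and column), then re-run step 1 and the VA scan to confirm the rule passes.
ADD SENSITIVITY CLASSIFICATION TO dbo.Customers.SSN
    WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'National ID');

-- 3. Review what is now classified in this database.
SELECT SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name                   AS table_name,
       c.name                   AS column_name,
       sc.label,
       sc.information_type
FROM sys.sensitivity_classifications AS sc
JOIN sys.objects AS o ON o.object_id = sc.major_id
JOIN sys.columns AS c ON c.object_id = sc.major_id
                     AND c.column_id = sc.minor_id
ORDER BY schema_name, table_name, column_name;
```

On SQL Server 2017 and earlier there is no sys.sensitivity_classifications view; SSMS stores classifications as extended properties on the column (sys_sensitivity_label_name and sys_information_type_name), so the same check would join to sys.extended_properties instead. Either way, a column that genuinely holds sensitive data should be classified, and a baseline should be reserved for columns you have reviewed and decided are false positives.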

The vulnerability assessment can also be run in Azure. In the Azure portal, open the database, go to Advanced Data Security under the Security section and enable it (the feature has since been folded into Microsoft Defender for SQL). From there click Vulnerability Assessment. You’ll need to configure a storage account to store the scan results. For more information on running it in Azure see the Microsoft documentation.

Sean Leitzinger

Solutions Architect at Edgeside Solutions
.NET and C# aficionado with an interest in architecture, patterns, practices, and more. Microsoft fanatic.
