Set Up MS SQL Server Authentication

You need the instance name assigned to the TCP/IP port (by default this is set to MSSQLSERVER). This is NOT the host name that is assigned to the MS SQL Server instance name. Learn more

Controls posted for the MS SQL Server 2008 host technology are applicable for both MS SQL Server 2008 and MS SQL Server 2008 R2.

- Go to Scans > Authentication.

- Create a MS SQL record for the database instance. Go to New > Databases > MS SQL.

It is recommended you define a dedicated user account for MS SQL Server authentication. You have the option to use a MS SQL Server database account, or a Windows operating system account that is associated with a SQL Server database account. See our Scanning Tips docs under Quick Links (also available under Help > Resources).

Choose the type of authentication you want to perform: Windows or Database. If you choose Windows, provide the name of the Windows domain where the account is stored. The domain name is required because the scanning engine must associate the operating system account with the MS SQL Server database account for authentication.

- If you are using VM then only Windows Authentication is required.

- If you are using PC or SCA, then MS SQL Authentication is used. You can optionally use Windows authentication record for auto-discovery of Instance, Database, and Port.

Use the Auto discover options and we'll automatically find database instances on your target hosts, so you don't have to provide database information in your record. This is recommended if you have multiple instances on the same host. (If you select Auto discover for Instance or Port then Windows authentication is also required. Make sure the IPs assigned to the MS SQL record are also configured for a Windows record.)

You can create a single record for all MS SQL server targets that are members of your domain. To use domain based support, provide your active directory or NetBIOS domain name on the "IPs or Domain Tab" in the Member Domain field.

When Member Domain is provided:

- We'll auto discover all MS SQL server targets in the domain.

- It's not possible to provide IP addresses for the same record.

Our scanners will attempt authentication to your target hosts using one of the authentication protocols selected in the record, starting with the most secure protocol to the least secure protocol. We support these protocols: Kerberos, NTLMv2 and NTLMv1.

Select the target compliance hosts (IPs) to authenticate to. Each IP may be included in one MS SQL Server record.

We support integration with multiple third party password vaults. Just go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record and select your vault name. At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault.

When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.