Each MS SQL Server record identifies account login credentials, database information (unless you use auto discovery) and targets.
This record type is only available in accounts with PC or SCA and is only supported for compliance scans.
Which technologies are supported?
For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article:
Authentication Technologies Matrix
MS SQL Server 2008 or MS SQL Server 2008 R2?
Controls posted for the MS SQL Server 2008 host technology are applicable for both MS SQL Server 2008 and MS SQL Server 2008 R2.
How do I get started?
Go to Scans > Authentication, and then New > Databases > MS SQL.
Login Credentials
What login credentials are required?
It is recommended you define a dedicated user account for MS SQL Server authentication.
You have the option to use a MS SQL Server database account, or a Windows operating system account that is associated with a SQL Server database account. See our Authenticated Scanning Tips docs to learn more.
Want to access the account password from your password vault?
We support integration with multiple third party password vaults. Just go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your MS SQL record and pick the vault type, the vault record title, and provide other required details specific to the type of vault you selected (see the vault help). At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault.
Authentication Type and Authentication OS Type
Choose the type of authentication you want to perform: Windows or Database.
Authentication Type: Windows
When you choose Windows, you'll also need to provide the name of the Windows domain where the account is stored. The domain name is required because the scanning engine must associate the operating system account with the MS SQL Server database account for authentication.
Authentication Type: Database
When you choose Database, then you'll also need to pick the Authentication OS type: Windows or Unix. We support MS SQL database authentication for both OS types.
For Unix, specify this additional information:
- Unix Instance Directory Path: the path to the MS SQL Server instance directory on your Unix hosts (e.g. /var/opt/mssql)
- Unix Configuration File Path: the path to the MS SQL Server configuration file on your Unix hosts (e.g. /var/opt/mssql/mssq.conf).
Using VM?
- If you are using VM, then only Windows Authentication is required for MS SQL databases on Windows.
- If you are using PC or SCA, then MS SQL Authentication is used. You can optionally use Windows authentication record for auto-discovery of Instance, Database, and Port.
Choose authentication protocols (Windows only)
You'll pick authentication protocols when:
- Authentication Type is Windows
- Authentication Type is Database and Authentication OS Type is Windows
Our scanners will attempt authentication to your target hosts using one of the authentication protocols selected in the record, starting with the most secure protocol to the least secure protocol. We support these protocols: Kerberos, NTLMv2 and NTLMv1.
Database Information
Tell us the database instance to authenticate to. You can define a single instance by providing the instance name, database name and port, or choose from the Auto discover options and let us find the matching instances.
Not sure how to find the instance name?
You need the instance name assigned to the TCP/IP port (by default this is set to MSSQLSERVER). This is NOT the host name that is assigned to the MS SQL Server instance name. Learn how to find this on a Windows system
Auto discover options
Use the Auto discover options and we'll automatically find matching database instances on your target hosts, so you don't have to provide database information in your record. This is recommended if you have multiple instances on the same host.
For Windows, we provide Auto discover options for Instance, Database and Port. If you select Auto discover for Instance or Port, then Windows authentication is also required. Make sure the IPs assigned to the MS SQL record are also configured for a Windows record.
For Unix, we provide Auto discover options for Database and Port. You are required to provide the Instance name. If you select Auto discover for Port, then Unix authentication is also required. Make sure the IPs assigned to the MS SQL record are also configured for a Unix record.
IPs or Member Domain
Which IPs should I add to my record?
Select the target compliance hosts (IPs) to authenticate to. Each IP may be included in one MS SQL Server record.
Member Domain (Windows only)
You can create a single record for all MS SQL server targets that are members of your domain. To use domain based support, provide your active directory or NetBIOS domain name on the "IPs or Member Domain Tab" in the Member Domain field. Note that this field only appears when Authentication Type or Authentication OS Type is set to Windows on the Login Credentials tab in the record.
When Member Domain is provided:
- We'll auto discover all MS SQL server targets in the domain.
- It's not possible to provide IP addresses for the same record.
Important Notes for Unit Managers
When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.