Quick Start Guide: Non-Domain Joined MS SQL Database Scanning (GUI)

Overview

This guide walks through scanning a non-domain joined Microsoft SQL Server database using CIS-CAT Pro Assessor v4. If the database is domain joined, see this guide instead: https://cisecurity.atlassian.net/wiki/spaces/SCFKB/pages/2721284097

Requirements

Implementation Steps

  1. Change the Server Authentication Mode in SSMS

    1. In SQL Server Management Studio (SSMS) Object Explorer, right-click the server, and then click Properties.

    2. On the Security page, under Server authentication, select SQL Server and Windows Authentication mode, and then click OK.

    3. In the SQL Server Management Studio dialog box, click OK to acknowledge the requirement to restart SQL Server.

    4. In Object Explorer, right-click your server, and then click Restart. If SQL Server Agent is running, it must also be restarted. The new authentication mode does not take effect until the service has restarted.

    Note: mixed mode is needed here only because a non-domain joined assessor cannot authenticate with a Windows account. It is weaker than Windows Authentication mode (the CIS SQL Server Benchmark recommends Windows Authentication mode only), so plan to switch the setting back once the assessment is complete.

  2. Build the JDBC connection string, using a SQL Server login with admin (sysadmin) rights.

    For a local assessment:

    jdbc:sqlserver://hostname;user=MyUserName;password=******;

    For a remote assessment:

    jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;user=db_user;password=db_pass;instanceName=TestInstance;

    The user and password must be a SQL Server login (which is why step 1 enables mixed mode), not a Windows account. Give either the port or the instanceName: with a port the driver connects to it directly; with instanceName alone the driver must reach the SQL Browser service (UDP 1434) to look up the instance's port; if both are given the connection is made to the port and instanceName is only validated against it. The password sits in clear text in this string, so protect any file or saved configuration that contains it.

  3. Run the assessment using the GUI or CLI. See the Workflow section of the documentation for the steps.
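Steps 1 and 2 as an added T-SQL example (this is not part of the CIS guide or of CIS-CAT itself): it makes the same authentication-mode change SSMS makes in step 1, and creates a dedicated login to use in the step 2 JDBC string instead of sa, so the sa password is never written into an assessor configuration and the scan's logins are attributable. It assumes you run it as sysadmin in SSMS or sqlcmd on the target instance; the login name CIS_Assessor and its password are placeholders.

```sql
-- Added example, not code from the CIS guide. Run as sysadmin on the target
-- instance. CIS_Assessor and the password are placeholders; pick your own.

-- 1. Current mode: 1 = Windows Authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;

-- 2. Switch to SQL Server and Windows Authentication mode (LoginMode = 2).
--    This is the same registry value SSMS writes; xp_instance_regwrite
--    resolves the instance-specific key, so the path below also works for
--    named instances.
EXEC master.dbo.xp_instance_regwrite
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'LoginMode', REG_DWORD, 2;
-- Takes effect only after the SQL Server service is restarted (step 1.4).
-- Until then SQL logins are still rejected with error 18456, state 58
-- ("Server is configured for Windows authentication only").

-- 3. A dedicated SQL login for the assessment. CHECK_POLICY = ON applies the
--    Windows password policy, so the placeholder must be replaced with a
--    password that satisfies it.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CIS_Assessor')
    CREATE LOGIN CIS_Assessor WITH PASSWORD = N'<strong-password>', CHECK_POLICY = ON;

-- The guide calls for an admin account; sysadmin is what "admin" means here.
-- (SQL Server 2008 R2 and earlier: EXEC sp_addsrvrolemember 'CIS_Assessor', 'sysadmin';)
ALTER SERVER ROLE sysadmin ADD MEMBER CIS_Assessor;

-- 4. Clean-up after the assessment: remove the login and return to
--    Windows Authentication only (LoginMode = 1), then restart the service.
-- DROP LOGIN CIS_Assessor;
-- EXEC master.dbo.xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
--      N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1;
```

With this login in place the remote string from step 2 becomes `jdbc:sqlserver://CIS-SERVER:1433;user=CIS_Assessor;password=<strong-password>;`. The clean-up block is deliberately commented out so the script cannot lock you out mid-assessment; run it once the results are collected.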

Troubleshooting Steps

If the scan is unsuccessful, check the SQL Server error log for a 'Login failed for user' message that matches the user name in your JDBC string. The Reason text on that line tells you which part of the setup is wrong: the login does not exist, the password did not match, the server is still configured for Windows authentication only (step 1 was not applied or the service was not restarted), or the database named in databaseName could not be opened. Here is how to view the SQL Server error log in SSMS: https://docs.microsoft.com/en-us/sql/relational-databases/performance/view-the-sql-server-error-log-sql-server-management-studio?view=sql-server-ver15
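The same troubleshooting done from a query window, as an added T-SQL example that is not part of the CIS guide: it checks the usual causes of the failure in one result row and then pulls the matching lines out of the current error log rather than browsing it in SSMS. It assumes sysadmin rights on the instance; db_user and TestDB are the placeholder values from the remote JDBC string above.

```sql
-- Added example, not code from the CIS guide. Run as sysadmin on the instance
-- named in the JDBC string. @login and @db are placeholders from that string.
DECLARE @login sysname = N'db_user';
DECLARE @db    sysname = N'TestDB';

-- One row summarising the conditions a SQL-authenticated scan needs.
-- No row at all means the login does not exist on this instance.
SELECT
    SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly, -- must be 0 (mixed mode, after restart)
    p.type_desc                                AS LoginType,       -- must be SQL_LOGIN, not WINDOWS_LOGIN
    p.is_disabled                              AS LoginDisabled,   -- must be 0
    LOGINPROPERTY(@login, 'IsLocked')          AS LoginLocked,     -- must be 0 (lockout from repeated bad passwords)
    IS_SRVROLEMEMBER('sysadmin', @login)       AS IsSysadmin,      -- must be 1 for an admin-level assessment
    CASE WHEN DB_ID(@db) IS NULL THEN 'missing' ELSE 'ok' END
                                               AS DatabaseName     -- the databaseName= value must exist
FROM sys.server_principals AS p
WHERE p.name = @login;

-- Read the current error log (0) of type SQL Server (1); both filter strings
-- must match, so only this login's failures are returned. Each line carries
-- the Reason text and the client address the attempt came from.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user', @login;
```

If the last statement returns nothing while the scan still fails, the connection is not reaching this instance at all (wrong host, port, instanceName, or a firewall), so check connectivity before changing anything on the server.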

See this section of the documentation for more information on JDBC string structure:
https://ciscat-assessor.docs.cisecurity.org/en/latest/Configuration%20Guide/#database-assessment

Copyright © 2022 Center for Internet Security®