Quick Start Guide: MSSQL Database Scanning w/ Integrated Security (GUI)
Overview
This guide walks through remotely scanning a domain-joined Microsoft SQL Server database using the CIS-CAT Pro Assessor v4 GUI with Windows integrated security. If the database host is not domain-joined, see this guide instead: https://cisecurity.atlassian.net/l/cp/cgtfNpKt
Requirements
Windows target machine hosting the SQL server is domain-joined
SQL Authentication Mode is set to Mixed Mode (SQL and Windows Authentication)
The Windows domain account conducting the scan is a member of the sysadmin server role on the SQL Server instance
Implementation Steps
Open the GUI
Select Advanced → Add remote or local target system
Fill out the appropriate information as shown below:
Scroll down and add the Benchmark. Once you select the Benchmark and press ‘Add’, you will be prompted for the JDBC string:
An example connection string for integrated security could look like the one below. The integratedSecurity=true property tells the Microsoft JDBC driver to authenticate as the Windows account running the assessor, so no username or password appear in the string; on Windows the driver needs its native authentication DLL (mssql-jdbc_auth-<version>.<arch>.dll, formerly sqljdbc_auth.dll) on the Java library path for this to work:
jdbc:sqlserver://CIS-SERVER:1433;integratedSecurity=true;
Once the JDBC string is built and the Test Connection is successful, select OK
Select ‘Save’ on the bottom right to move to the Target Systems page
Select ‘Next’ on the bottom right to move to the final page
On the final page, select the reporting options and logging level:
Once the options are configured to your liking, select ‘Next’ and the scan will begin
Troubleshooting Steps
If the scan is unsuccessful, check the SQL Server error log for a ‘Login failed for user’ message naming the Windows account that launched the assessor (with integrated security there is no username in the JDBC string; the login is the account running the GUI). Here’s a way to get the SQL logs: View the SQL Server error log (SSMS) - SQL Server
Check that the WinRM connection is properly configured: WinRM troubleshooting for remote CIS-CAT Pro assessment of a Windows target system
See this section of the documentation for more information on JDBC string structure:
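As an added pre-flight script, not part of the CIS documentation or of CIS-CAT Pro itself, the following PowerShell checks the three requirements above and both troubleshooting items from the same Windows account that will launch the assessor GUI. It assumes the placeholder host CIS-SERVER and port 1433 from the example JDBC string. The .NET SqlClient connection with Integrated Security=True authenticates with the same Windows token as the JDBC integratedSecurity=true property, so a failure here points at the account, the SPN or the server rather than at the JDBC string.

```powershell
# Added pre-flight and troubleshooting script; not part of CIS-CAT Pro or the
# CIS documentation. Run it as the domain account that will launch the
# CIS-CAT Pro Assessor GUI. CIS-SERVER and 1433 are placeholders taken from
# the example JDBC string in the guide.
param(
    [string]$SqlServer = 'CIS-SERVER',
    [int]$Port = 1433,
    [switch]$TrustServerCertificate   # only for lab instances with self-signed certs
)

# Same Windows-authentication path as jdbc:sqlserver://...;integratedSecurity=true;
$csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$csb['Data Source']            = "$SqlServer,$Port"
$csb['Integrated Security']    = $true
$csb['Encrypt']                = $true
$csb['TrustServerCertificate'] = [bool]$TrustServerCertificate
$csb['Connect Timeout']        = 10

$conn = New-Object System.Data.SqlClient.SqlConnection $csb.ConnectionString
try {
    $conn.Open()

    # Requirement checks: the login SQL Server sees, sysadmin membership,
    # whether Mixed Mode is enabled, and how Windows auth was negotiated
    # (KERBEROS is expected for a domain-joined target; NTLM usually means
    # the MSSQLSvc SPN for the service account is missing).
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT SUSER_SNAME()                                         AS LoginName,
       ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0)               AS IsSysadmin,
       CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsAuthOnly,
       c.auth_scheme                                         AS AuthScheme
FROM   sys.dm_exec_connections AS c
WHERE  c.session_id = @@SPID;
"@
    $r = $cmd.ExecuteReader()
    [void]$r.Read()
    $login   = $r['LoginName']
    $sysadm  = [int]$r['IsSysadmin']
    $winOnly = [int]$r['WindowsAuthOnly']
    $scheme  = $r['AuthScheme']
    $r.Close()

    "Connected to $SqlServer as $login via $scheme"
    if ($sysadm -ne 1)      { Write-Warning "$login is not a member of sysadmin (requirement 3)" }
    if ($winOnly -eq 1)     { Write-Warning "Instance is Windows Authentication only; the guide requires Mixed Mode (requirement 2)" }
    if ($scheme -eq 'NTLM') { Write-Warning "Authenticated with NTLM rather than Kerberos; check the MSSQLSvc SPN for the SQL service account" }

    # Troubleshooting: 'Login failed' entries in the current SQL Server error log.
    # xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server), search string.
    $cmd.CommandText = "EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';"
    $r = $cmd.ExecuteReader()
    while ($r.Read()) { '{0}  {1}' -f $r['LogDate'], $r['Text'] }
    $r.Close()
}
catch {
    Write-Warning "SQL connection failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}

# WinRM reachability of the target, the other dependency listed under Troubleshooting.
try {
    [void](Test-WSMan -ComputerName $SqlServer -ErrorAction Stop)
    "WinRM reachable on $SqlServer"
}
catch {
    Write-Warning "WinRM check failed: $($_.Exception.Message)"
}
```

Run it from the machine and account that will host the GUI, for example .\Preflight-MssqlScan.ps1 -SqlServer CIS-SERVER. Encryption is requested with certificate validation on by default; pass -TrustServerCertificate only when the instance uses a self-signed certificate and you accept that the connection is not protected against a spoofed server.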
Copyright © 2022 Center for Internet Security®