Quick Start Guide: Non-Domain Joined MS SQL Database Scanning (GUI)

Overview

This guide walks through scanning a non-domain joined Microsoft SQL Database using CIS-CAT Pro Assessor v4. If the database is domain joined, please see this guide instead: Quick Start Guide: MSSQL Database Scanning w/ Integrated Security (GUI)

Requirements

Implementation Steps

  1. Change Server Authentication Mode in SSMS

    1. In SQL Server Management Studio Object Explorer, right-click the server, and then click Properties.

    2. On the Security page, under Server authentication, select SQL Server and Windows Authentication mode, and then click OK.

    3. In the SQL Server Management Studio dialog box, click OK to acknowledge the requirement to restart SQL Server.

    4. In Object Explorer, right-click your server, and then click Restart. If SQL Server Agent is running, it must also be restarted.

  2. For a local assessment, use the following JDBC string format (using a SQL admin account):

    jdbc:sqlserver://hostname;user=MyUserName;password=******;

    For a remote assessment, use the following JDBC string format (using a SQL admin account):

    jdbc:sqlserver://CIS-SERVER:1433;databaseName=TestDB;user=db_user;password=db_pass;instanceName=TestInstance;

  3. Run the assessment using the GUI or CLI. See this section of the documentation for the workflow steps.
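As an added example (not part of the CIS-CAT Pro Assessor documentation or product), here is a small Python parser for the jdbc:sqlserver:// string format used in step 2: it splits host, port and properties, flags a string that lacks the user= and password= values SQL Server authentication needs (or that sets integratedSecurity=true, which belongs to the domain-joined workflow), and masks the password so the string can be pasted into a ticket or log while troubleshooting. The property names and sample strings come from this page; the function names are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PREFIX = "jdbc:sqlserver://"


@dataclass
class SqlServerJdbcUrl:
    host: str
    port: Optional[int] = None
    properties: Dict[str, str] = field(default_factory=dict)  # original key case kept


def parse_jdbc_url(url: str) -> SqlServerJdbcUrl:
    """Split 'jdbc:sqlserver://host[:port];key=value;...' into host, port and properties."""
    if not url.startswith(PREFIX):
        raise ValueError("not a jdbc:sqlserver:// URL")
    server, _, rest = url[len(PREFIX):].partition(";")
    host, _, port_text = server.partition(":")
    if not host:
        raise ValueError("missing host name")
    port = int(port_text) if port_text else None
    props: Dict[str, str] = {}
    for item in rest.split(";"):
        if not item:  # the trailing ';' leaves an empty item
            continue
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed property: {item!r}")
        props[key] = value
    return SqlServerJdbcUrl(host=host, port=port, properties=props)


def check_sql_auth(url: str) -> List[str]:
    """Problems that would make a SQL-authenticated scan fail before it reaches the server."""
    lower = {k.lower(): v for k, v in parse_jdbc_url(url).properties.items()}
    problems: List[str] = []
    if not lower.get("user"):
        problems.append("missing user= property")
    if not lower.get("password"):
        problems.append("missing password= property")
    if lower.get("integratedsecurity", "").lower() == "true":
        problems.append("integratedSecurity=true needs a domain-joined host; see the other guide")
    return problems


def redact(url: str) -> str:
    """Rebuild the URL with the password masked so it can go into a log or ticket."""
    p = parse_jdbc_url(url)
    server = p.host + (f":{p.port}" if p.port else "")
    parts = [f"{k}={'******' if k.lower() == 'password' else v}" for k, v in p.properties.items()]
    return PREFIX + server + ";" + ";".join(parts) + ";"
```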

Troubleshooting Steps

If the scan is unsuccessful, check the SQL logs for a 'Login failed for user' message that matches the username in your JDBC string. Here's a way to get SQL logs: View the SQL Server error log (SSMS) - SQL Server

See this section of the documentation for more information on JDBC string structure:
https://ciscat-assessor.docs.cisecurity.org/en/latest/Configuration%20Guide/#database-assessment

Copyright © 2022 Center for Internet Security®