December 20, 2000 12:00 AM

Database Scanner 4.0.1

SQL Server Pro
InstantDoc ID #16059

Database Scanner archives all test results in a Microsoft Access database on the client workstation so that you can view and track improvements in your security implementation. You need to compact the Access database occasionally, and Database Scanner provides an automated way to do this task through the Maintenance tab on the Options menu.

Make Your Server a Stronghold
Security violations usually occur on improperly configured servers or networks or on servers or networks with unenforced security policies—or no security policies at all. Database Scanner helps you avoid such problems. The tool finds improper configurations and helps you establish and enforce any level of security you want. Not only does Database Scanner find the security holes in your SQL Server systems, but it uses its reports to explain how to fix the holes.

I thought I was security-minded, but Database Scanner proved me wrong. On my server, Database Scanner found several passwords in clear text and several other passwords that the product easily cracked. The tool also provides reports showing orphaned User IDs (UIDs) and stale logins (logins that haven't been used in a long time and that you can probably delete). Database Scanner finds registry entries that contain passwords and checks the file permissions on your files to make sure they're secure. The tool also summarizes each database's configuration and size and performs a trend analysis of your security policies to show whether anyone has repaired the reported security violations since the tool produced a given report.

Pricing for Database Scanner begins at $995 per server. You must have a license for every server you want to scan with Database Scanner, and in some parts of the application, such as the penetration test, the server name is case-sensitive. If you don't enter the server name in the exact case you used when you entered the name in the license screen, the program returns an error saying that you don't have the appropriate number of licenses, which can get annoying. ISS says that the next version of Database Scanner, 4.1, will support SQL Server 2000. The upgrade to the new version, which ISS says will be available this month, is free for current Database Scanner customers who have maintenance contracts.

Database Scanner can help you replace a high-priced security consultant or help you become a better, more efficient consultant or security administrator yourself. Although the GUI isn't always easy to use, I believe the ISS programmers spent their time programming the right thing: a killer security-scanning application that is never out-of-date.

CONTACT INFORMATION
Product: Database Scanner 4.0.1
Contact: Internet Security Systems * 888-901-7477
Web: http://www.iss.net
Price: Starts at $995 per server

Decision Summary
Pros: Generates comprehensive security reports; performs trend analysis
Cons: GUI isn't intuitive

