Friday, March 23, 2012

DISA auditing of a SQL 2005 Express database

On my upcoming trip, I have to audit a SQL 2005 Express database and hold it accountable to the DISA SQL Server 2005 checklist.  I know that there are parts of the checklist that will be "Not Applicable" as Express just doesn't have all of the features that Server has.  My plan is to run the Microsoft SQL Server SRRs against the database, then connect and check as many of the manual checks as possible.

To connect to the database, I plan on using OSQL.  In this case, my command will be:

osql -E   - which will connect me to the database (assuming that it is the default.)

osql -E -S \instance name     - I'll use this if they have changed the instance name.

Upon connecting, I should be able to run any of the manual SQL that is listed in the checklist in order to answer the controls.

(In an unclassified environment, I would bring along QueryExpress.exe and connect to the database that way to run queries.)
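An added example, not part of the original post: a batch script that runs each manual check query non-interactively through osql and saves the output as audit evidence. The instance name and folder paths are hypothetical, and it assumes each manual check from the checklist has been saved as its own .sql file ending in GO.

```batch
@echo off
rem Added example, not from the original post.
rem Assumptions (hypothetical values): INSTANCE, CHECKS and OUT below.
rem Each .sql file in CHECKS holds one manual check query copied from the
rem checklist and ends with a GO line.
setlocal
set "INSTANCE=.\SQLEXPRESS"
set "CHECKS=C:\audit\checks"
set "OUT=C:\audit\results"

if not exist "%OUT%" mkdir "%OUT%"

rem Record the version string first; it includes the edition, which is what
rem justifies marking Server-only controls as Not Applicable.
rem -E Windows authentication, -S server\instance, -Q run query and exit,
rem -b set ERRORLEVEL on error, -n no line numbering, -w output width,
rem -o output file.
osql -E -S "%INSTANCE%" -b -n -w 200 -Q "SELECT @@VERSION" -o "%OUT%\00_version.txt"
if errorlevel 1 (
    echo Could not query %INSTANCE% with Windows authentication.
    exit /b 1
)

rem Run every check file and keep one result file per check.
for %%F in ("%CHECKS%\*.sql") do (
    echo Running %%~nxF
    osql -E -S "%INSTANCE%" -b -n -w 200 -i "%%F" -o "%OUT%\%%~nF.txt"
    if errorlevel 1 echo %%~nF FAILED>>"%OUT%\_errors.log"
)
endlocal
```

A check listed in _errors.log did not run cleanly and needs to be repeated interactively before the control is answered.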


  1. Hello friends,

    Microsoft SQL Server is a relational database server, developed by Microsoft, it is a software product whose primary function is to store and retrieve data as requested by other software applications, be it those on the same computer or those running on another computer across a network. Thanks a lot....

  2. Nightmares in Applicaton Security, May 3, 2012 at 11:15 AM

    So, how successful were you in getting scan results? Was the scan successful? Were the results useful or just full of junk?

    I've wondered if anybody has succeeded in getting decent scan results from either the SRRs or AppDetective against a version of SQL Server that wasn't necessarily a full-blown version.

    This could be the solution to a couple of my problems. It's hard to implement "trust, but verify" when you can't necessarily verify independently.

  3. I had no problem with the SRRs. And, using osql, I was able to gather the results of the manual checks. Bear in mind that the machine was configured such that the SRRs ran without a problem. Quite possibly, if the machine was more locked down, results would vary.

    I did not run AppDetective at all. I knew I was going to run the SRRs and do the manual checks. I knew I was covering the entire checklists.

    There are some findings that will really need analyzing as the results returned do not really apply to a desktop SQL environment. There are controls where it is hard to evaluate a desktop SQL installation versus a regular production server.