Internet Security Systems (ISS) Database Scanner


1 Internet Security Systems (ISS) Database Scanner
Alex Mack

2 Table of Contents
Intro
Database Scanner Features
Database Security Checks
Database Scanner Operating Systems
How to Install Database Scanner
How Database Scanner Differs from Standard Database Security Tools
References

3 Intro
The Database Scanner identifies security threats in database applications.
It measures policy compliance and automates the process of securing critical online business data.
It generates detailed reports with all the information needed to correctly configure and secure databases.

4 Intro (cont)
The ISS security intelligence team constantly updates Database Scanner, so it can maintain a current defense against new attack methods.

5 Database Scanner Features
Database Scanner can perform two types of database scans:
Audit scan
Penetration test
Database Scanner checks passwords against a dictionary of known and easily guessed passwords, and also checks their length and character composition, to determine their strength in a database and its related services and applications.

6 Audit scan
Database auditing is an "inside-out" approach that accesses the database with an administrator-level account and password. Database Scanner's auditing feature lets users know exactly what objects are in their database, who has access to them, and what those users have been doing and could do.

7 Audit scan (cont)
Administrators can quickly identify weaknesses that could allow database users to extend and escalate their privileges to other objects and roles in the database.

8 Penetration test
Penetration testing is an "outside-in" approach that attempts to gain access to a database the way a hacker would. Database Scanner attempts to enter the database by using known default passwords and password guessing. Penetration tests can also make use of operating-system-level information to try to gain access to the database.

9 Database Security Checks
Authentication checks - encompass all of the settings verifying each user's claimed identity within the database management system.
Authorization checks - focus on how an authenticated user is permitted to use specific resources within the system.
System Integrity checks - settings that focus on the coordination and control of system resources of the database system.

10 Authentication checks
Password Aging
Blank Passwords
Same as Login ID
Reverse of Login ID
Login IDs Appended with Numbers
Common Proper Names
Common Date Formats
Common Keystrokes
Sequential Letters and Numbers
Dictionary of 30,000 Easily Guessed Passwords
Password in Install Files
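The authentication checks listed on this slide, written out as a small password-audit routine. This is an added example, not ISS code: the weak-password dictionary, keystroke fragments and date layouts are constructed placeholders standing in for the scanner's real lists, and the function and parameter names are assumed.

```python
import re
from datetime import date

# Constructed stand-in for the scanner's 30,000-entry dictionary; a real audit
# would load a full wordlist (and a list of common proper names) here.
WEAK_DICTIONARY = {"password", "welcome", "letmein", "admin", "oracle", "sybase", "sa"}

# Keyboard-walk fragments that count as "common keystrokes" (constructed sample).
KEYSTROKE_PATTERNS = ("qwerty", "asdf", "zxcv", "1qaz", "qazwsx")

# Common date layouts: 01012000, 2000-01-01, 01/01/00 and similar.
DATE_RE = re.compile(r"^(\d{2}[/-]?\d{2}[/-]?(\d{2}|\d{4})|\d{4}[/-]?\d{2}[/-]?\d{2})$")

def is_sequential(s, min_run=4):
    """True if s contains min_run consecutive ascending or descending letters or digits."""
    s = s.lower()
    for i in range(len(s) - min_run + 1):
        chunk = s[i:i + min_run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def password_findings(login_id, password, max_age_days=None, changed=None, today=None):
    """Return the names of the authentication checks this login/password pair fails."""
    findings = []
    lid, pw = login_id.lower(), password.lower()
    if pw == "":
        return ["Blank Password"]          # nothing else is worth reporting
    if pw == lid:
        findings.append("Same as Login ID")
    if pw == lid[::-1]:
        findings.append("Reverse of Login ID")
    if re.fullmatch(re.escape(lid) + r"\d+", pw):
        findings.append("Login ID Appended with Numbers")
    if DATE_RE.match(pw):
        findings.append("Common Date Format")
    if any(k in pw for k in KEYSTROKE_PATTERNS):
        findings.append("Common Keystrokes")
    if is_sequential(pw):
        findings.append("Sequential Letters and Numbers")
    if pw in WEAK_DICTIONARY:
        findings.append("Dictionary Password")
    if max_age_days is not None and changed is not None:
        if ((today or date.today()) - changed).days > max_age_days:
            findings.append("Password Aging")
    return findings
```

Run this against an export of login names and their password change dates (never against plaintext passwords from production; a real audit hashes candidates and compares against the stored hashes) and report any account whose list is non-empty.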

11 Authorization checks
Logon Hours Violations
Account Permissions
Role Permissions
Unauthorized Object Owners
Remote Login and Servers
System Table Permissions
Extended Stored Procedures
Cross Database Ownership Chaining
Authentication Login Attacks
Stale Login IDs
Security of Administrative Accounts
Excessive Administrative Actions

12 System Integrity checks
Trojan Horses
Auditing Trail
Auditing Configuration
Buffer Overflow in Database Link
Buffer Overflow in User Name
EXTPROC Service Running
Resource Usage checks
File System Integrity checks

13 Database Scanner Operating Systems
Supported operating systems:
Windows XP SP1
Windows 2000 Professional SP2
Windows NT Workstation SP6a
Supported database servers:
Oracle 9i
Sybase Adaptive Server 12.5
SQL Server 2000 SP3 and SP3a

14 How to Install Database Scanner?
Installing from the Database Scanner CD-ROM
Installing the Oracle Libraries
Installing the Sybase Libraries
Installing from a Downloaded File

15 Installing from the Database Scanner CD-ROM
1. Log onto the computer as Administrator or as a user in the Administrator group.
2. Insert the CD-ROM into the drive.
3. Select Start→Programs→Windows NT Explorer from the Windows task bar to open Windows NT Explorer.
4. Click the drive letter that corresponds to your CD-ROM. Explorer displays the CD-ROM contents in the right pane.
5. Double-click the NT_ISS folder. The Database Scanner installation files appear.
6. Double-click the setup.exe file. The Welcome to Database Scanner 4.2 window appears.
7. Click Next. The User/License Information window appears.
8. Type your Name and your Company name.
9. Click Next. The Software License Agreement window appears.
10. Click Yes.

16 Installing the Oracle Libraries
To scan Oracle databases, you must install the Oracle SQL*Net or Net8 Client Libraries from your Oracle installation disk or from
Take one of the following actions:
Click Back to return to the Software License Agreement window.
Click Next to display the Sybase Installation Requirements window and proceed with the installation.
Click Cancel to stop the installation program. On the next window, click Exit Setup.

17 Installing the Sybase Libraries
To scan Sybase databases, you must install the Sybase ODBC Drivers and Sybase Open Client Libraries from your Sybase installation disk or from
Take one of the following actions:
Click Back to return to the Software License Agreement window.
Click Next to proceed with the installation.
Click Cancel to stop the installation program. On the next window, click Exit Setup.

18 Installing from a Downloaded File
1. Log onto the computer as Administrator or as a user in the Administrator group.
2. Select Start→Programs→Windows NT Explorer from the Windows task bar to open Windows NT Explorer.
3. Click the drive letter that contains the installation file.
4. Double-click the DBS.EXE file (DBS_MP.EXE if you used the multipart download) on your computer. The setup files are expanded into the folder containing the DBS.EXE file.
Tip: If you have difficulty finding this file, select Tools→Find Files or Folders from the Windows task bar to search for the file.
5. From the folder into which the files were expanded, double-click the SETUP.EXE file. The Welcome to Database Scanner 4.2 window appears.
6. Click Next. The User/License Information window appears.
7. Type your Name and your Company name.
8. Click Next. The Software License Agreement window appears.
9. Click Yes.

19 How Database Scanner Differs from Standard Database Security Tools
Database Scanner is a standalone application that does not require users to install agents or other software on their database servers.
It provides security checks that are not available in the standard security mechanisms of most relational databases.
Regular testing of password strength on every login account is crucial to data integrity and security: most relational database systems do not require users to have any password at all, let alone one that is difficult to guess.

20 References

