When I heard about DbSecure's SQL Auditor in September 1998, I downloaded the beta and was really impressed. Here was a utility that essentially performed a security audit on individual servers and their databases. I couldn't believe the holes SQL Auditor uncovered, not only on my development servers but also on servers at a client's site. Although I'm not a card-carrying member of Paranoids Anonymous, I do consider myself security conscious, so I was chagrined to learn that I had missed some basic things. After I did the inevitable soul searching ("How could I have missed this?"), I realized I probably wasn't alone.
In December 1998, Internet Security Systems (ISS) announced its version of SQL Auditor based on technology it acquired from DbSecure. ISS renamed the product Database Scanner and shipped version 2.0 in February, leaving SQL Server 6.x support unchanged but adding support for Sybase Adaptive Server. ISS expected to ship a new version of Database Scanner for SQL Server 7.0 in first quarter 1999, but as of press time, the product still hadn't shipped. ISS also offers SAFEsuite, a family of vulnerability- and intrusion-detection products; SAFEsuite's Internet Scanner particularly impresses me.
In addition, ISS hosts the extremely useful ntsecurity mailing list. To subscribe to the daily digest version, include "subscribe ntsecurity-digest" in the body of a mail message to majordomo@iss.net.
In SQL Server 7.0, Microsoft replaced SQL Server 6.x's three security modes (integrated, standard, and mixed) with two: Windows NT authentication only, or combined SQL Server and NT login authentication. NT-only authentication corresponds to 6.x integrated security, and SQL Server and NT login authentication corresponds to 6.x mixed security; 6.x's standard mode, which accepted only SQL Server logins, has no direct equivalent in 7.0. Windows 9x users, who have no NT security to integrate with, will have to use the combined mode, which corresponds to SQL Server 6.5's mixed-security mode.
Other changes include new server and database roles and a lot of hole-closing related to the default systems administrator (sa) login. Because sa is a special login that exists mainly for backward compatibility with earlier versions of SQL Server, every fresh SQL Server installation gives you an sa login with a blank password. You cannot rename or delete sa, so you must set an sa password. If you don't replace the empty password with one of your own, anyone familiar with SQL Server can log in as sa and gain unauthorized, unrestricted access to your server. You can manage logins in Enterprise Manager's Security folder by right-clicking Logins.
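The following Transact-SQL script is an added example, not code from the article or from ISS or Microsoft. It checks the two points made above on a SQL Server 7.0 instance: which authentication mode the server is running in, and whether sa (or any other SQL Server login) still has the blank password that setup leaves behind, then sets an sa password and re-runs the check. It assumes the 7.0-era catalog (the master..syslogins view with name, password, isntname and sysadmin columns, where a blank password is stored as NULL) and that the registry value LoginMode under SOFTWARE\Microsoft\MSSQLServer\MSSQLServer holds 1 for NT-only and 2 for SQL Server and NT authentication; run it as a member of sysadmin.

```sql
-- Added example (not from the article): audit the authentication mode and
-- blank-password logins on a SQL Server 7.0 instance, then fix sa.
-- Assumptions: master..syslogins columns (name, password, isntname, sysadmin)
-- as in 7.0, blank passwords stored as NULL, and registry LoginMode = 1 (NT only)
-- or 2 (SQL Server and NT). Run as a sysadmin.

USE master
GO

-- 1. Which authentication mode is the server in?
--    Expected data value: 1 = Windows NT authentication only,
--                         2 = SQL Server and Windows NT (the old "mixed").
EXEC master..xp_regread
    'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
    'LoginMode'
GO

-- 2. Which SQL Server logins still have a blank password?
--    NT logins (isntname = 1) carry no SQL Server password, so they are excluded.
--    Any row here is a hole; a row flagged sysadmin is an unauthenticated
--    full-control path into the server.
SELECT name,
       CASE WHEN sysadmin = 1 THEN 'sysadmin' ELSE '' END AS server_role
FROM   master..syslogins
WHERE  isntname = 0
  AND  password IS NULL
GO

-- 3. Replace the empty sa password.
--    sp_password arguments: old password (NULL for a blank one), new password,
--    login name. A sysadmin may change any login's password this way.
--    Replace the literal below with a real, strong password before running.
EXEC sp_password NULL, 'Replace-This-With-A-Strong-Password', 'sa'
GO

-- 4. Re-run the check: sa must no longer appear in the result.
SELECT name
FROM   master..syslogins
WHERE  isntname = 0
  AND  password IS NULL
GO
```

Step 2 is the query worth scheduling: it catches not only sa but any SQL Server login someone created with an empty password after you hardened sa. If the server is in NT-only mode (step 1 returns 1) the sa login cannot be used to connect at all, but setting its password anyway costs nothing and protects you if someone later switches the mode back.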