Control Compliance Suite Vulnerability Manager (CCSVM): MS-SQL databases are not enumerated or scanned when the Scan Engine is not part of the domain


Article ID: 157474


Products

Control Compliance Suite Vulnerability Manager

Issue/Introduction

 When you scan an MS-SQL database with a scan engine that is not located in the same domain, the databases are not enumerated or vulnerability results are not available.

 The Databases area under the scan results is blank.

Cause

 The MS-SQL Browser service is not available to the scan engine. As a result, the scan engine cannot find MS-SQL servers running on non-standard ports (i.e. ports other than 1433).

Resolution

 There are two options that you can use:

Note: You will need to create a new scanning template, or copy and then modify an existing template.

Option 1:

If you know which ports your MS-SQL Server is running on, you can modify the scan template to include these ports as part of the discovery phase of the scan.

  1. Navigate to the following area within the Security Console.
    1. Administration > Scan Templates > Manage
    2. Select the scan template you wish to modify and click on Edit
    3. Click on the Service Discovery part of the template.
    4. In the 'TCP scanning' section, go to the 'Additional Ports' field and add the ports MS-SQL is running on. Use a comma to delimit them.
    5. Click on Save.
  2. Run the scan to check that you now can scan the database.
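
The following is an added example, not part of the original article or the product: run from an administrative host inside the domain that can still reach the SQL Server Browser service on your own servers, it reads each instance's TCP port from the Browser reply and builds the comma-delimited value for the 'Additional Ports' field. It assumes the Browser service listens on UDP 1434 and uses the message layout from Microsoft's SQL Server Resolution Protocol (MC-SQLR) specification; the host name, instance names and sample reply are constructed.

```python
import socket
import struct

def parse_browser_response(data: bytes) -> dict[str, int]:
    """Map instance name -> TCP port from a SQL Server Browser (SSRP) reply."""
    # Reply layout: 0x05, 2-byte little-endian length, then ASCII key;value pairs.
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SVR_RESP message")
    (length,) = struct.unpack_from("<H", data, 1)
    text = data[3:3 + length].decode("ascii", errors="replace")
    ports = {}
    for record in text.split(";;"):          # one record per instance
        fields = record.strip(";").split(";")
        kv = dict(zip(fields[0::2], fields[1::2]))
        name, port = kv.get("InstanceName"), kv.get("tcp")
        if name and port and port.isdigit() and 0 < int(port) < 65536:
            ports[name] = int(port)          # instances without TCP enabled are skipped
    return ports

def additional_ports(replies: list[bytes]) -> str:
    """Comma-delimited, de-duplicated port list for the 'Additional Ports' field."""
    found = set()
    for reply in replies:
        found.update(parse_browser_response(reply).values())
    return ",".join(str(p) for p in sorted(found))

def query_browser(host: str, timeout: float = 2.0) -> bytes:
    """Ask the Browser service (assumed UDP 1434) on one of your own servers for its instances."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x03", (host, 1434))      # CLNT_UCAST_EX request
        return s.recvfrom(65535)[0]

def _frame(body: str) -> bytes:
    raw = body.encode("ascii")
    return b"\x05" + struct.pack("<H", len(raw)) + raw

# Constructed sample reply: two TCP instances and one named-pipes-only instance.
SAMPLE_REPLY = _frame(
    "ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;Version;15.0.2000.5;tcp;1433;;"
    "ServerName;SQL01;InstanceName;REPORTING;IsClustered;No;Version;15.0.2000.5;tcp;50123;;"
    "ServerName;SQL01;InstanceName;LOCALONLY;IsClustered;No;Version;15.0.2000.5;np;\\\\SQL01\\pipe\\MSSQL$LOCALONLY\\sql\\query;;"
)

if __name__ == "__main__":
    print(additional_ports([SAMPLE_REPLY]))
```

To use it against live servers, pass the output of `query_browser()` for each MS-SQL host to `additional_ports()` and paste the result into the template.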

Option 2:

If you don't know which ports the MS-SQL database is running on:

 

  1. Navigate to the following area within the Security Console.
    1. Administration > Scan Templates > Manage
    2. Select the scan template you wish to modify and click on Edit
    3. Click on the Service Discovery part of the template.
    4. In the 'TCP scanning' section, use the 'Ports to Scan' drop-down box and select 'All possible ports (1-65535)'.
    5. Click on Save.
  2. Run the scan to check that you now can scan the database.

Best Practice:

It is advisable to create an asset group containing just your MS-SQL servers, so that you run an all-ports discovery scan only on those servers, because scanning all ports increases the time it takes to scan.

 


Applies To

 A Linux scan engine or Windows scan engine which is not part of the same domain as the MS-SQL Server.