When you are scanning an MS-SQL database by a scan engine which is not located in the same domain. The databases are not enumerated or vulnerability results are not avalaliable.

 The databases area under the scan results are blank.

 The MS-SQL Brower service is not avaliable to the scan engine. As such it can not find MS-SQL servers running on non- standard ports (ie. 1433).

 There are two options that you can use:

Note: You will need to create a new scanning template, or copy then modify an existing template.

Option 1:

If you know what ports your MS-SQL Server is running on. You can modify the scan template to include this ports as part of the discovery phase of the scan.

1. Navigate to the following area within the Security Console.
   1. Administration > Scan Templates > Manage
   2. Select the scan template you wish to modify and click on Edit
   3. Click on the Service Discovery part of the template.
   4. In the 'TCP scanning' go to the 'Additional Ports' field and add the ports MS-SQL is running on. Use a comma to deliminate them.
   5. Click on Save.
2. Run the scan to check that you now can scan the database.

Option 2:

If you don't know what ports the MS-SQL database is running on.

1. Navigate to the following area within the Security Console.
   1. Administration > Scan Templates > Manage
   2. Select the scan template you wish to modify and click on Edit
   3. Click on the Service Discovery part of the template.
   4. In the 'TCP scanning' use the drop down box of the 'Ports to Scan' and select 'All possible ports (1-65535).
   5. Click on Save.
2. Run the scan to check that you now can scan the database.

Best Practise:

It would be advisable to create an asset group with just your MS-SQL servers in them, so you only run an all ports discovery scan on those servers. As this will increase the time it takes to scan.

Applies To

 A linux scan engine or windows scan engine which is not part of the same domain as the MS-SQL Server.