Pete Finnigan's SQL Server Security Blog


06/19/2006: "Chip Andrews SQL lock down script"

Well, it's been some time since I have written on this SQL Server blog. I have been very busy of late, but I am planning to try and keep this blog more up to date from now on. I have made a few notes of links and information I would like to blog about.

Let's start the ball rolling. I was surfing the net last week and found Chip Andrews' lockdown script for SQL Server. This is on a page titled "Lockdown Script". I downloaded this script and had a look. This script is a great idea. It aims to bring a SQL Server database up to a basic level of security. The script is run and it checks and hardens by changing settings. The script is updated and follows an 80/20 rule to cover off the biggest lump of issues.

Whilst this is a great script, I do have some concerns. There are other lockdown tools such as this available on the net for other pieces of software, but generally these types of scripts are not available for database software. Why is this? In general, database software is complex and suitable for many different applications and purposes. This is a great feature of database software, its generic use. Having a fixed lockdown script that hardens all databases in the same way can unfortunately break some applications that have been written to use the weak or insecure feature.

I personally would always go with the audit/review/fix cycle rather than a straight fix first. That said, this script is very useful for anyone wanting to make simple changes to harden their SQL Server database.