SSMS 17.4 Vulnerability Assessment

SSMS 17.5 is out as of February 2018, but the the Vulnerability Assessment (VA) was released in SSMS 7.4

It seems that the Microsoft tools team is trying to build us better tools that come with the platform. There are good third parties that build tools, such as my employer, Redgate Software, but I am glad that Microsoft is also providing a little more value. This is especially welcome in the area of security.

In SSMS 17.4, the upgrade came with one goodie: the VA. This is an analysis that will help you determine if you potentially have issues with your instances and databases. This is an assessment of a database, but there are server implications as well.

Once you install or upgrade SSMS, you can right click on a database and choose Tasks, Vulnerability Assessment.

2018-02-23 17_37_53-

This is actually a menu of a couple items. You have the choice to run a scan or open an existing scan that you might have saved on your system.

2018-02-23 17_38_29-SQLQuery4.sql - (local)_SQL2016.AdventureWorks2014 (PLATO_Steve (70)) - Microsof

When you run a scan, a new dialog opens that asks you where to save the scan. You can change the path, and once you click OK, the scan runs.

2018-02-23 17_39_14-Scan For Vulnerabilities

A new tab opens in the query window space with the results of your scan. This gives you the bad news first. Those items you failed. In my case, I had 5 items.

2018-02-23 17_50_17-Vulnerability Assessment - BaseballStats - 2_23_2018 5_39_26 PM - Microsoft SQL  

These items are listed as high, medium, or low risk. I haven’t dug into these too deeply, so I won’t comment on the appropriateness, but look for more information at SQLServerCentral soon.

I did better on the passing side, 49 items.

2018-02-23 17_50_25-Vulnerability Assessment - BaseballStats - 2_23_2018 5_39_26 PM - Microsoft SQL

If I pick an item, I can mark this as approved as the baseline setting. For example, on this instance, I want Remote Admin connections.

2018-02-23 17_52_32-Vulnerability Assessment - BaseballStats - 2_23_2018 5_39_26 PM - Microsoft SQL

If I click “Approve as Baseline”, I get a dialog. I’ll say yes.

2018-02-23 17_52_38-Approve as Baseline

This item now has a baseline marked, or rather, the absence of a baseline removed. I also get a note that there are changes near the top.

2018-02-23 17_53_26-Vulnerability Assessment - BaseballStats - 2_23_2018 5_39_26 PM - Microsoft SQL

If I run a new scan, this issue doesn’t appear.

2018-02-23 17_54_24-Vulnerability Assessment - BaseballStats - 2_23_2018 5_53_44 PM - Microsoft SQL

This is now an item in the Passed tab.

2018-02-23 17_54_52-Vulnerability Assessment - BaseballStats - 2_23_2018 5_53_44 PM - Microsoft SQL

This is simple, and perhaps trivial, but having this built into a tool means that you can now start to see if things change. There is likely lots of opportunity to build on top of this and perhaps aggregate data or make it more consumable. Look for other companies to add to this, but for now, it’s nice that Microsoft is adding security help to SSMS.

You can read more about the Vulnerability Assessment on

About way0utwest

Editor, SQLServerCentral
This entry was posted in Blog and tagged , , . Bookmark the permalink.