SSMS 17.5 is out as of February 2018, but the Vulnerability Assessment (VA) was released in SSMS 17.4.
It seems that the Microsoft tools team is trying to build us better tools that come with the platform. There are good third parties that build tools, such as my employer, Redgate Software, but I am glad that Microsoft is also providing a little more value. This is especially welcome in the area of security.
In SSMS 17.4, the upgrade came with one goodie: the VA. This is an analysis that will help you determine if you potentially have issues with your instances and databases. This is an assessment of a database, but there are server implications as well.
Once you install or upgrade SSMS, you can right-click on a database and choose Tasks, Vulnerability Assessment.
This is actually a menu of a couple of items. You have the choice to run a scan or open an existing scan that you might have saved on your system.
When you run a scan, a new dialog opens that asks you where to save the scan. You can change the path, and once you click OK, the scan runs.
A new tab opens in the query window space with the results of your scan. This gives you the bad news first: those items you failed. In my case, I had 5 items.
These items are listed as high, medium, or low risk. I haven’t dug into these too deeply, so I won’t comment on the appropriateness, but look for more information at SQLServerCentral soon.
I did better on the passing side, 49 items.
If I pick an item, I can mark this as approved as the baseline setting. For example, on this instance, I want Remote Admin connections.
If I click “Approve as Baseline”, I get a dialog. I’ll say yes.
This item now has a baseline marked, or rather, the absence of a baseline removed. I also get a note that there are changes near the top.
If I run a new scan, this issue doesn’t appear.
This is now an item in the Passed tab.
This is simple, and perhaps trivial, but having this built into a tool means that you can now start to see if things change. There is likely lots of opportunity to build on top of this and perhaps aggregate data or make it more consumable. Look for other companies to add to this, but for now, it’s nice that Microsoft is adding security help to SSMS.
You can read more about the Vulnerability Assessment on docs.microsoft.com.