What’s new in SSMS 17.4: SQL Vulnerability Assessment

This post is authored by Ronit Reger, Senior Program Manager, SQL Data Security and Alan Yu, Program Manager, SQL Server

We are excited to announce the release of SQL Server Management Studio (SSMS) 17.4!

Download SSMS 17.4 and review the Release Notes to get started.

SSMS 17.4 provides support for almost all feature areas on SQL Server 2008 through the latest SQL Server 2017, which is now generally available.

In addition to enhancements and bug fixes, SSMS 17.4 comes with an exciting new feature: SQL Vulnerability Assessment!

What is Vulnerability Assessment?

SQL Vulnerability Assessment (VA) is your one-stop-shop to discover, track and remediate potential database vulnerabilities. It can be used as an excellent preventative security measure, providing visibility into your security state and offering actionable steps to investigate, manage and resolve security issues and enhance your database fortifications. It is designed to be usable even for non-security-experts – getting started and seeing an initial actionable report takes only a few seconds.

Vulnerability Assessment report in SSMS

VA truly enables you to focus your attention on the highest impact actions you can take to proactively improve your database security stature! In addition, if you have data privacy requirements, or need to comply with data protection regulations like the EU GDPR – then VA is your built-in solution to simplify these processes and monitor your database protection status. For dynamic database environments where changes are frequent and hard to track, VA is invaluable in detecting the settings that can leave your database vulnerable to attack.

How does Vulnerability Assessment work?

The VA service runs a scan directly on your SQL database or server. VA employs a knowledge base of rules that flag security vulnerabilities and deviations from best practices, such as misconfigurations, excessive permissions, and exposed sensitive data. The rule base grows and evolves over time, to reflect the latest security best practices recommended by Microsoft.

Results of the assessment include actionable steps to resolve each issue and provide customized remediation scripts where applicable. An assessment report can be customized for each customer environment and tailored to specific requirements. This process is managed by defining a security Baseline for the assessment results, such that only deviations from the custom Baseline are reported.

VA is supported for SQL Server 2012 and later, and can also be run on Azure SQL Database.

Get started now!

To gain the benefits of a Vulnerability Assessment on your database, all you need to do is run a Scan, which will scan your database for vulnerabilities. The scan is lightweight and safe. It takes a few seconds to run and is entirely read-only. It does not make any changes to your database!

To learn more about VA, check out this demo on Channel 9:

Also, take a look at Getting Started with Vulnerability Assessment for more details on how to run and manage your assessment.

Try it out, and let us know what you think!