IBM Security Guardium

  • 1.  Vulnerability Assessment for MSSQL using Windows Authenticated account

    Posted Mon May 10, 2021 12:18 PM
    Guardium Experts,

    We are starting to use the Guardium VA feature for MSSQL DB Technology.
    When I read the documentation for the script to create the user, it says it has to be SQL authenticated.
    We have a generic account which is Windows authenticated across all SQL DB servers and would like to leverage that account only.
    Does anyone have any experience or a method for how we can leverage the Windows authenticated account to run a VA scan for MSSQL instead of using a SQL authenticated account?

    ------------------------------
    Rohit Goyal
    ------------------------------


  • 2.  RE: Vulnerability Assessment for MSSQL using Windows Authenticated account

    Posted Mon May 10, 2021 04:11 PM
    You can use Windows authentication and an encrypted protocol connection for SQL Server. You would specify this in the data source connection property.
    For example, my connection property:
    domain=encore;AuthenticationMethod=ntlm2java;encryptionMethod=SSL;validateServerCertificate=false

    See the data source documentation here:
    https://www.ibm.com/docs/en/guardium/11.3?topic=datasource-ms-sql-server-datadirect

    ------------------------------
    Leila Johannesen
    ------------------------------



  • 3.  RE: Vulnerability Assessment for MSSQL using Windows Authenticated account

    IBM Champion
    Posted Tue May 11, 2021 09:03 AM

    See the example screenshot.
    Your scan account should have the privileges assigned on SQL to be able to scan.  The easiest permission is sysadmin, as there are about 7 tests that cannot scan if you don't grant sysadmin.  For username and password, you would use the Active Directory/computer account (without the domain/computer name appended).  The computer name/domain name would be used in the domain= field value in the connection property field.

    AuthenticationMethod=ntlm2java;encryptionMethod=SSL;validateServerCertificate=false;IntegratedSecurity=false;domain=TEST

    There would be a different configuration on the screenshot if you're using a dynamic port.


    ------------------------------
    Walter York
    ------------------------------
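
An added example (not from any poster in this thread or from IBM): a small Python check for connection-property strings like the ones quoted above, flagging a disabled server-certificate check and a username/domain layout that does not match the guidance in the post above. Function names, finding codes and the account name `svc_guardium` are hypothetical, and treating property names as case-insensitive is an assumption made for linting.

```python
# Added example: lint a datasource connection-property string of the form
# quoted in this thread. Names and finding codes are hypothetical.

def parse_props(conn_prop):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    props = {}
    for part in conn_prop.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed property: {part!r}")
        # Assumption: property names are compared case-insensitively.
        props[key.strip().lower()] = value.strip()
    return props


def lint_datasource(username, conn_prop):
    """Return finding codes for one datasource definition."""
    props = parse_props(conn_prop)
    findings = []
    if props.get("encryptionmethod", "").lower() != "ssl":
        # Connection is not requested as SSL-encrypted.
        findings.append("NO_ENCRYPTION")
    elif props.get("validateservercertificate", "").lower() == "false":
        # Encrypted, but the server's certificate is not verified,
        # so the endpoint's identity is not authenticated.
        findings.append("CERT_NOT_VALIDATED")
    if props.get("authenticationmethod", "").lower() == "ntlm2java":
        # Per the post above: the domain goes in domain=, not the username.
        if not props.get("domain"):
            findings.append("DOMAIN_MISSING")
        if "\\" in username or "@" in username:
            findings.append("DOMAIN_IN_USERNAME")
    return findings


if __name__ == "__main__":
    # Constructed samples; the first string is the one quoted in the thread.
    samples = [
        ("svc_guardium", "AuthenticationMethod=ntlm2java;encryptionMethod=SSL;"
         "validateServerCertificate=false;IntegratedSecurity=false;domain=TEST"),
        ("TEST\\svc_guardium", "AuthenticationMethod=ntlm2java;"
         "encryptionMethod=SSL;validateServerCertificate=true"),
    ]
    for user, prop in samples:
        print(user, "->", lint_datasource(user, prop) or "no findings")
```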



  • 4.  RE: Vulnerability Assessment for MSSQL using Windows Authenticated account

    Posted Tue May 11, 2021 01:36 PM
    Thanks Walter and Leila for your response.

    I am able to connect using the Windows Authenticated account.

    ------------------------------
    Rohit Goyal
    ------------------------------