The SQL Vulnerability Assessment (VA) feature in now available in SSMS (SQL Server Management Studio)! I blogged about this feature in Azure recently, and hinted that SQL Vulnerability Assessment Available in SSMS would be coming soon. Well, today is that day!
Go here to download the latest version of SSMS. You will need version 17.4 for the VA feature. Once you are up and running, all you need to do is right-click to start a scan, like this:
When the scan is complete you get the results:
From there, you can select a row and examine the T-SQL used:
And you can set this result to be your baseline (see upper left, ‘Approve as Baseline’ button). And here is one of my favorite features for you to play with right now, you can see a list of columns that are candidates for enhanced security such as Dynamic Data Masking or Always Encrypted:
I will leave scanning the master database as an exercise for the reader.
You may have noticed that there is an ID column in the results, with a six character tag similar to “VA1285”. This would imply that there is a master list of items that VA is scanning for. I am not able to find any such list online at this time. I’m hopeful Microsoft will publish something soon. For now, I can point you to the main page for more information. That’s the page where you will find nuggets of info like “Vulnerability Assessment is supported for SQL Server 2012 and later”. Keep an eye on that page for future details.
To me, SSMS 17.4 is *HUGE* for two reasons. First, the VA feature. This is a wonderful thing. Even more wonderful is that we didn’t need to wait for a service pack in order to get this feature into SSMS. This is why decoupling SSMS from the installer was a step in the right direction. We get wonderful features, delivered faster.