Planning database security
Audit the database
In addition to the protection built into the Sophos Enterprise Console databases, we recommend setting additional protection at the SQL Server instance level (if not already in place) to audit user activities and changes on your SQL Server.
For example, if you are using an Enterprise edition of SQL Server, you can use the SQL Server Audit feature. Versions of SQL Server earlier than SQL Server 2008 support login auditing, trigger-based auditing, and event auditing by using a built-in trace facility.
For more information about features that you can use for auditing activities and changes on your SQL Server system, see the documentation for your version of SQL Server.
- Security Center for SQL Server Database Engine
- SQL Server Audit (Database Engine)
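As an added example (not taken from the Sophos documentation), the following T-SQL sets up instance-level auditing with the SQL Server Audit feature mentioned above and then reads the results back. The audit name, specification name, folder path, and choice of action groups are assumptions; adapt them to your own policy.

```sql
-- Added example: instance-level SQL Server Audit.
-- Object names and the D:\SQLAudit\ path are placeholders (assumptions).
USE master;
GO

-- 1. Define where audit records go. The folder must already exist and
--    should be writable only by the SQL Server service account.
CREATE SERVER AUDIT [Instance_Security_Audit]
TO FILE (
    FILEPATH = N'D:\SQLAudit\',
    MAXSIZE = 100 MB,            -- roll over to a new file at 100 MB
    MAX_ROLLOVER_FILES = 20,     -- keep at most 20 files
    RESERVE_DISK_SPACE = OFF
)
WITH (
    QUEUE_DELAY = 1000,          -- ms before records are flushed to disk
    ON_FAILURE = CONTINUE        -- keep the instance running if the audit cannot write
);
GO

-- 2. Choose what to record: logins, account and permission changes,
--    backup/restore activity, and changes to the audit itself.
CREATE SERVER AUDIT SPECIFICATION [Instance_Security_Audit_Spec]
FOR SERVER AUDIT [Instance_Security_Audit]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (BACKUP_RESTORE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- 3. Start the audit.
ALTER SERVER AUDIT [Instance_Security_Audit] WITH (STATE = ON);
GO

-- 4. Review what has been recorded, newest first.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Run the batches in SQL Server Management Studio or sqlcmd as a login with the ALTER ANY SERVER AUDIT permission.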
Encrypt connections to the database
We strongly recommend that you encrypt connections between any clients and the Sophos Enterprise Console databases.
- Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager)
- How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console
Control access to the database backups
Ensure proper, restrictive access control to any database backups or copies. This will ensure that unauthorized users cannot access the files, tamper with them, or accidentally delete them.
Check database connection
When you run the Sophos Enterprise Console 5.5.1 or later installer, it checks (prior to installation or upgrade) whether a connection can be made to the database using TLS 1.2.
To ensure that TLS 1.2 is used when connecting to the database, use the CheckDBConnection.exe tool to get output on the connection checks and make manual changes.
For more information, see knowledgebase article 127521.