Planning database security

Note The links in this section lead to information maintained by third parties and are provided for your convenience. Although we try to review the accuracy of the links periodically, the links may change without our knowledge.

Audit the database

In addition to the protection built into the Sophos Enterprise Console databases, we recommend setting additional protection at the SQL Server instance level (if not already in place) to audit user activities and changes on your SQL Server.

Note SQL Server auditing cannot be turned off from Sophos Enterprise Console. Setting this protection helps you investigate if a Sophos Enterprise Console user is compromised.

For example, if you are using an Enterprise edition of SQL Server, you can use the SQL Server Audit feature. Versions of SQL Server earlier than SQL Server 2008 support login auditing, trigger-based auditing, and event auditing by using a built-in trace facility.

For more information about features that you can use for auditing activities and changes on your SQL Server system, see the documentation for your version of SQL Server.

  • Security Center for SQL Server Database Engine
  • SQL Server Audit (Database Engine)

Encrypt connections to the database

We strongly recommend that you encrypt connections between any clients and the Sophos Enterprise Console databases.

  • Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager)
  • How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console

Control access to the database backups

Ensure proper, restrictive access control to any database backups or copies. This will ensure that unauthorized users cannot access the files, tamper with them, or accidentally delete them.

Check database connection

When running the Sophos Enterprise Console 5.5.1 or later installer, database connection checks are made (prior to installation or upgrade) to establish whether a connection can be made to the database using TLS 1.2.

To ensure that TLS 1.2 is used when connecting to the database, use the CheckDBConnection.exe tool to provide output on the connection checks and make manual changes.

For more information, see knowledgebase article 127521.