Frequently Asked Questions

ASSET Installation

  1. Do I need to install JRE and MSDE prior to installing ASSET?

ASSET Problems/Errors

  1. I have received an error when trying to create a new assessment that says "Cannot open connection to ASSET database. Exiting now" What is wrong with my system?

  2. I have uninstalled ASSET and then reinstalled it and receive the same error as question #1, what is wrong?

  3. I have received an error that says "...Connection is busy with results for another hstmt" What is wrong?

  4. I have added three assessors to my assessment and when trying to assign a question to an alternate assessor, the third assessor is not visible on screen, it is hidden by the Windows task bar. What is wrong?

  5. I have opened an assessment that someone else has started. Why isn't my name in the "answered by" checkbox on the questions tab?

  6. I have created a new assessment and assigned assessors to this assessment other than myself. When I exit the system and reload the assessment they are not visible in the assessor table, why is this?

  7. Why are the question tab and summary tab blank?

General ASSET Questions

  1. Is there a limit to the number of assessors you can add?

  2. When do you need to assign responsibility of answering a question to another assessor?

  3. Is there a limit to the number of inter-connected systems you can add?

  4. What is the purpose of the progress bar?

  5. What is the purpose of the comments section?

  6. What does the clear function do?

  7. How do I document the person I interviewed to get an answer to a question?

  8. How do I switch between an active assessment and the reporting window?

  9. How do I clear/delete a response that I have already completed?

Security Concerns

  1. I have read about the security vulnerabilities in the JRE and MSDE; can I trust ASSET with these components installed?

  2. Why do I need to add a password to the ASSET database when I install MSDE?

  3. I have run the Microsoft Baseline Security Analyzer and have received vulnerabilities concerning the MSDE, what should I do?

  4. What MSDE vulnerabilities apply to ASSET and how are they mitigated?

  5. Where can I find information concerning patches for MSDE?

  6. What is the purpose of the SQL.log file and can it be deleted to save space?


ASSET Installation

Do I need to install JRE and MSDE prior to installing ASSET?

If you have MSDE 1.0 and JRE 1.4 present on your system prior to installing ASSET the ASSET installer won't install them during the normal ASSET installation. This decreases the amount of time required to install ASSET. The ASSET installer checks to see if these products are present on your system prior to installing them. If you wish to download these products on your own, use the following download instructions:

JRE 1.4:

You can download the JRE 1.4 from the Sun website. ASSET strongly recommends that users employ the JRE 1.4 because of its improved performance over prior versions of the JRE. Unpredictable behavior may result from the use of other versions of the JRE.

NOTE: ASSET will not work with any version of the JRE prior to version 1.2.x

http://java.sun.com/j2se/1.4/download.html

MSDE:

You can no longer download MSDE 1.0 from microsoft.com. Microsoft now supports MSDE 2000, and that version has not been tested with ASSET. It is recommended that users allow the ASSET installer to install MSDE 1.0 during the ASSET installation, and then follow the security instructions in the ASSET user manual to secure that installation of MSDE.


ASSET Problems/Errors

I have received an error when trying to create a new assessment that says "Cannot open connection to ASSET database. Exiting now." What is wrong with my system?

When you attempt to create a new assessment in either ASSET System or ASSET Manager and you receive an error that is similar to the following figure:

This usually means the MSDE database service (MSSQLServer) is not running. To confirm, look at the system tray at the far right of the task bar. An icon that resembles a server with a red square over it means MSDE is stopped; an example of a system tray in that state is shown in the following figure.

To start MSDE, double-click the icon with the red square and press the green play button. Equivalently, start the MSSQLServer service from the Services control panel, or from a command prompt with net start MSSQLServer.

I have uninstalled ASSET and then reinstalled it and receive the same error as question #1, what is wrong?

If you uninstall ASSET with Add/Remove Programs or with the ASSET installer's own uninstall, not every component the ASSET installer put on the system is removed. The physical MSDE database files created for ASSET are left in place, so on reinstall the ASSET installer cannot create the ASSET databases again and you receive the error from question #1. Those leftover files also contain the data you gathered with ASSET System and ASSET Manager, so they are a security risk as long as they remain. The following screen shot shows the contents of the MSDE data folder C:\MSSQL7\Data; the highlighted files are the ones MSDE created while ASSET was in use.

These files survive an uninstall of ASSET (including the JRE and MSDE). You must delete them manually and restart your system before attempting to reinstall ASSET; if you don't, the reinstall fails with the same error message as in the previous question. If MSDE is still installed, stop the MSSQLServer service before deleting the files, since MSDE holds them open while it runs. If the assessment data is still needed, copy the .mdf and .ldf files to a protected location first rather than simply deleting them.

I have received an error that says "...Connection is busy with results for another hstmt" What is wrong?

During your operation of ASSET you may receive an error that includes the message shown in the following figure.

This happens when MSDE has not properly released a previous connection that ASSET System or ASSET Manager made to the database: an ODBC statement handle (hstmt) is still holding a result set. To recover, close ASSET and restart your computer.

I have added three assessors to my assessment and when trying to assign a question to an alternate assessor, the third assessor is not visible on screen, the Windows task bar hides it. What is wrong?

ASSET System uses Java Swing for its user interface. Swing draws its menus and drop-down lists as "lightweight" components inside the application window, so native windows such as the Windows task bar or other applications always appear on top of them. The third name is still in the assessor choice box, just hidden behind the task bar: press the down arrow on your keyboard to select it and it appears in the text box at the top of the list. NOTE: once you add a fourth assessor, the drop-down list should pop up above the text box instead.

I have opened an assessment that someone else has started. Why isn't my name in the "answered by" checkbox on the questions tab?

The name that is selected in the answered by box is always going to be the primary assessor (the person who created the assessment). To select your name scroll throughout the list with your mouse or keyboard to find and select your name.

I have created a new assessment and assigned assessors to this assessment other than myself. When I exit the system and reload the assessment they are not visible in the assessor table, why is this?

When you create a new assessment and assign assessors to it before answering any questions, those assessors are not saved with the assessment unless you also select them in the "Answered By" or "Assign to Alternate" boxes on the question tab. Otherwise, when you save the assessment, exit, and reload it, they will not be visible.

Why are the question tab and summary tab blank?

When you create a new assessment, the question tab and summary tab are blank at first because earlier steps must be completed before those tabs are enabled. Move through the assessment with the Next and Previous buttons at the bottom of each tab; that is the sequence ASSET System was designed around, and it is what populates the remaining tabs.



General ASSET Questions

Is there a limit to the number of assessors you can add?

There is no limit to the number of assessors a user can add; ASSET does not impose a fixed maximum. Note: an assessor should only be listed once. Once you add an inter-connected system, you may not delete it or change its name, because other assessments in the database may reference it.

When do you need to assign responsibility of answering a question to another assessor?

Another assessor needs to be assigned responsibility when the primary assessor is not able to answer a particular question. To assign an alternate assessor to a question just check the assign alternate box and select the assessor’s name from the drop down list.

Is there a limit to the number of inter-connected systems you can add?

There is no limit to the number of inter-connected systems a user can add; ASSET does not impose a fixed maximum. Note: a connected system should only be listed once.

What is the purpose of the progress bar?

The progress bar is located on the fifth tab, Summary, and shows the current assessment’s progress. As questions are answered the bar will show both numerically and visually how much of the assessment has been completed. This information will also be displayed when the cursor is over the Next button.

What is the purpose of the comments section?

The comments section, on the Assessment Questions tab, is where the user can write any remarks or supporting data on why the question was answered the way it was. It may also be used as a place to write comments to another assessor who has been assigned the responsibility to answer the question.

What does the clear function do?

The clear function allows the user to clear all the information that has been entered for a question. It does not clear all of the responses for the entire assessment just the response for the question that you are on.

How do I record a person I interviewed to answer a question?

If you have interviewed someone to answer a question in the checklist you have two options to record this. You may assign this question to that person in the "assign to alternate assessor" list, or you may add a section to the comments field for that particular question that indicates this interview.

How do I switch between an active assessment and the reporting window?

ASSET is modular: while an assessment is active you can switch between it and the reporting window. ASSET System provides a "virtual desktop" on which several assessments can be open at once, much like the Microsoft Windows desktop. The following screen shot shows how to minimize the active assessment to the virtual desktop.

Once you minimize this assessment you can switch between all other windows that are active on the "virtual desktop". If you have opened the reporting window it will be visible on the desktop. Click on the reporting icon to open the reporting window.

How do I clear/delete a response that I have already completed?

If you wish to clear a response to a question that you have already completed you must use the Clear button on the Question tab. Manually clearing the response boxes may result in unpredictable behavior of ASSET. Clearing the response with the clear button will ensure that the progress is calculated properly in the assessment.



Security Concerns

The information in this section is current as of 5/02/2002 but will not remain so. The recommendations here go a long way toward securing your computer once you install NIST ASSET, but, as with all software products, the information security landscape changes constantly, and you must consult the vendor URLs provided on a regular basis to keep the protection described here. For more information on applying patches to your infrastructure, consult NIST Special Publication 800-40, "Procedures for Handling Security Patches", at the following URL:

http://csrc.nist.gov/publications

I have read about the security vulnerabilities in the JRE and MSDE, can I trust ASSET with these components installed?

NIST recognizes and has validated reports of vulnerabilities in MSDE and the JRE. These reports are taken very seriously, and mitigation procedures have been provided (where appropriate) that establish a level of security that is not easily subverted. The documentation NIST provides in the ASSET user manual includes mitigation procedures that are not available from the product vendors themselves.

ASSET assumes a certain level of host-based security on the machines it is installed on, as any installed software does. On Windows NT, 2000, and XP, a user with Administrator privileges is required to install the software.

Why do I need to add a password to the ASSET database when I install MSDE?

The NIST ASSET Database Password utility sets a password on the MSDE 'sa' account, which is blank in a default MSDE installation, so that a malicious user cannot use that account to exploit the known weaknesses of the MSDE subsystem and take control of the machine. For more information consult the user manual provided with NIST ASSET.

I have run the Microsoft Baseline Security Analyzer (MBSA) and have received several vulnerabilities concerning the MSDE, what should I do?

If during the process of using ASSET within your organization you (or a qualified network administrator) run a host based security scanner such as the MBSA you will receive vulnerability listings about the MSDE. The following figure shows an example of the vulnerabilities that the MBSA discovered while scanning a system that had ASSET installed on it.

Explanation of the MBSA:

The MBSA is a freely available software program from Microsoft. The following paragraph is taken directly from Microsoft's Technet and describes the MBSA tool.

"As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). Version 1.0 of MBSA includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows 2000 and Windows XP systems and will scan for missing hotfixes and vulnerabilities in the following products: Windows NT 4.0, Windows 2000, Windows XP, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002. MBSA creates and stores individual XML security reports for each computer scanned and will display the reports in the graphical user interface in HTML."

The MBSA can be downloaded from the following URL:

http://download.microsoft.com/download/win2000platform/Install/1.0/NT5XP/EN-US/mbsasetup.msi

The following white paper from Microsoft provides more information about the MBSA:

http://www.microsoft.com/technet/security/tools/tools/mbsawp.asp

What MSDE vulnerabilities apply to ASSET and how are they mitigated?

If you run the MBSA, or a similar host-based vulnerability scanner, on a machine with ASSET installed, several MSDE vulnerabilities will be reported, and there are others that many scanners do not detect. NIST takes these vulnerabilities very seriously and has included steps in the ASSET User Manual and the ASSET installation package to mitigate or prevent them. Such steps are unusual in an installation package because of their complexity and the degree of automation and security they provide. Some of the text below is taken directly from MBSA reports, courtesy of Microsoft. The following vulnerabilities are mitigated by ASSET:

Vulnerabilities Mitigated by ASSET

1. Exposed 'sa' password

If you use SQL Server Authentication (also known as Standard Security) to install SQL Server 7.0 (MSDE) service packs, the system administrator (sa) password is saved in plaintext in the Setup.iss file in the Windows directory and in the Sqlstp.log file in the Temp directory. After installing any service pack, check both files for the password and either delete them or remove the password from them.

2. No SQL user accounts have blank passwords (the MBSA check name; the finding on an unsecured MSDE is that the 'sa' account has a blank password)

Like Windows, MSDE uses accounts for accountability and role-based access control over database operations. By default the 'sa' account has no password. On its own this is not high risk, but combined with the other vulnerabilities below it creates a high-risk situation on any unsecured MSDE installation.

ASSET includes the Database Password utility, which resets the password of the 'sa' account to an arbitrary value. Users are not forced to recall this password and the vulnerability is mitigated. This approach assumes that users have taken steps to implement some type of host based security mechanism on their machine.
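As an added example (not code from the ASSET manual or installer), the following T-SQL script shows how to audit MSDE 1.0 (the SQL Server 7.0 engine) for SQL logins with no password and how to set the 'sa' password yourself, which is what the ASSET Database Password utility automates. It assumes osql.exe is available (it ships with the SQL Server 7.0/MSDE client components), that you run it as a sysadmin, for example osql -E -i harden_sa.sql, and that the new password shown is a placeholder you replace before running.

```sql
-- Added example (not from the ASSET manual): audit MSDE 1.0 / SQL Server 7.0
-- for SQL logins without a password, then give 'sa' a real one.
-- Run with:  osql -E -i harden_sa.sql   (Windows authentication as a sysadmin)
-- Note that  osql -U sa -P ""  would also work on an unsecured MSDE, which is
-- exactly the condition this script closes.
USE master
GO

-- 1. SQL Server logins (isntname = 0, i.e. not Windows accounts) that have
--    no password. In SQL Server 7.0 / MSDE 1.0 an empty password is stored
--    as NULL in syslogins.password; this check relies on that behaviour.
--    The sysadmin column shows which of them also hold the sysadmin role.
SELECT name, sysadmin
FROM   master..syslogins
WHERE  isntname = 0
  AND  password IS NULL
GO

-- 2. Set the 'sa' password. The first argument is the old password (NULL
--    because it is currently blank). The new value is a placeholder.
EXEC sp_password NULL, 'Replace-With-A-Long-Random-Value', 'sa'
GO

-- 3. Re-run the audit. 'sa' must no longer be listed.
SELECT name
FROM   master..syslogins
WHERE  isntname = 0
  AND  password IS NULL
GO
```

Because a service pack setup run with SQL Server authentication writes the sa password into Setup.iss and Sqlstp.log (item 1 above), a password set this way should be treated as exposed again after any such install until those files have been cleaned.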

3. Unauthenticated network access - execute arbitrary commands

In a default installation, MSDE listens on TCP port 1433 for incoming network connections. Combined with #2 and others, this lets a remote user connect as 'sa' and run the extended stored procedure xp_cmdshell, which passes a command to the Windows command interpreter and runs it with the privileges of the MSSQLServer service account (often LocalSystem). Any command that can be typed at a command window can therefore be executed by any user who can reach the machine through ODBC.

The ASSET user manual includes a custom procedure that closes this network port until it is manually added again. Afterwards, netstat -an on the machine should no longer show a listener on TCP port 1433. Consult your network administrator to make sure the machine you are securing has no other business need for network access to MSDE.
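To verify the exposure described above and add a second layer of protection, here is an added example in T-SQL (not from the ASSET manual). It assumes a sysadmin connection through osql and that running the harmless command ver on the host is acceptable. Dropping xp_cmdshell is not one of ASSET's own steps, and any sysadmin can re-register it with sp_addextendedproc, so the sa password and the closed port remain the primary controls.

```sql
-- Added example (not from the ASSET manual): confirm whether xp_cmdshell is
-- reachable on this MSDE instance and then remove it.
-- Run with:  osql -E -i check_cmdshell.sql
USE master
GO

-- 1. Is the extended procedure registered (xtype 'X'), and who may execute it?
--    By default only members of sysadmin can run it, which is why a blank
--    'sa' password turns an open port 1433 into remote command execution.
SELECT name
FROM   master..sysobjects
WHERE  name = 'xp_cmdshell' AND xtype = 'X'
GO
EXEC sp_helprotect 'xp_cmdshell'
GO

-- 2. What an attacker holding 'sa' gets: the command runs under the
--    MSSQLServer service account. 'ver' just prints the Windows version.
EXEC master..xp_cmdshell 'ver'
GO

-- 3. Unregister the procedure (the hosting DLL, xplog70.dll, stays on disk).
--    This is defence in depth only: a sysadmin can register it again.
EXEC sp_dropextendedproc 'xp_cmdshell'
GO

-- 4. Confirm it is gone; the query should return no rows.
SELECT name
FROM   master..sysobjects
WHERE  name = 'xp_cmdshell' AND xtype = 'X'
GO
```

If the second step fails with a permissions error, the login you used is not a sysadmin, which is the intended state for every login except the one the administrator actually controls.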

The following vulnerabilities are not mitigated directly by ASSET and require the installation of a service pack or hotfix. The original table also has an "Applies?" column noting whether each one applies specifically to ASSET; those markings are not reproduced in this text version.

Vulnerabilities NOT Mitigated Directly by ASSET

1. Restricting CmdExec Rights to Sysadmin

This MBSA check determines whether CmdExec job steps are restricted to members of the sysadmin role. SQL Server Agent is a service on Windows XP, Windows 2000, and Windows NT that executes jobs, monitors SQL Server, and sends alerts. With SQL Server Agent you can automate administrative tasks by using scripted job steps. A job is a series of operations performed sequentially by SQL Server Agent; it can run Transact-SQL scripts, command-line applications (CmdExec steps), and Microsoft ActiveX scripts. Jobs can be created to run tasks that are repeated or scheduled, and they can notify users of job status by generating alerts.

Note: You must start the SQL Server Agent service before your local or multiserver administrative tasks can run automatically. SQL Server Agent is also supported on the Microsoft Windows 98 operating system, but SQL Server Agent cannot be used with Windows Authentication when you run it on Windows 98.

2. SQL Server Hotfixes

Service packs are well-tested collections of updates that address a variety of customer-reported concerns with a Microsoft product. They fix issues found since the product's general availability. Service packs are cumulative: each new service pack contains all the fixes in previous service packs plus any new fixes. They are designed to ensure platform compatibility with newly released software and drivers, and contain updates that fix issues discovered by customers or through internal testing.

A hotfix, on the other hand, is an interim update that usually addresses a specific bug or security vulnerability. All hotfixes offered during a service pack's lifetime are rolled up into the subsequent service pack. Each security hotfix identified by this tool has an associated Microsoft security bulletin that contains more information about the fix. The results of this check identify which hotfixes are missing, and provides a link to the Microsoft web site to view the details of each security bulletin.

This tool checks to ensure that you have the latest service packs and security hotfixes for the following products and components:

Windows NT 4.0, Windows 2000, Windows XP
IIS 4.0, IIS 5.0
SQL 7, 2000
Internet Explorer 5.01+
This check is done by using information obtained from Microsoft.com. This tool downloads this information from Microsoft.com each time it is run. If it is not able to contact Microsoft.com, it will use a version of the database cached on the local machine.

NOTE: The hotfix checker in V1 will report all available hotfixes from Microsoft, but may not be able to confirm the presence of all SQL-related hotfixes. This is due to a limitation in scanning each instance of SQL Server and will be addressed in future MBSA versions.

3. Service Accounts on SQL Server

This check determines whether the SQL service accounts are members of the local or Domain Administrators group on the scanned computer, or whether any SQL service accounts are running under the LocalSystem context.

The MSSQLServer and SQLServerAgent service accounts are checked on the scanned computer.

Note: If you receive the "No permissions to access database" error message, you might not have permissions to the MASTER database.

4. SQL Server Authentication Mode

Microsoft SQL Server provides two modes for securing access to the server: Windows Authentication Mode and Mixed Mode.

In Windows Authentication Mode, Microsoft SQL Server relies solely on the Windows authentication of the user. Windows users or groups are then granted access to the SQL Server. In Mixed Mode, users may be authenticated by Windows or by SQL Server. Users that are authenticated by SQL Server have their user name and password pairs maintained within the SQL Server.

Windows Authentication Mode:

This security mode allows SQL Server to rely on Windows to authenticate users in the same way as other applications. Connections made to the server using this mode are called trusted connections.

When you use Windows Authentication Mode, the database administrator allows users to access the computer running SQL Server by granting them the right to log on to SQL Server. Windows security identifiers (SIDs) are used to track Windows authenticated users. As Windows SIDs are used, the database administrator can grant access directly to Windows users or groups.

Mixed Mode:

In SQL Server, Mixed Mode relies on Windows to authenticate users when the client and server are capable of using NTLM, or Kerberos logon authentication protocols. If either party is incapable of using a standard Windows logon, SQL Server requires a user name and password pair, and compares this pair against those stored in its system tables. Connections that rely on user name and password pairs are called non-trusted.

Mixed Mode is supplied for two reasons: 1) backward compatibility with older versions of SQL Server; and 2) compatibility when SQL Server is installed on Windows 95 and Windows 98. (Trusted connections are not supported when a Windows 95 or Windows 98 computer is acting as the server.) Windows Authentication Mode is the stronger setting, because SQL Server logins, 'sa' included, cannot be used to connect at all; check the ASSET user manual before changing the mode, since ASSET itself connects to MSDE through ODBC and may depend on a SQL Server login.

 
5. BUILTIN\Administrators in Sysadmin Role

This check determines whether the built-in Administrators group is listed as a member of the Sysadmin role on SQL Server.

Note: If you get the "No permissions to access database" error message, you might not have permissions to the MASTER database.

A SQL Server role is a security account that is a collection of other security accounts. It can be treated as a single unit when you are managing permissions. A role can contain SQL Server logon permissions, other roles, and Windows user accounts or groups.

Fixed server roles have a server-wide scope. They exist outside of the databases. Each member of a fixed server role is able to add other logins to that same role. All members of the Windows BUILTIN\Administrators group (the local Administrators group) are members of the sysadmin role by default, which gives them full access to all of your databases. Removing the group from the role means a local administrator account can no longer reach the databases over a trusted connection; a local administrator can still stop the service and read the database files directly, so this control complements host security rather than replacing it.
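The MBSA checks for items 2 through 5 above can also be run from inside MSDE. The following T-SQL is an added example (not MBSA's or ASSET's own code). It assumes a sysadmin connection through osql, that xp_regread is available in master (it is on SQL Server 7.0/MSDE 1.0), and that a usable sysadmin login other than BUILTIN\Administrators exists before the final statement runs, otherwise you lock yourself out of the instance.

```sql
-- Added example (not from MBSA or the ASSET manual): reproduce the MBSA
-- findings for MSDE items 2-5 from inside the engine, then remove
-- BUILTIN\Administrators from sysadmin.
-- Run with:  osql -E -i audit_msde.sql
USE master
GO

-- Item 2 (hotfixes): @@VERSION carries the build number. Compare it with the
-- build listed in the current SQL Server 7.0 service pack / hotfix bulletin.
SELECT @@VERSION AS version_string
GO

-- Item 3 (service accounts): the account MSSQLServer runs as, read from the
-- service's registry key. 'LocalSystem' is the finding MBSA flags.
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE',
                        'SYSTEM\CurrentControlSet\Services\MSSQLServer',
                        'ObjectName'
GO

-- Item 4 (authentication mode): returns 'Mixed' or 'Windows NT Integrated'.
EXEC master..xp_loginconfig 'login mode'
GO

-- Item 5 (BUILTIN\Administrators): list every holder of the sysadmin role.
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- Remove the local Administrators group from sysadmin. Only do this after
-- confirming above that another sysadmin login you control is present.
EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin'
GO

-- Confirm the change took effect.
EXEC sp_helpsrvrolemember 'sysadmin'
GO
```

Keep the first two result sets with the assessment's records: the build number and service account are what you will compare against the next time a bulletin or MBSA run reports a new MSDE hotfix.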

 

Where can I find information concerning patches for MSDE?

Microsoft provides a website to inform customers of security related incidents for their product line including the MSDE. The URL of the website is:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp

From the website you can download security patches for Microsoft products. For more information on applying patches to your infrastructure consult the NIST Special Publication 800-40 "Procedures for Handling Security Patches" at the following URL:

http://csrc.nist.gov/publications/drafts/draft800-40.pdf

What is the purpose of the SQL.log file and can it be deleted to save space?

C:\SQL.log is the default output file of ODBC tracing, which is turned on from the Tracing tab of the ODBC Data Source Administrator. When tracing is enabled, every ODBC call that ASSET System and ASSET Manager make to MSDE is written there, which is why extended use of ASSET makes the file grow large. As with any log it has value for accountability, but a trace can also record connection strings, and if you install service packs or hotfixes it may capture the authentication information the installer uses, so treat it as sensitive. The file is recreated automatically (the next time MSDE and tracing are active), so it is safe to remove; rather than deleting it outright, back it up to a protected location and then remove it. If you have no need for the trace, turn tracing off in the ODBC Data Source Administrator so the file stops growing. The following screen shot shows the sql.log file on the C:\ drive.


