Database Requirement and Configuration

The Tenable Patch Server requires its own SQL Server database (Adaptiva database).

SQL Server Requirements

Review the requirements in the following table when deciding which SQL Server Edition to use with the Tenable Patch Server.

Component Requirement
SQL Server Version

SQL Server 2022

SQL Server 2019 (Minimum Recommended)

SQL Server 2017
Database Compatibility Level Minimum level is SQL Server 2017 (140). SQL Server 2019 (150) or newer is recommended. For more information on upgrading to a supported SQL Server edition, see Supported version and edition upgrades (SQL Server 2017) (Microsoft).
Database Sizing Minimum database size is 5 GB. Storage allocation per managed device is approximately 2.5 MB. Use the following equation to determine your database size requirements: 5 GB + (2.5 MB x licensed clients) = x GB Note: SQL Server Express Edition will support up to approximately 2000 devices.
Memory 64 GB minimum
Disk Infrastructure SSD or NVMe drives for the database files (recommended), including tempdb and transaction log files.

Database Considerations

You can host the Tenable Patch database on an existing SQL Server instance or on SQL Server Express Edition, the free version of SQL Server. If hosting the database alongside other solutions (Microsoft Configuration Manager), ensure compliance with the licensing requirements for Microsoft. If choosing to use SQL Server Express, you can either install it manually or allow the Tenable Patch Server setup to install and configure it automatically. SQL Server Express Edition supports environments with up to 2,000 devices.

Tenable Patch database SQL Server

  • Local server: Microsoft SQL Server is installed on the same server as the Tenable Patch Server service.

  • Remote server: This is a different server running a Microsoft SQL Server instance. The SQL Server instance may use clustering.

Choosing the SQL Server Edition

The Tenable Patch Server installation wizard requires specific input depending on the SQL Server Edition you choose to use. You may choose to install one of the following SQL Server Editions:

  • SQL Server Express

  • SQL Server Standard

  • SQL Server Enterprise

Use the information in this section to help determine which SQL Server Edition works best in your environment to host the Tenable Patch database. For a full list of the differences between Editions, see Compare SQL Server versions (Microsoft).

SQL Server Express Edition Details

If using SQL Server Express, Tenable Patch Server Setup automatically downloads, installs, and configures it, or you can manually download, install, and then configure it.

Downloading and installing the free SQL Server Express Edition from Microsoft requires an Internet connection. If using this version, you must enable Microsoft .NET Framework 4.0. For details on how to download .NET Framework 4.0, see Microsoft .NET Framework 4 Full Language Pack (x86 x64).

SQL Server Express Edition has the following limitations:

  • No Built-In Scheduled Backups (workaround available)

  • SSRS is only available with SQL Express with Advanced Services

  • Maximum Allowed Memory Capacity is 1410 MB

  • Maximum Database Size is 10 GB

  • Maximum Number of Cores is 1 socket, up to 8 cores

  • No High Availability

The following settings will be installed when the Tenable Patch Server Setup completes the installation:

  • Installs SQL Server 2022 Express Edition.

  • Creates a Named Instance called AdaptivaSQL

SQL Server 2022 Express Edition (SQLEXPR_x64_ENU.exe) can be pre-downloaded. Copy the downloaded SQLEXPR_x64_ENU.exe to the following path:

c:\users\<accountname>\AppData\Local\Temp

You may also specify your own path.

SQL Server Standard Edition Details

  • Install on the Tenable Patch Server or in a remote location.

  • Standard SQL licensing requirements apply. Consult with a Microsoft licensing specialist to ensure you have purchased the proper licenses.

  • Required with more than 2000 licensed devices.

  • Supports high-availability configuration (single database).

SQL Server Enterprise Edition Details

  • The Enterprise edition includes the SQL Server Standard Edition statements.

  • Supports high-availability configuration (multiple databases).

Account Permissions

Installation Account

The account performing the installation on the Tenable Patch Server must be granted the sysadmin role on the SQL Server. These permissions can be reduced after installation. Refer to the Tenable Patch OneSite Platform Installation User Guide for more information.

Database Access Account

The Tenable Patch Server installation defaults to using the Local System account. You can change this to a local account or, preferably, a domain account.

Tenable Patch Reporting Account

The Tenable Patch Server uses a read-only SQL login to display product dashboards. All data providers for the Tenable Patch Server query the Tenable Patch database using this read-only SQL login. During installation, the setup wizard grants this login the db_datareader permission on the Adaptiva database. Consider the following installation options when configuring SQL access:

Quick installation (recommended)

This option downloads, installs and configures SQL Express Edition on the Tenable Patch Server. It creates and configures a SQL account to be used by the data providers.

Note: This is the recommended option for OneSite Patch installations.

Advanced installation

SQL Server is not installed

  • This option will download, install and configure SQL Express Edition. The Tenable Patch Reporting Account page will need to use Windows Authentication, so you must provide a domain or computer service account.

SQL Server is already installed on the same server

  • This option allows you to choose either a SQL account or a Windows Authenticated account. To allow the installation to create an account, leave the account information blank after deselecting Windows Authentication.

  • If Windows Authentication is checked, you must provide a domain or computer service account.

SQL Server is already installed on a remote server

  • This option requires you to use Windows Authentication. You must provide a domain service account or a local service account on the remote SQL server.

All service accounts should have a non-expiring password.

Note: When Windows Authentication is used with a domain account, enter the NETBIOS Domain name, not the Fully Qualified Domain name.

Record the Server and SQL Server Edition Details

Record the server details and the chosen SQL Server Edition. The Tenable Patch Server installation may require configuration details, such as the following:

  • If using SQL Express, using the following download and installation paths:

    • For the download folder location, use the following path: c:\users\<accountname>\AppData\Local\Temp

    • For the SQL Server installation location, use the following path: C:\Program Files\Microsoft SQL Server.

      Note: Tenable recommends that you do not install SQL Server on the C: drive.

  • Database Server FQDN (if using Remote Server)

  • Instance Name: Default or AdaptivaSQL for SQL Server Express Edition

  • SQL Server Port: Defaults to 1433

  • Database name: Tenable Patch

  • Encryption status of the SQL database

  • Account when not using the Local System username and password. Domain names must be entered as a NetBIOS name, not an FQDN.

  • For SQL Authentication Protocol, use NTLM V2 unless integrating with ConfigMgr, Tenable Patch databases, and ConfigMgr databases are on different servers (add additional security as necessary), and then add Kerberos.

  • For the Reporting Account domain name, use the username and password if using Windows Authentication. Do not use FQDN for the domain name.

Reducing SQL permissions

To remove SQL sysadmin access from the installation or optional service account:

  1. Stop the AdaptivaServer service

  2. In SQL Management Studio, open a New Query window for the Adaptiva database and Execute the following:

    • CREATE ROLE db_executer

    • GRANT EXECUTE TO db_executer

  3. Expand Security, Logins folder, right-click the Installation account / service account and select Properties.

  4. Select the Server Roles page and uncheck the server role sysadmin.

  5. In the Users mapped to this login section, select the adaptiva database, and under the database role membership, select the following roles:

    • db_datareader

    • db_datawriter

    • db_ddladmin

    • db_executer

  6. Click OK when complete

  7. This can also be done to the Tenable Patch Server’s System account or NT AUTHORITY\SYSTEM, but it is recommended to leave at least db_owner permissions.

  8. Start the AdaptivaServer service.

Note: Before running any upgrade the installation account and the Tenable Patch Server’s System account must be granted sysadmin permission in SQL.

SQL Express pre-installed

If SQL Express has been installed beforehand, make sure the following configuration changes have been made.

Configuration Steps to Implement
TCP/IP connections must be enabled

  1. Open SQL Server Configuration Manager.

  2. Expand SQL Server Network Configuration (not 32-bit), and select Protocols for MSSQLSERVER or the Instance name used.

  3. Enable TCP/IP, if not already.

  4. Shared Memory should also be enabled, while Named Pipes can stay Disabled.
Enable SQL Server Browser

  1. Select SQL Server Services.

  2. Right-click SQL Server Browser and select Properties.

  3. Confirm the Log on as setting is for Local Service.

  4. Click Start.
Grant Local System account Sysadmin role. Permissions can be reduced after installation.

  1. Install SQL Server Management Studio.

  2. If the account does not exist under Security, Logins run the following T-SQL command:

    • CREATE LOGIN [NT AUTHORITY\SYSTEM] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english];GO

    • ALTER SERVER ROLE [sysadmin] ADD MEMBER [NT AUTHORITY\SYSTEM];GO