Channel: SQL Server Security forum

Common Criteria Compliance EAL 4+ compliant scripts


Browsing through several articles I'm unable to find the EAL4+ compliant scripts that need to be enabled in addition to the Common Criteria Compliance option. Most of these resources are linking to http://go.microsoft.com/fwlink/?LinkId=616319 but is resulting into the general SQL Server website. Sample resource: https://msdn.microsoft.com/en-us/library/bb326650.aspx#Examples

Does anyone have the appropriate link/website to the most recent version of these scripts? Or am I missing out something and is this available on a Github/Installation resource?


Change SQL Server Service Accounts Passwords



Hi

We have taken handover of a SQL Server 2014 instance recently. The SQL Server software was installed using the Windows account 'Nidadmin'. In SQL Server Configuration Manager the following services are running under the 'Nidadmin' Windows account (you can also see the green marked field in the picture below):

- SQL Server analysis service,

- SQL Server database engine service

- SQL Server Reporting Service

- SQL Server Agent

Now we want to change the password of the 'Nidadmin' Windows account.

1) If we change the password of the Windows account 'Nidadmin', do we need to update the password in the services from SQL Server Configuration Manager?

2) Is there any impact on the SQL Server services if we change the password?

3) Do we need to change anything else anywhere for this?

4) Do we need to restart the SQL Server instance?

5) Is the password change/update the same for all types of service (database engine, reporting service, analysis service, SQL Server Agent)?

In a nutshell, we need to change the password of the 'Nidadmin' Windows account so that after handover the other team cannot log in to the database host. Please let us know your feedback on the above queries.

properly remove access?


Hi experts,

I want to completely remove access for an individual. I deleted the login from the instance's logins, and I get...

I get the message... The login does not have any ownership, so I don't know why SQL Server doesn't recognize that it doesn't own anything and delete it from the database as well...

Anyway, I have to completely delete 10 logins from the instance; the instance has over 500 databases, I can't go one by one and delete also the users... how should I proceed?
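An added example (not the poster's own code) of a T-SQL script that walks every online user database and drops the database user left behind for each removed login, handing any schemas that user still owns to dbo first so the DROP USER does not fail. It assumes the database users carry the same names as the logins; the names in @targets are constructed placeholders for the ten logins in question.

```sql
SET NOCOUNT ON;

-- Constructed placeholder names for the logins being removed.
DECLARE @targets TABLE (id int IDENTITY(1,1), name sysname);
INSERT INTO @targets (name) VALUES (N'OldLogin1'), (N'OldLogin2');

DECLARE @db sysname, @user sysname, @i int, @n int, @sql nvarchar(max);
SELECT @n = COUNT(*) FROM @targets;

-- Every online, writable user database (database_id > 4 skips the system databases).
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE' AND is_read_only = 0 AND database_id > 4;

OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @i = 1;
    WHILE @i <= @n
    BEGIN
        SELECT @user = name FROM @targets WHERE id = @i;
        -- The inner batch runs in the target database. A user that still owns a
        -- schema cannot be dropped, so its schemas are handed to dbo first.
        SET @sql = N'USE ' + QUOTENAME(@db) + N';
IF EXISTS (SELECT 1 FROM sys.database_principals
           WHERE name = @u AND type IN (''S'', ''U'', ''G''))
BEGIN
    DECLARE @fix nvarchar(max) = N'''';
    SELECT @fix += N''ALTER AUTHORIZATION ON SCHEMA::'' + QUOTENAME(s.name) + N'' TO dbo;''
    FROM sys.schemas AS s
    JOIN sys.database_principals AS p ON p.principal_id = s.principal_id
    WHERE p.name = @u;
    EXEC sp_executesql @fix;
    EXEC (N''DROP USER '' + QUOTENAME(@u) + N'';'');
    PRINT N''Dropped user '' + @u + N'' from '' + DB_NAME();
END';
        EXEC sp_executesql @sql, N'@u sysname', @u = @user;
        SET @i += 1;
    END;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;
```

A login that owns a database shows up as dbo rather than under its own name, which this script does not touch; that case is handled with ALTER AUTHORIZATION ON DATABASE before the login is dropped.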

CREATE CERTIFICATE from CA signed certificate


I have a requirement to use a CA signed certificate to encrypt the symmetric keys used for TDE.  I first followed the instructions found on an MSDN blog that I am unable to link at the moment.

This has me generate a private key and use it to create a certificate request.  I have tried many different Certificate Templates to issue a certificate with an exportable private key, but none work with the request generated by openssl.  I have tried to combine the issued cert (converted to PEM) with the originally generated private key.  This creates a pfx file that I can use with PVKConverter to generate a .cer/.pvk pair (as I understand it, SQL requires a DER format certificate and a PVK format private key).  However, when I attempt a CREATE CERTIFICATE FROM FILE in SQL I get "The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it."

I have created a custom certificate request using the certificates snapin and successfully issued a certificate with an exportable private key in pfx format.  Using PVKConverter to split the pfx into a .cer .pvk pair, SQL throws "The certificate, asymmetric key, or private key data is invalid"

Permissions should not be an issue as I have granted permissions on the certificate files to the sql service account and my own account. I have also granted full permissions to the private key within the pfx certificates to the same accounts.  These were simple troubleshooting measures to see if permissions were the problem.

SQL used to create certificate:

CREATE CERTIFICATE Server_Cert
FROM FILE = 'E:\Certificate\certname_db.cer'
WITH PRIVATE KEY (FILE='E:\Certificate\certname_db.pvk', DECRYPTION BY PASSWORD = 'decryption password');

SQL Server 2012
Windows Server 2012R2

Needless to say I am not a SQL expert, nor am I an expert with certificate authorities or openssl.  I have not been able to find any documentation other than the link above that concerns this issue. I would like to know how to CREATE CERTIFICATE FROM FILE using a CA signed certificate.  Any help would be greatly appreciated.

Add a computer account as a sql server login

Hi All,

I have a very strange request from my application team: they want to add the server name as a login in SQL Server.

Can anybody help with the way to do it.....

I am able to add the computer name as a member of the local administrators and not able to do the same for the sql server logins....

Regards
Nimesh

cross db access using signed proc(s)


my setup is straightforward...db 'A' needs access to db 'B'...that is, read some data outta 'B' via 'A'.  I don't wanna enable trustworthy or create a common user in both db's...

db 'A' is the initiator...therefore I've created a cert there and all calling proc(s) from there are signed against said cert...cert is backed up and installed on 'B'...a user is created for the cert in 'B' and granted the approp perms...good..

All the proc(s) in 'A' are created w/'execute as owner' syntax...

using a 'test' user In 'A'...invoke the proc(s) in 'A' that read from 'B'...it all works.  Data access in 'B' is happening...

I decide to change/remove the 'execute as owner' from the proc(s)...re-install and re-enable the cert binding after the drop/create of proc(s)...no problem...I run a quick query to verify that the proc(s) are signed...good result..

but when I re-run using my 'test' user...it complains that user 'test' doesn't exist in db 'B'!!???

but when I return the 'execute as owner' to all proc(s), re-bind the proc sigs...it works...

I seem to be missing something fundamental!?  I thought the 'authenticator' would be my cert...regardless of the 'execute as ...' clause...at least that is what the docs have led me to believe.

docs state the cert is 'unioned' in the user_token...but I don't see it.  I'm think'n my 'add signature...' is the fault!?

can anyone lend some insight? this is straightforward stuff...but i'm baffled!!!

thanks in advance.  Everything is owned by 'dbo'...

-mt


mike t.

Error with SQL Cluster and Trust between Forests.


Hi,

We are facing an issue with Kerberos Authentication failure.
We did set the SPN's for both Servers and Service Accounts.
This is a SQL Cluster and cross forest one way Trust between the domains.
There is also a Package running from SQL Server Integration Services which fails to authenticate.
The users execute the operation (connecting to SQL Server Management Studio, for example) from domain "Domain1" and the SQL is in the "Domain2" domain.

If the SPN's are not configured there is an Anonymous error; when the SPN's are configured there is a Kerberos error.
Attached are the configured SPN's, the Event Viewer error and the SQL Management connection error.

thanks a lot.


SetSPN -s "MSSQLSvc/ sql01.domain2 " " domain1\SQL-SVC"
SetSPN -s "MSSQLSvc/ sql01.domain2:1433" " domain1\SQL-SVC"

SetSPN -s "MSSQLSvc/ sql02.domain2 " " domain1\SQL-SVC"
SetSPN -s "MSSQLSvc/ sql02.domain2:1433" " domain1\SQL-SVC"

SetSPN -s "MSSQLSvc/ sqlCluster.domain2 " " domain1\SQL-SVC"
SetSPN -s "MSSQLSvc/ sqlCluster.domain2:1433" " domain1\SQL-SVC"


SetSPN -s "MSSQLSvc/sql01.domain2" "domain1\SQL-AGENT"
SetSPN -s "MSSQLSvc/sql01.domain2:1433" "domain1\SQL-AGENT"

SetSPN -s "MSSQLSvc/sql02.domain2" "domain1\SQL-AGENT"
SetSPN -s "MSSQLSvc/sql02.domain2:1433" "domain1\SQL-AGENT"

SetSPN -s "MSSQLSvc/sqlCluster.domain2" "domain1\SQL-AGENT"
SetSPN -s "MSSQLSvc/sqlCluster.domain2:1433" "domain1\SQL-AGENT"

Truncate Table permission


I have a stored procedure which is executed by a group, let's say 'Testgroup'.

In this procedure I have embedded one "truncate table" statement. I don't want to give any ALTER or TRUNCATE permission to 'Testgroup'; how can I achieve this?

I altered the proc with an

EXECUTE AS OWNER statement. It worked, but later in this proc a cross-database transaction is executed, so I get an error like:

The server principal 'sa' is not able to access the database 'XYZ' under the current security context


SQL Server DBA
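An added example, not code from either of the two posts above (the cross-db signed-proc post and this truncate post), showing the module-signing pattern that SQL Server documents for extending EXECUTE AS impersonation across databases: the procedure keeps EXECUTE AS OWNER, which covers TRUNCATE TABLE locally so 'Testgroup' is never granted ALTER, it is signed with a certificate, and the public half of that certificate is installed in database B where a user created from it is granted AUTHENTICATE instead of enabling TRUSTWORTHY. It assumes, as in the signed-proc post, that both databases are owned by the same login; the database names A and B, dbo.StagingTable, B.dbo.SourceTable, the procedure, certificate and user names, the file path and the passwords are all placeholders.

```sql
USE A;
GO
-- 1. Certificate in the calling database; its private key signs the procedure.
CREATE CERTIFICATE CrossDbSigningCert
    ENCRYPTION BY PASSWORD = 'Cert-Private-Key-P@ssw0rd'      -- placeholder
    WITH SUBJECT = 'Signs dbo.ReloadStaging for access to B';
GO
-- 2. EXECUTE AS OWNER supplies the local ALTER that TRUNCATE TABLE needs, so the
--    calling group is never granted ALTER or TRUNCATE on the table itself.
CREATE PROCEDURE dbo.ReloadStaging
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    TRUNCATE TABLE dbo.StagingTable;
    INSERT INTO dbo.StagingTable (id, payload)
    SELECT id, payload FROM B.dbo.SourceTable;     -- the cross-database step
END;
GO
-- 3. Sign it. The signature is lost whenever the procedure is altered or
--    re-created, so this step is repeated after every change to the procedure.
ADD SIGNATURE TO dbo.ReloadStaging
    BY CERTIFICATE CrossDbSigningCert WITH PASSWORD = 'Cert-Private-Key-P@ssw0rd';
GO
-- 4. Export only the public key (no WITH PRIVATE KEY) and install it in B.
BACKUP CERTIFICATE CrossDbSigningCert TO FILE = 'C:\temp\CrossDbSigningCert.cer';  -- placeholder path
GO
USE B;
GO
CREATE CERTIFICATE CrossDbSigningCert FROM FILE = 'C:\temp\CrossDbSigningCert.cer';
CREATE USER CrossDbSigningUser FROM CERTIFICATE CrossDbSigningCert;
-- AUTHENTICATE is what lets the impersonated (EXECUTE AS OWNER) context from A
-- enter B without TRUSTWORTHY; SELECT is the data permission the read needs in
-- case the owner login does not map to dbo in B.
GRANT AUTHENTICATE TO CrossDbSigningUser;
GRANT SELECT ON dbo.SourceTable TO CrossDbSigningUser;
GO
-- 5. The calling group needs only EXECUTE on the procedure.
USE A;
GO
GRANT EXECUTE ON dbo.ReloadStaging TO Testgroup;
GO
```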


AD user removed


I have a weird situation with a failed login.

The login name was associated with an AD group which has access to the databases. A few days back this login was removed from the AD group, and then we were alerted with the error below.

Error: 18456, Severity: 14, State: 11. Login failed for user 'WG\Loginname'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 192.168.1.100]

I need to get clarification on the items below.

1. Does deleting the user from the AD group remove the login from the SQL instance?

2. At the DB level the user was shown with the login name (AD group name) but is missing in DB engine-Security-Logins?

3. Is this an orphaned user?

4. How do I know which AD group the user belongs to?

5. Do Windows-level permissions matter for this login to access the instance?

I would appreciate it if anyone could help me clarify the above items.


SANTHOSH KUMAR


SELECT IS_SRVROLEMEMBER ('sysadmin', 'user'); returns NULL even though user are sysadmin


Hello,

We are running SQL server 2012 SP1.

We have a windows user that has the sysadmin box checked on her login in the SQL.

But when we run SELECT IS_SRVROLEMEMBER ('sysadmin', 'user'); it returns NULL?

Do you have any idea where I should look or what I should do?

Is there a query that I can run to verify the encryption algorithm=AES256?


I have been requested to find out in a database what columns are encrypted.  I ran the following query to determine that:

         SELECT stab.name Table_Name, sc.name Column_Name FROM sys.columns sc
         INNER JOIN sys.types st ON sc.system_type_id=st.system_type_id
         INNER JOIN sys.tables stab ON stab.object_id=sc.object_id
         WHERE st.name='varbinary'
         AND stab.is_ms_shipped=0

Now I am being asked "Can you confirm encryption algorithm=AES256?"

Is there a query that I can run to answer that?  How can one verify the encryption algorithm?


lcerni
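An added example (not the poster's own query) of how the algorithm can be checked from the catalog rather than from the column type: the keys and their algorithm_desc, the TDE database encryption key if that is what the question is about, and a join that ties one encrypted column to the key that produced it, relying on the key GUID that ENCRYPTBYKEY stores in the first 16 bytes of its output. dbo.Customers and CardNumberEnc are placeholders for a table/column returned by the poster's query.

```sql
-- Part 1: every symmetric key in the current database and its algorithm.
-- algorithm_desc reads AES_256 for the algorithm the requester is asking about.
SELECT name, algorithm_desc, key_length, key_guid
FROM sys.symmetric_keys
ORDER BY name;

-- Part 2: if the question is really about TDE, the database encryption key's
-- algorithm and length (encryption_state 3 means the database is encrypted).
SELECT DB_NAME(database_id) AS database_name, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;

-- Part 3: tie one encrypted column to the key that produced it. ENCRYPTBYKEY
-- stores the key's GUID in the first 16 bytes of the ciphertext, so the column
-- can be joined to sys.symmetric_keys without opening any key. dbo.Customers
-- and CardNumberEnc are placeholders. Rows that land under a NULL key_name were
-- not produced by a symmetric key that exists in this database.
SELECT sk.name AS key_name, sk.algorithm_desc, COUNT(*) AS row_count
FROM dbo.Customers AS c
LEFT JOIN sys.symmetric_keys AS sk
       ON sk.key_guid = CAST(SUBSTRING(c.CardNumberEnc, 1, 16) AS uniqueidentifier)
WHERE c.CardNumberEnc IS NOT NULL
GROUP BY sk.name, sk.algorithm_desc;
```

A column that is varbinary but encrypted by the application before it reached SQL Server will show up with a NULL key_name, and its algorithm cannot be determined from the database at all.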

Windows 10 UPDATE Failure on Security Update for SQL Server 2005 Service Pack 2 (KB960089)


UPDATE Failure on Security Update for SQL Server 2005 Service Pack 2 (KB960089)

Cannot connect to remote SQL Server


I am having trouble remotely connecting to a SQL Server, and as an intermediate step in trying to figure this out I attempted to remotely connect from within SSMS using the server name 'tcp:myServer' with SQL Server Authentication.  I get the error message "The remote computer refused the network connection".  What am I doing wrong?  Here are the details:

Product: Microsoft SQL Server Express (64-bit)
Version: 12.0.44870
Allow remote connections to this server: checked
SQL Server and Windows Authorization mode: selected
Login name: meMyself
Password: myPassword
Enforce password policy: checked
Enforce password expiration: unchecked
Firewall Inbound Rules: (I added this rule)
   Name: SQL Server 
   Enabled: yes
   Action: Allow
   Program: %Program Files%\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqservr.exe
   Protocol: TCP
   Local Port: 1433, 1434

setup adjust the uploading data from Linked Server Oracle and load data into database MS SQL in a set time

Hello.
Perhaps the question isn't really suitable for this forum, but I can't Google it.
I have 2 databases.

1. Database MS SQL 2008 and Server 2008.

2. Linked Server Oracle DB.

I want to set up uploading data from the Linked Server Oracle and loading it into the MS SQL database at set times (once every 15 minutes, once every 24 hours).
What tools or methods can I use for this? Thanks.

SQL 2012 TDE on Primary and STANDBY instances


Hello everyone,

we are going to encrypt our SQL 2012 DBs with TDE due to PCI DSS requirements. On the prod environment we have PRIMARY+STANDBY instances with log shipping configured.

But first we want to test in the test environment. Unfortunately, in the TEST environment we have only a PRIMARY instance.

So my question, is the schema below correct for TDE encryption for PRIMARY+STANDBY instances with log shipping configured?

1- create primary DB

2- create standby DB

3- encrypt primary DB

4- encrypt standby DB

5- configure log shipping

Can you point me to some documentation for such scenario?

Thanks beforehand,
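An added example, not the poster's own script, of the T-SQL for TDE with a log-shipping standby: the certificate that protects the database encryption key is backed up with its private key on the primary and restored on the standby before any encrypted backup is restored there, and the standby becomes encrypted through the shipped backups rather than through a separate encryption step. AppDb, the certificate name, the file paths and the passwords are placeholders.

```sql
-- On the PRIMARY instance
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Master-Key-P@ssw0rd';          -- placeholder
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for AppDb';
-- Back up the certificate WITH its private key: the standby cannot restore or
-- apply logs from an encrypted database without it. Store these files and the
-- password outside the server and treat them as the backups' recovery key.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'E:\TdeBackup\TdeCert.cer'                                      -- placeholder path
    WITH PRIVATE KEY (FILE = 'E:\TdeBackup\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Pvk-Export-P@ssw0rd');
GO

-- On the STANDBY instance, before the first full backup is restored there
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Standby-Master-Key-P@ssw0rd';
CREATE CERTIFICATE TdeCert
    FROM FILE = 'E:\TdeBackup\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'E:\TdeBackup\TdeCert.pvk',
                      DECRYPTION BY PASSWORD = 'Pvk-Export-P@ssw0rd');
GO

-- Back on PRIMARY: encrypt the database. The standby is encrypted by the full
-- backup/restore and the shipped log backups, not by a separate step.
USE AppDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE AppDb SET ENCRYPTION ON;
GO
-- Watch the background scan; encryption_state 3 means the database is encrypted.
-- Log shipping (full backup on the primary, restore on the standby) is then
-- configured exactly as for an unencrypted database.
SELECT DB_NAME(database_id) AS database_name, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
```

For the test environment that has only a primary, the same script without the standby section exercises everything except the restore, and the restore step can be rehearsed on the primary itself by restoring the encrypted backup under another database name.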


Trace File (.trc) Encryption


Are trace file (.trc) entries encrypted when a database is encryption enabled?

Encrypt Audit Trace (.trc) files.

Is there an easy way to encrypt sql server audit trace files (.trc)?

Or is there a way to direct trace data directly into a table?

specific truncate on a table


Hi,

How can I give only truncate permission on a table? Apart from truncate, the user should not be able to do any ALTER TABLE operations.

thanks


SQL Server DBA

How to forbid the TRUNCATE TABLE command?


Hi,

I want to forbid the TRUNCATE TABLE command in SQL Server. How can I do that?

Search and delete specific users.


Hello.

I have a web portal that uses SQL Server as its DB, and users can use my web portal to create accounts and... How can I find specific users in my DB and remove them?

Thank you.
