Channel: SQL Server Security forum

Credentials and proxy not working as expected


Hi,

Following is an issue that I am facing:

I have set up an agent job step of type CmdExec. Following is the command that I am trying to execute:

TYPEPERF -f CSV -o SQL:SQLServerMonitor!Perfmonlog -si 1 -c "\SQLServer:Memory Manager\Total Server Memory (KB)" -sc 1

The job is set to "run as" using a Proxy, which is using a credential that uses a domain account <DomainName>\Administrator

The same domain account is added as a user in the administrators group, where SQL Server and Agent service is running.

The job is failing with following message:

<DomainName>\Administrator. Exiting, please wait...                           Unknown.  Process Exit Code -1073738783.  The step failed.

When I am logged into the server using the <DomainName>\Administrator account, the job is successfully executing.

I am aware of a check in Scheduled Tasks that says "Run whether the user is logged in or not". Do we have something like that in SQL Server Agent? Or are there any other checks that I need to consider?

Thank you for looking into this...


GMSA SQL 2014

Enforce NTLMv2 and ignore LM


Is there a way to enforce SQL Server to only accept NTLMv2 hashes? The local LAN Manager security policy on the SQL Server machine seems to not influence its willingness to accept NTLM or even "obfuscated user/password" logins. Maybe the domain controller which hosts this username could affect it?

On a related note it would be a good idea to log a warning if anybody sends a LM hash.


-- http://itblog.eckenfels.net (german)

Advice on Sql Server Encryption solicited. I am very green


Hi there, I do have a fairly large personal database in SQL Server tables. Now I feel it is time to start encrypting the data. Where shall I start?

Thanks, - MyCatAlex

Always Encrypted Certificate store issue


Hi All,

I have an MVC application that uses SQL Express 2016.

I have followed all the necessary steps to configure Always Encrypted for one of the columns in my table, and installed the certificate on my machine for testing purposes. All works fine in my local environment.

Now my concern is: after hosting my application on another server, at which location do I have to install the certificate?
Should I install the certificate on the hosting server, or should it be on my local machine? If I install the certificate on the hosting server, then every other user can also access that column through the UI.


And what if I only want a particular user to access that decrypted column through the application? Is it possible by installing the certificate on that single user's machine instead of the hosting server?

Who or what disabled a given SQL login?


Hi,

We have several Windows 2008 R2 SP2 (64 bits) boxes running SQL 2008 R2 SP1 Standard (x64) with mixed authentication.

From time to time, I find that some SQL logins (used by our own applications) have been disabled, so I have to re-enable them manually.

I searched through both SQL logs and Windows Event Viewer, and I can't find who or what disabled these logins.

I thought about SQL Audits, but (as far as I know), they're not enabled on SQL 2008 R2 Standard.

So, how may I pinpoint what user or process is disabling these particular SQL logins? Any ideas?

Thanks in advance


Sebastian Sajaroff Senior DBA Pharmacies Jean Coutu

Test connection failed because of an error in initializing provider. [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.


Dear Team,

I have installed MS Server 2016, and on top of this I have installed MSSQL 2014 with the latest SP3 patch (Build: 12.0.6024.0). As per the compliance requirement, I have kept only TLS 1.2 enabled.

The problem is that when I keep only TLS 1.2 enabled, I get the following error, and I am completely unsure why this is happening, because MS Server 2016 and the MSSQL 2014 SP3 patch fully support TLS 1.2.

Test connection failed because of an error in initializing provider. [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.  

Can someone please help?

Linked server and security


We have set up a linked server with Kerberos authentication, and limited the users who can access the linked server.

Are there any logs that can tell what users are accessing the linked server, and what database or data they are accessing?

I did not see any information about linked server access or connections in the regular SQL Server log.

If logs cannot do that, what else can we set up to monitor the use of the linked server?


SQLFriend


Cannot log in into MS SQL server using both windows authentication and SQL server authentication

Until yesterday my SQL Server was working fine, but today I cannot log in to the server. I did try using both authentication modes, i.e. Windows authentication and SQL authentication. How can I resolve this?

Application level encryption

I've never had to implement SQL Server "data at rest" encryption, so please excuse that I'm clueless about this subject. But is there some form of encryption where application data is encrypted at the client/application server, transparently to the SQL database engine, yet still stored in a SQL database? I.e., encryption that does not involve SQL Server native encryption hierarchy components (TDE, symmetric keys)? The reason for the question is that I want to write a SQL Server project assessment questionnaire to hand off to vendors, and ask about any ways that they might encrypt application data. Hope that makes sense. Thanks.

Permissions to failover Availability group


Hi All,

I'm looking to create a server patching role for SQL Server and to give this role permission to manually fail over availability groups so that both nodes can be patched in a controlled manner.

Can you please advise what minimal permissions are required to create a SQL Server role with the ability to manually fail over an availability group to another node?

Thanks

Robert

Run stored procedure as a LocalSystem account?


Greetings,

   I have a scheduled script on a workstation which runs under the NTAuthority\SYSTEM account. This script opens a SQL database and executes a stored procedure, but it fails to open the database. As I understand it, the network access is done via the workstation's computer account, so I have given that computer account the necessary permissions:

The public server role to connect and

The execute permission on the stored procedure

Can this be done and if so, what bit am I missing please?

Thanks

David Z

Privileges needed for installation


Hello,

I need to understand the privileges needed for installation of SQL Server 2016/2017 on Windows 2016. Installation, not the service accounts to run SQL Server, but for installation. I cannot seem to find this in the documents. The prereqs just talk about the service accounts.

Our installation account has domain admin, and we would like to reduce this to the necessary.  Any help appreciated!

Dianne


Encrypt specific column(s) ?


Hello,

In regard to something like an SSN column, what's the recommended way to go about it?

Is Always Encrypted or something else the way to go, and does it encrypt the entire table/DB, or can it be applied at the level of specific column(s)?

Also, whichever method, Always Encrypted or something else, how much performance impact is there to consider?

Thanks in advance.

select from master.dbo.sysprocesses


My application is attempting to run a stored procedure that contains the following, which references the master database to get a list of users currently logged on. This will return a result when the user is in the sysadmin role. I have tried creating a role with execute permission for this stored procedure and assigned it to a user group, but it does not return a result. Is there a way to execute the stored procedure or even the select statement using the sysadmin role?

select distinct
	rtrim(nt_username) as [nt_username]
from master.dbo.sysprocesses
where
db_name(dbid)=DB_Name()
and len(isnull(nt_username,''))>0

Thanks


How to grant "alter" permission on all the future stored procedures to a particular user?


How to grant "alter" permission on all the future stored procedures to a particular user?

We do not want to give alter permission on any other objects except Stored Procedures.

Regards,

Ashif Shaikh


Get MicrosoftAccount login from SQL Server


I found some strange information in the log for login auditing. I am using Windows authentication and there are 2 different entries for the same user. Sometimes there is ComputerName\User and sometimes MicrosoftAccount\user@email.com. These two accounts are connected. How can I know which account will be used and when?

How can I extract MicrosoftAccount\user@email.com from SQL Server logins? I am using this query, but I am only getting the ComputerName\User account with it:

SELECT
CASE
    WHEN
        CHARINDEX('\', @@SERVERNAME) > 0
    THEN
        REPLACE(name, SUBSTRING(@@SERVERNAME, 1, CHARINDEX('\', @@SERVERNAME) - 1), CAST(SERVERPROPERTY('MachineName') AS nvarchar(128)))
    ELSE
        REPLACE(name, @@SERVERNAME, CAST(SERVERPROPERTY('MachineName') AS nvarchar(128)))
    END
AS name FROM sys.syslogins ORDER BY name

The instance of SQL Server you attempted to connect to requires encryption but this machine does not support it


I am getting the error "The instance of SQL Server you attempted to connect to requires encryption but this machine does not support it" while I connect to the SQL instance.

SQL Version: Microsoft SQL Server 2012 (SP3-CU6)

In the error log I see the below error:

 Logon       The prelogin packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: <local machine>]
 Logon       Error: 17828, Severity: 20, State: 3.

SSL encryption is used and force encryption is enabled; the certificate is valid and has 1 more year until expiry.


Thanks, Nithin

NT AUTHORITY\SYSTEM password

Who sets the password for NT AUTHORITY\SYSTEM? Can we change it and manage it?

SQL Agent won't start under domain account which is not in Local Administrators group /Sql Server 2008 R2


I am running MSSQL Server 2008 R2 with Cumulative Update 5. I was trying to run SQL Agent under a domain account which is not in the Local Administrators group (trying to keep the lowest privileges that are required; the agent is working under an account belonging to LA).

My domain account has a corresponding login on the SQL Server, which is assigned to the sysadmin server role. It is assigned to the SQLServerSQLAgentUser local group, so it has the rights as specified on http://msdn.microsoft.com/en-us/library/ms191543.aspx .

It should be sufficient to place my domain account into the group SQLServerSQLAgentUser$SERVERNAME$INSTANCENAME (I've checked, it has the rights specified above). Though it doesn't work. Starting SQL Agent from SS Management Studio gives me "The SQLSERVERAGENT service on CERNSQL02 started and then stopped." error. Starting from SS Configuration Manager gives "The request failed or the service did not respond in a timely fashion. Consult the event log or other applicable error logs for details." after a longer while.

Neither \log\errorlog, nor \log\sqlagent.out, nor the Event Log provides any help to debug it (output is the same). I've tried to use procmon to find the cause, but I didn't succeed.

The temporary solution which I've found is to add my domain account to SQLServerMSSQLUser$SERVERNAME$INSTANCENAME, which has lower privileges than LA.

But the question remains: what privileges are missing in the SQLServerSQLAgentUser group?
