Channel: SQL Server Security forum

Auditing database restore


Hello!

Does anybody know why the unsuccessful restore attempt looks exactly like the successful one in the auditing report?

P.S. The restorehistory table contains only the successful (the last one) attempt.


Thank you in advance,
Michael



Procedure to log user creation


Can someone help to create two procedures? (i) A procedure for creating logins and users which prompts for 5 parameters.

1. username

2. access, e.g. readonly

3. database name

4. password

5. expiration date

sp_createuser(sqlusername,readonly,dbname,15-10-2019)

and also (ii) a procedure or job which checks the expiration date and deletes the logins and users on the expiration date.


Best Regards, ACDBA

-Script option in Set-SqlColumnEncryption produces nothing


I am trying to use PowerShell to encrypt the columns in my database. When using the script below without the -Script option, the column in the database becomes encrypted. When using the -Script option, I get no script produced.

$encryptionChanges = @()

$encryptionChanges += New-SqlColumnEncryptionSettings -ColumnName dbo.BadgePrint.pers_title -EncryptionType Deterministic -EncryptionKey "CEK_Auto1"

Set-SqlColumnEncryption `
    -ColumnEncryptionSettings $encryptionChanges `
    -InputObject $smoDatabase `
    -LogFileDirectory "C:\projects\HRAM\logs" `
    -Script

I have also tried to output the script to a file, but that file just remains empty, so I am not sure what I am doing wrong.

I am using version 21.1.18147 of the SqlServer PS module. What am I doing wrong!?

Note: Cross posted from here https://stackoverflow.com/questions/57840457/script-option-in-set-sqlcolumnencryption-produces-nothing


Logon events


Hello!

When auditing logon events in my SQL Server (SUCCESSFULL/FAILED LOGON EVENTS audit specification) I see 7 events with the ~ same event_time values (for example, 14:45:16.1427822 - 14:45:16.141740374) for each logon. Is it normal?


I mean if I connect to the server as Domain\User1 there will be 7 exactly the same rows for that user with the logon times (event_time) that differ only in milliseconds.

select * FROM sys.fn_get_audit_file ('C:\AUDIT\*',default,default)

Thank you in advance,
Michael

Enable TLS 1.2 for Securing SQL Server Connection


Hi All, 

I have a database server on version 2017 (Standard edition) with build 14.0.3192.2 and there is no encryption method being applied in the SQL Server. Due to security concerns, I decided to secure the SQL Server connection by implementing TLS 1.2.

The main concern is: do I need to make any changes on the web/application server or in the code, including the connection string?

I hope I can get some advice here.

Thanks.

Best Regards,

Han

Prevent direct db access with Windows Authentication


Hi SQL Server experts,

I have a general question concerning the security of SQL Server apps.
We have a .NET rich client app that connects to SQL Server. We use an encrypted connection.

If the app uses SQL Server Authentication we have to store an encrypted password in the app which can be read by using a memory dump after decrypting.

So Windows Authentication seems the right way. But how can we prevent direct db access by the user with a SQL client tool (SSMS, HeidiSQL, ...)?

Thanks a lot and have a good day,
Ulrich


TLS in SQL Server


Greetings,

I work for a Microsoft Partner and one of our customers was asking about the possibility of changing TLS 1.0 to 1.2 on SQL Server.

As I know, from Internet Options I can enable TLS 1.2 beside 1.0 and 1.1.

Is this all I need to do, or are some steps needed to configure SQL Server itself?

Regards,

Khaled El Gazzar

Logon,Unknown,Login failed for user


Hello,

I have a problem with my SQL Server.

I have a standalone server for SQL and a lot of applications connect to it,

but I got this problem in my logs:

09/13/2019 01:40:59,Logon,Unknown,Login failed for user 'UU\SQLPROD$'. Reason: Could not find a login matching the name provided. [CLIENT: <local machine>]
09/13/2019 01:40:59,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 5.

I am not sure what program is causing this error,

and there is no way I can turn off some application to test this.

How can I fix the problem, or find out exactly which server is trying to connect and getting this error? If I got the IP of the server that is trying to connect and failing, I would know exactly which application it is.


Audit permission changes to a schema


I have an issue on a database where the permissions on a schema are being revoked/disappearing but nobody is admitting to having done it. I set up an audit to capture these changes but nothing is being recorded - not even when I reapplied the permissions to fix the issue. Permission changes to individual objects were captured but not those to the schema itself.

The audit specification I have is:

The permission command I ran was:

GRANT SELECT ON SCHEMA::[schema_name] TO [user_name]

Thanks.

Need help with dbcreator server role permissions.


Why are there different permissions on the server instance for a SQL authentication login and a Windows authentication login with the dbcreator server role? The SQL user has the "alter any database" permission while the Windows user does not.


SQL Server security question

Hi All,

This is more of a security-related question.
Usually, we connect to Prod SQL Servers via jump servers. While connecting to a jump server we get the verification code on mobile, we verify, and we get access to the prod servers.
We do an RDP, or using SSMS we connect to the prod env.

Now, my question is: if we have SSMS installed on a local machine/laptop, we are also able to connect to prod servers. This is a potential security risk. How can we restrict such local connections?
We want to allow connections only via jump servers and not from any local machine/laptop.

Is there a way to restrict local connections from the SQL Server side, or do we need to involve the network team on this? If the network team is involved, what would they typically do in order to implement such a process?
I want to have some idea before reaching out to them.

Please suggest.

Thanks,
Sam

Restoring encrypted database

We do offsite SQL and web development for a customer that is considering encrypting their database. I am worried about being able to restore a backup on our server as we will not have the certificate on our server. Will this be an issue, or will backups continue to not be encrypted?

BATCH_STARTED_GROUP/BATCH_COMPLETED_GROUP


Hello!

Can't find the description for the BATCH_STARTED_GROUP/BATCH_COMPLETED_GROUP on this page - is there any documentation on these audit action groups?

Regards,
Michael

How to Grant select on View but underlying table should not be shown in SSMS navigation

Change BUILTIN\Administrators from sysadmin to public


Hi, 

I have a task to delete or decrease permissions for BUILTIN\Administrators in SQL Server 2016 (as best practices say). In this group there are local users, the local machine and a backup user.

I want to create Windows logins instead of this login, with proper minimal permissions to SQL Server.

What is the minimum that the local machine needs to run SQL Server properly?

Should I delete the BUILTIN\Administrators login from SQL Server or set it to the public server role only?

Thanks, 


Database Users showing disabled


In SSMS, a database user is showing up as disabled (a down reddish arrow). When I look at the server login - it shows that it is a valid login to the instance. I go to Login Properties and then click User Mapping on the GUI and check the particular database to add/enable this user to a Role. However, no luck. It still shows the user as disabled. The user cannot connect to the database. This is in SQL Server 2005, EE64.

Can someone please help? - Thanks.

Granting execute permission on a stored procedure without granting permission on base table not working


Our production DB server supports a complex web application and the problem we currently face is a kind of basic security issue, and I was asked to resolve it in a week's time. The scenario is that a few of the members of the web application development team, by virtue of being developers, know the user ID and password of the DB account which is intended to be used by the web application only. Some of these developers manipulate the data in the tables and that is causing serious havoc. We do have triggers created on major tables that tell us who changed and what changed etc. But as these guys use the same user ID as the web application, all we can see from the trigger is that same service account user ID only. I was asked to remove the direct table insert, update & delete permissions of the web application user. This should be straightforward because the web application is interacting with the database only through a set of defined stored procedures and a few functions. The application code never touches (neither selects nor changes) any of the tables directly. As such the web application user doesn't need to have write permission to these tables. It should only have execute permission on the defined SPs. I thought I could remove it easily. But that was not the case. We have more than 1000 SPs and all of them are created in one database. The underlying tables the SPs insert, update & delete are in a different database on the same server instance. In that case SQL Server expects the user to have the permission on the underlying table as well. The execute permission on the SP is not enough. I tried all the methods I can think of, such as creating a role and changing the SP code to use EXECUTE AS OWNER etc., but none worked. Can someone please help?

Basically I need the following test case to work. Thanks in advance.

-- Step1. creating a server login and mapping the login to two databases with read access to all tables. (NO write access)

CREATE LOGIN testUser WITH PASSWORD=N'passowrd', DEFAULT_DATABASE=[master]

GO
USE Database1
GO
CREATE USER [testUser] FOR LOGIN [testUser]
ALTER ROLE [db_datareader] ADD MEMBER [testUser]


GO
USE Database2
GO
CREATE USER [testUser] FOR LOGIN [testUser]
ALTER ROLE [db_datareader] ADD MEMBER [testUser]


--Step 2. create one table in first database and one SP in the other. The SP inserts to table in database1.

use Database1
go
create table testTable(a int, b varchar(100))

use Database2
go
create proc testProc @a int, @b varchar(100) as
Begin
insert into Database1.dbo.testTable(a,b) values (@a,@b)
end
go


--Step 3. granting the user execute permission on the SP without granting modify permission on the base table

GRANT EXECUTE ON testProc TO [testUser]

--Final step. login as the test user and  try to execute the SP

use Database2
execute testProc 100,'aaa'

Now I get the error "The INSERT permission was denied on the object 'testTable', database 'Database1', schema 'dbo'."

How can I get it working without making the user able to directly modify the table?



A self-generated certificate was successfully loaded for encryption.

SQL Server logs the message "A self-generated certificate was successfully loaded for encryption". Can we know, for each SQL version, i.e. 2005/2008/2012/2014/2016/2017, what protocol is used? Also, is there any way of changing the protocol for this, as these are highlighted as vulnerabilities during a scan?

query to see all databases to which a user has access


I need a simple script that will list all of the databases to which a particular user has access. We have over 100 databases on our server, and around 300 users. Yes, I know I can get this info by right-clicking the login in SQL Management Studio. But I'm not looking for a GUI solution. I need a SQL statement (or script) that will produce a list of databases.

Thank you.

how to change sql server login password?

Hello.

I am using SQL Server 2008 R2 and my PC is in the network (in an office).

How can I change my login password, which was created with SQL Server authentication?