Hello we have a 2 node (Active / Inactive) SQL Server cluster. We are in Dept A and would like to create a Linked Server into a different SQL Server that's located in a separate Dept B being in different networks.
Can we just supply Dept B our one SQL Server VIP cluster to white-list...or do we also need to supply them both of our other IPs of each node?
Thanks in advance.
I am setting a password for my login using MSSQL Studio. When I go back to check it, the password is not what I set it to. I know this for two reasons:
1) The password doesn't work. I can't connect to SQL Server using my python scripts
2) Back in MSSQL Studio, the password has a different number of characters.
Am I doing something wrong?
FWIW, I am leaving "Enforce password policy" unchecked.
SQL Always Encrypted for CNG Key Provisioning With Role Separation must be executed from Powershell.
Security Administrators do not have access to DB.
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/configure-always-encrypted-keys-using-powershell?view=sql-server-2017
Windows 2016 STD x64 with .Net Framework 4.6.2
MS SQL 2017 Enterprise Edition RTM CU-11
Latest module “SqlServer” version 21.1.18179 installed.
HSM Model : Gemalto Safenet - LunaSA 6.2.1, Firmware 6.10.9, FIPS 140-2 in ON
Master Key was created on target machine hosting DB with the HSM-specific tool:
C:\Program Files\SafeNet\LunaClient\win32\KSP\KspConfig.exe
I granted permission to myself & SYSTEM\NT_AUTHORITY
Partition contents confirm a key label “Always-Encrypted-Auto1” was created.
I tested the Always Encrypted keys using SSMS 17.9 with SUCCESS, but my objective is via Powershell.
I launched Powershell ISE as Administrator
----------------------------------------------
PS C:\> Import-Module"SqlServer"
$CMKSettings=New-SqlCngColumnMasterKeySettings-CngProviderName"SafeNet Key Storage Provider"-KeyName"Always-Encrypted-Auto1"
#Generate a column encryption key, encrypt it with the column master key to produce an encrypted value of the column encryption key.
$encryptedValue=New-SqlColumnEncryptionKeyEncryptedValue-TargetColumnMasterKeySettings $CMKSettings
# Share the location of the column master key and an encrypted value of the column encryption key with a DBA, via a CSV file on a share drive
$keyDataFile="E:\SharedFolder\AlwaysEncryptedKeyData.txt"
"KeyStoreProviderName, KeyPath, EncryptedValue">$keyDataFile
$cmkSettings.KeyStoreProviderName+", "+$cmkSettings.KeyPath+", "+$encryptedValue>>$keyDataFile
----------------------------------------------
ERROR MESSAGE:
New-SqlColumnEncryptionKeyEncryptedValue : The type initializer for 'Microsoft.SqlServer.Management.AlwaysEncrypted.Types.AlwaysEncryptedManager' threw
an exception.
At line:5 char:19
+ ... ptedValue = New-SqlColumnEncryptionKeyEncryptedValue -TargetColumnMas ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-SqlColumnEncryptionKeyEncryptedValue], TypeInitializationException
+ FullyQualifiedErrorId : System.TypeInitializationException,Microsoft.SqlServer.Management.PowerShell.AlwaysEncrypted.NewSqlColumnEncryptionKeyEncry
ptedValue
--------------------------------------------------------------
PS C:\> Import-Module "PSPKI"
Get-CryptographicServiceProvider
Name Type IsLegacy Algorithms
---- ---- -------- ----------
Microsoft Software Key Storage Provider None False {RSA, DH, DSA, ECDH...}
Microsoft Passport Key Storage Provider None False {RSA, AES, 3DES, DES...}
Microsoft Smart Card Key Storage Provider None False {RSA, ECDH_P256, ECDH_P384, ECDH_P521...}
Luna Cryptographic Services for Microsoft Windows RsaFull True {}
Luna enhanced RSA and AES provider for Microsoft Win... RsaAes True {}
Luna SChannel Cryptographic Services for Microsoft W... RsaSChannel True {}
Microsoft Base Cryptographic Provider v1.0 RsaFull True {rc2, rc4, sha1, md2...}
Microsoft Base DSS and Diffie-Hellman Cryptographic ... DSSDiffieHellman True {rc2, rc4, sha1, md5...}
Microsoft Base DSS Cryptographic Provider DSS True {sha1, md5, DSA}
Microsoft Base Smart Card Crypto Provider RsaFull True {rc2, rc4, sha1, sha256...}
Microsoft DH SChannel Cryptographic Provider DiffieHellmanSChannel True {rc2, rc4, sha1, md5...}
Microsoft Enhanced Cryptographic Provider v1.0 RsaFull True {rc2, rc4, sha1, md2...}
Microsoft Enhanced DSS and Diffie-Hellman Cryptograp... DSSDiffieHellman True {rc2, rc4, sha1, md5...}
Microsoft Enhanced RSA and AES Cryptographic Provider RsaAes True {rc2, rc4, sha1, sha256...}
Microsoft RSA SChannel Cryptographic Provider RsaSChannel True {rc2, rc4, sha1, md5...}
Microsoft Strong Cryptographic Provider RsaFull True {rc2, rc4, sha1, md2...}
Hi,
I am using Windows Authentication to send email using sp_send_dbmail.
Sending email works if I do not try to add a remote attachment. It also works if I try to send email with a local attachment (on the SQL Server machine). It works for remote attachments (as \\remote_server\share_name\test.txt) **if** I am connected to SQL Server as a sysadmin (Windows Authentication test logon in the sysadmin role). However, if I try sending email with a remote attachment as a non-administrative user, the attachment fails.
EXEC msdb.dbo.sp_send_dbmail @profile_name = 'DatabaseGoogleMailProfile',
@recipients = 'abc@xyz.com',
@subject = 'TESTING2',
@body = 'This is a new test message2.',
@file_attachments = '\\servername\SQL_Data\ABC_Application\QA\global\file.txt'
The error message I receive is:
Msg 22051, Level 16, State 1, Line 0
Failed to open attachment file '\\ remote_server\share_name\test.txt'. Access denied.
The Windows Authentication test logon is in the DatabaseMailUserRole Database Role and has full control of the remote share. It would appear there is some SQL Server permission setting that I'm missing to allow any user to add remote attachments. Obviously I can't just give everyone sysadmin rights on the server in order to let them include attachments in e-mail. Can anyone shed some light on this?
I am running SQL Server 2008 R2 (64-bit) on Windows 2008 R2 Server (64-bit). Also the Windows Authentication test login I am using has full control of the remote share.
Thanks!
Hello!
One more question on auditing, please:
This page says:
FAILED_DATABASE_AUTHENTICATION_GROUP Indicates that a principal tried to log on to a contained database and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool. This event is raised.
SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP Indicates that a principal successfully logged in to a contained database.
I create a new audit specification
...and try to connect to the Test contained database using Windows-based and SQL-based db user (I make two successfull and two failed connection attempts), for example:
Now I expect to see these 2 succsessful and two failed connection attempts in the log, but it produces only the success-related events:
I failed (in other tests as well) to make the server log the failed connections - what am I doing wrong?
Thank you in advance,
Michael
Hello,
is there a Way to access a SQL-Server Database (2017 Express) from a Client without VPN (comfortability Reasons when Access from external) not produce a Security-Risk ?
Thanks
Hi,
My company wants to encrypt some of the tables of database. Our requirement is to do storage level encryption. I searched the net and found TDE (Transparent Data Encryption) is the option for storage level encryption. But if we enable TDE then the whole database will be encrypted. I want to know-
1) Is it possible to encrypt some tables (not full database) by TDE?
2) Is there any other security feature that encrypt table at storage level?
Please note that we need encryption at storage level, that means if storage (hard disk/SAN disk) is stolen then the hacker/thief will not able to retrieve the encrypted information. There are some table encryption feature like DDM (Dynamic Data Masking) which encrypt data but not at storage level.
Regards
Arif
Hi,
One of our developer wants to transfer data from Oracle to SQL Server through SSIS package job. SQL Server Integration Service is not installed in database instance. Only database engine and SQL Server agent is installed.
Do I need to install integration service to run SSIS package job or my current setup will do?
Regards
Arif
Hello Team,
I am Serge KOUNGA, Head of IT Audit at an insurance company in Cameroon (Africa).
Throughout some of the analyses I performed in our Database, I identified number jumps in the table "dbo.Caisse", which lists all money entries of our company. I would like to point out that these numbers are automatically created by the sql server
database.
However, the data entered in the *.LDF file does not show me any sign of any deletion of entries in this table "dbo.Caisse".
My question is: Is it also possible to modify the entries contained in the *.LDF file.
If so, how to configure SQL Server to avoid such a change
Thanks
Hi All,
I wanted to write a sql query to return all the users from a specific AD Group specifying the Group Name instead of the CN value in memberof.
I have written the query as shown below. kIndly help me on the same :
SELECT sAMAccountName as Login
FROM OPENQUERY( ADSI,
'SELECT sAMAccountname FROM ''LDAP:// DC=<<MyDomainName>>,DC=com''
WHERE objectCategory=''person'' AND objectClass=''user'' AND memberOf=''CN=<<MyGroupName>>,OU=BI,OU=Administrator Accounts,OU=MIS,OU=Corporate Users,DC=<<MyDomainName>>,DC=com''')
Kindly help me on the same
Thanks
ram
I'm trying to encrypt multiple columns using AlwaysEncrypted, trying to apply the encryption using PowerShell and it is failing with the below error message :
Set-SqlColumnEncryption : The type initializer for 'Microsoft.SqlServer.Management.AlwaysEncrypted.Types.AlwaysEncryptedManager' threw an exception.
The actual line of code where is is giving exception is :
Set-SqlColumnEncryption -ColumnEncryptionSettings $encryptionChanges -InputObject $smoDatabase
Further looking into the error, I've found the below exception :
System.TypeInitializationException: The type initializer for 'Microsoft.SqlServer.Management.AlwaysEncrypted.Types.AlwaysEncryptedManager' threw an exception. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the
target of an invocation. ---> System.TypeInitializationException: The type initializer for 'Microsoft.SqlServer.Management.AlwaysEncrypted.Management.AlwaysEncryptedManagement'
threw an exception. ---> System.IO.FileNotFoundException: Could not
load file or assembly 'System.Net.Http, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.
I'm running SQL Server 2016 Enterprise, PS Version 5.1, SQLPS version 21.1.18068.
Not sure what am I missing here. Any help will be highly appreciated.
Hello all,
I have a client that would like to implement that non-DBA users should not have a system database as a default. Client would like to make sure that a non-DBA not assigned a system database causing a security breach. Any way to prevent this? Is assigning a security risk? Is this at all possible? Any links to documentation would be helpful.
Gokhan Varol
The postings that I have seen on this site which deal with this problem only provide a suggested "solutions" to the problem. They do not provide some insight into why this might be occurring. In my specific case, I have a relatively complex network of production servers running the latest system software networked to terabytes of data storage. I am dealing with SQL job failures in random jobs in random steps during overnight processing. This does not occur every night. Even this is random. When I say random, I mean random. In some cases the step has an auto-retry which kicks in. Sometimes the step runs on the retry without problems. Usually it fails again. When I arrive early in the morning, without doing any of the suggested "solutions", I can manually restart at the failing step and it normally runs to completion.
What is causing this random failure? What should I look for and where should I look to determine the cause? Once I know the cause, then I can possibly arrive at the appropriate "solution".
Randy Harding
Himanshu Bal
Hello, we're looking to set up a brand new Windows Server 2012 R2 with a security certificate to encrypt entire SQL Server activities.
We currently have SQL 2016 ready to install but wondering are there any compatibility concerns/issues using Windows 2012 R2 & SQL 2016 installing/enable certificate encryption?
Or would it be better to use higher versions of Windows 2016 or Windows 2019 (when it gets released)?
Also are there any differences benefits comparisons between SQL 2016 vs SQL 2017 vs SQL 2019 (when it gets released)? (We might be willing to pay further for higher versions beyond SQL 2016.)
Thanks in advance.
Does any have a script that would script out a user or users DB ROLE PERMISSIONS from every database usingsp_msforeachdb
I have script that gets users role permission per database but not all of them at once
my example
SELECT
'EXEC sp_addrolemember @rolename ='
+''+QUOTENAME(USER_NAME(rm.role_principal_id),'''')+', @membername ='+''+QUOTENAME(USER_NAME(rm.member_principal_id),'''')AS[-- SQL STATEMENTS --],
3
AS[-- RESULT ORDER HOLDER --]
FROM
sys.database_role_membersASrm
WHERE
USER_NAME(rm.member_principal_id)IN(
--get user names on the database
SELECT[name]
FROMsys.database_principals
WHERE[principal_id]>4-- 0 to 4 are system users/schemas
and[type]IN('G','S','U')-- S = SQL user, U = Windows user, G = Windows group
and[name]='username')