Quantcast
Channel: SQL Server Security forum
Viewing all 3042 articles
Browse latest View live

Grating execute permission on a stored procedure without grating permission on base table not working

September 19, 2019, 2:47 pm
$
0
0

Our production DB server supports a complex web application and the problem we currently face is a kind of a basic security issue and I was asked to resolve it in a week time. The scenario is that  a few of the members from web application development team by the virtue of being developers know the user Id and password of the DB account which is intended to be used by the web application only. Some of these developers manipulate the data in the table and that is causing a serious havoc. We do have triggers created on major tables that tell us who changed and what changed etc. But as theses guys use the same userId of the web application , all we can see from the trigger is that same service account user Id only.  I was asked to remove the direct table insert,update & delete permission of the web application user. This should be straight forward because the web application is interacting with the database only through a set of defined stored procedures and a few functions. The application code never touch (neither select nor change) any of the tables directly. As such the web application user doesn’t need to have the write permission to these tables. It should only have execute permission on the defined SPs. I thought I could remove it easily. But that was not the case. We have more than 1000 SPs and all of them are created in one database. The underlying tables the SPs insert,update & delete are in a different database on the same server instance. In that case SQL server expect the user have the permission on the underlying table as well. The execute permission on the SP is not enough. I tried all the methods I can think of such as creating a role and changing the SP code to use with EXECUTE AS OWNER etc. but none worked. Can someone please help?

Basically I need the following  test case to work. Thanks in advance.. 

-- Step1. creating a server login and mapping the login to two databases with read access to all tables. (NO write access)

CREATE LOGIN testUser WITH PASSWORD=N'passowrd', DEFAULT_DATABASE=[master]

GO
USE Database1
GO
CREATE USER [testUser] FOR LOGIN [testUser]
ALTER ROLE [db_datareader] ADD MEMBER [testUser]


GO
USE Database2
GO
CREATE USER [testUser] FOR LOGIN [testUser]
ALTER ROLE [db_datareader] ADD MEMBER [testUser]


--Step 2. create one table in first database and one SP in the other. The SP inserts to table in database1.

use Database1
go
create table testTable(a int, b varchar(100))

use Database2
go
create proc testProc @a int, @b varchar(100) as
Begin
insert into Database1.dbo.testTable(a,b) values (@a,@b)
end


--Step 3 .grating the user execute permission on the SP without grating modify permission on the base table

GRANT EXECUTE ON testProc TO [testUser]

--Final step. login as the test user and  try to execute the SP

use Database2
execute testProc 100,'aaa'

now I get the error "The INSERT permission was denied on the object 'testTable', database 'Database1', schema 'dbo'." 

How can I get it working without making the user able to directly modify the table? 



Search

SQL Server 2017 Linux: Access denied for active directory users who are granted access via DL- and G- group mechanism.

October 24, 2019, 6:13 am
$
0
0

Hi,

we installed an SQL Server 2017 for linux under RedHat Enterprise Server 7.4.

TL;DR (too long; didn't read)------------------------

  • Member of DL-Groups can't authenticate against SQL Server Linux
  • sys.dm_exec_sessions field nt_domain shows a wrong value missing the last character
  • May be sql server linux bug

Long version--------------------------

What works:

The server is integrated into our active directory via sssd and the SQL Server is configured as shown in the documentation.

Every user who is granted access direct via

  • "<Domain>\<Username>" and via
  • "first-level"-Group (user is member of group and group "<Domain>\<G-Group>")

is working well. The users can connect via "Windows Authentication" and access the database.

What does not work is:

User is

  • Member of G-Group,
  • the G-(global)-Group is Member of DL-(domain local)-Group and the
  • DL-Group gets the grants

What I checked:

I checked the

  • spns, the
  • kerberos-keytabs,
  • getent passwd with <username>@<full.domain.name> under the command-shell works as required
  • getent passwd with <netbiosdomain>\\<username> under the command-shell works as required, too
  • login to windows-servers with smbclient works (can login with "-k" for kerberos)
  • unix file permissions based on "DL-Groups" work

What I tried and found so far:---------------

1. I changed the type of the DL-Groups in Active Directory to "Universal".

After some (sync) time. The logins began to work. Wo only have one forest and one domain. There are no subdomains so that seemed to be very strange here.

2. Now I checked the dm-Views for working logins

to see if they contain some faults (sys.dm_exec_connections and sys.dm_exec_sessions).

There I found a strange value for "nt_domain" in thesys.dm_exec_sessions.

  • The netbios domain name is missing one character.
  • Our full-kerberos-domain is "sgr.lan", the netbios domain should be "SGR"
  • The value for "nt_domain" is just "SG".

I don't know where to look next.

So where does the value come from? The name "SG" is not configured anywhere.

It seems a little bit like a sql server linux bug, but someone needs to help me here to proove it.

Same permissions to 4 sql server user, Exist a global role?

October 30, 2019, 9:20 am
$
0
0

Hi...
today my co-worker ask me to set 4 new user (not windows... sql server users for a VNP external connection) those need specials permission on some DBs and some tables.

If those were windows user, I would have created a windows groupin which I would have included users... and all could been very simple.


BUT... there is a way for a "group role" at server level for all 4 users?


I know DB role/Application role... but in my case I should set 8DB role (users need access to 8 DB)... exists some trick for a server level role that managed granularity on each DB?

I had to apply the accesses and permissions to all 4 users... no a single statement.

Hope that someone could clarify me this concept...

I don't found a technicality for group those 4 user and apply an a server role permission to access and write in some DB of my instance... butcould be my fault

Thanks ALEN, Italy


Encrypt master database backup?

October 31, 2019, 2:58 am
$
0
0

Hi.

I am currently utilising database backup encryption via certificate on my production server. This includes all my system databases

Just wondering what the general consensus is out there in the big wide world:

  • Is it worth encrypting your system database backups (master, model, msdb)?
  • Does anyone out there think that this is overkill? If so, why?

Thanks guys.

SQL Server 2012 SP4 Fails to update database engine

January 22, 2018, 6:47 am
$
0
0

We are having problems updating SQL Server 2012 SP3 with GDR Patch to SP4.  We are getting SQM Service: SQM does not have an active session, and SQLScriptdowngrade.dll access denied.  Also getting Accessing denied when writing to the registry key SQLCTR.

I have validated the SP4 media and download file, and they are fine.  I have validated the registry and it's fine as well, all values for paths are valid.  I can't uninstall parts of SP4 that were updated.  I get access denied. Servers are not running any Security software due to they are on a private network that has no access to the internet, and firewall rules limit the servers that can access the servers.

I can't apply the SP4 GDR for Spectre and Meltdown.

I have tried to repair the SQL Server 2012 Installation, and that crashed SQL Server 2012.  After trying to repair SQL Server 2012 SP3 GDR installation, SQL Server 2012 would no longer start, and I am not able to uninstall to re-install SQL Servers.  I am in the process of rebuilding 2 of the servers.

For SQLCTR registry key and sqlscriptdowngrade.dll, process monitor shows no process accessing them.  Why do I get access denied on the registry key and dll?

I am unable to attach the logs as these are secure systems and can't have the logs transferred outside of the facility.

What more can I look at to determine why SQL Server 2012 SP4 will not update the database engine?

DJ

What "Common criteria complinace" is it for?

November 2, 2019, 4:31 am
$
0
0

guys, c2 audit register success and unsucess tries to log in. just wondering about this new audit mode

thank you

MY ACCOUNT PASSWORD

November 3, 2019, 11:21 pm
$
0
0

DEAR SIR MY ACCOUNT PASWARD AND ACCOUNT DID NOT OPEN SERVER COULD NOT BE OPEN HELP ME SOON

SQL Server Login Audit

November 4, 2019, 1:09 am
$
0
0

Hi,

We need to audit all successful login in one of our production database instance. I have enabled following audit option at server audit specification-

SUCCESSFUL_LOGIN_GROUP

But I found another auditing option below-

SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP

Can anyone let me know this option also required?

Normally in SQL server  one login have access permission to multiple databases. In that case only 'SUCCESSFUL_LOGIN_GROUP' option is enough to capture 
the information or 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP' is also required?

Regards

Arif

Search

How to delegate SQL server authentication to Active directory Authentication

November 4, 2019, 10:42 am
$
0
0

Dear Experts,

How to delegate SQL server authentication to Active directory Authentication

Kiran

dbcreator is not able to restore a database

November 6, 2019, 5:07 am
$
0
0

I have a login that is member of dbcreator server role.

this login can create the database and backup it to a folder, but when trying to restore that backup from the same folder that it placed the backup on, we are getting the following error:

cannot start SQL Server from single user mode

November 6, 2019, 6:07 am
$
0
0

My problem is this – I cannot start SQL Server from single user mode, therefore I cannot make administrative changes to rights to my WSUS (or any) databases.  I need those rights to run SQL queries against my WSUS database.  The SA account is disabled and we do not know the password to the account.

Kiran

SSMS login issue

November 6, 2019, 5:15 am
$
0
0

Dear Experts,

We have a server. I can login to that server and when I click on SSMS it is automatically taking my windows login credentials and logging into SSMS. I want another windows login to be able to login to SSMS on that server, and he is not an admin of that server

Kiran

Always Encrypted testing

November 7, 2019, 12:36 pm
$
0
0
We would like to test our asp.net application that connects to a SQL Server 2016 database prior to doing the same in a hosted site where our production database exists.  I read up on the steps to setup always encrypted and we know the table columns that will be encrypted but would like to test it here at our test site before we apply the encryption and asp.net page changes in production. How can we do this?

User for restore specific db ?

November 8, 2019, 5:19 am
$
0
0

Hi, 

example: 
- databaseA
- databaseA-test (copy of databaseA for develop/test)

I need a user who will be able to restore db from backup file (databaseA.bak) to databaseA-test
but will not be able to finish (in case of user error) restore (file databaseA.bak) to databaseA

my db user: restoreDb has server role: public + dbcreator
and permition for db: 
- databaseA - db_backupoperator + public
- databaseA-test - public + owner + db_backupoperator + db_datareader/writer + db_ddlamin

but this setting is not required - restoreDb can make restore databaseA despite not being the owner

is any settings possible ? 

Can't create Always Encrypted CMK in LocalMachine even as local administrator

July 6, 2018, 6:18 am
$
0
0

I need to create a CMK in the LocalMachine keystore on SQL Server 2016 Standard (using manual key creation as automatic wizard insists on CurrentUser which is no good). My user account is a Local Administrator, yet I get told by the system that "you do not have the required permissions to create certificates in local machine".

This can surely not be right?

I have been tearing my hair out over this issue for two days straight by now and I am in desperate need of assistance!



Search

error 18456 on secondary node alwayson with powershell

November 11, 2019, 7:37 am
$
0
0

Hi all,

i get the error in object, when try to launch a powershell script that remove from AvailabilityGroup some db.

Configuration is following:

- 1 domain user added as administrator locally on both 2 node;

- powershell script is invoked by jenkins scheduler. Domain user is stored on jenkins scheduler;

- on both sql server domain user is sysadmin, script are stored locally on servers.

So script work fine on primary node, remove db from ag and after delete it. When i try to launch script from primary node to secondary (with same user)doesn't work, i got error in attach with "login failed for NT AUTHORITY\ANONYMOUS LOGON " on sql log.

User and password for security are not hardcoded into the script. Into the script there is integrated security = true. We tried with integrated security = SSPI but got same error. If we put integrated security = false it works on secondary node.

What are doing wrong?

Thanks

Permission to execute xp_servicecontrol procedure

November 13, 2019, 7:11 am
$
0
0

Team,

I need  to provide permission to execute "xp_servicecontrol" procedure only. However,  don't want to add in sysadmin role. Is there any way to accomplish the same 

Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it

Intermittent issue an error occurred during decryption error message , status of db became recovery pending

November 13, 2019, 7:36 pm
$
0
0

Our environment is sql server 2017 with the latest CU 16 . We implemented our database TDE with safenet luna HSM.

We will encountered intermittent issue with the following

1) an error occurred during decryption error message for our database check integrity job and backup jobs

2) status of some databases became recovery pending .

 Once we restarted the database instance, the statue became normal and our dbcc checkdb can execute successfully.

A few weeks later, we encountered the same issue

 

  Does anyone know what could be the possible cause and whether there is any other way to resolve the issue beside restart the database instance

login failed for user 'sa'

November 14, 2019, 7:54 am
$
0
0

Hi All

Why the following errors logging in SQL errorlog for few only versions (ex, 10.50.6560) after renamed/disbaled SA account and how to stop them being logged

Logon              login failed for user 'sa'. Reason: Could not find a login matching the name provided. [CLIENT: local server ip address]

Thanks

Dave

SQL SERVER DATABASE -

November 14, 2019, 11:04 pm
$
0
0

We are a startup software development company. One of our client who use our Desktop Application [ Developed in .net and SQL Server Database ] has a Main Office Server computer with static IP assigned and Sql Server Database for Database.

This Main Office Sql DB is accessed through internet by the Computers / users from Three branches in different locations. Data is transferred / sync between branches and to main office... and all works perfect as per the requirement.

Port is opened in Main office SQL Server for data transferring. Firewall or VPN is not installed and configured. To make the Database / systems more secure and to prevent the intrusion, Hacking and Ransom ware what security measures should be taken care of ?

If anybody can guide us how to configure Firewall and VPN to make our system more secured, will be highly appreciated.

Regards
Shaaji


Viewing all 3042 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>