Quantcast
Channel: SQL Server Security forum
Viewing all 3042 articles
Browse latest View live

A global group cannot have a cross-domain member

January 26, 2016, 2:11 pm
$
0
0

I have a sql job that runs a SSIS package using a proxy ID.  The job is also set up with an output file that appends to an existing file on a file share location.  The credential that the proxy ID runs under as well as the service account ID both have modify access to the file share location.  But when I run the job, I get this error:  cannot write to logfile \\myfile\share\location  Error 8519: A global group cannot have a cross-domain member.

I have another job that is nearly identical except the package is run as the SQL Server Agency Service Account.  This job successfully creates (however, it does not append) a log file on the exact same file share.

Is it not possible to generate an output file from a job step that is executed using proxy? Any assistance is greatly appreciated.

Search

Granting Execute to sp_enable_sql-debug

January 27, 2016, 8:08 am
$
0
0

We have a development environment that all the developers log onto and do their development. They are not allowed to do development on their own local PCs. They just have the SQL Server Management Studio client on their PCs. We have SQL Server 2012.

Do to issues my manager has asked me to restrict the privileges.  They no longer have sysadmin.  Thus, how can they use the debugger then.  I tried to select the master database under “Users mapped to this login”.  And run the following               GRANT EXECUTE ON sys.sp_enable_sql_debug to 'DomainNameHere\UserNameHere' .  However, this still didn't work.  Is there something that I am missing or is it that only sysadmins can run the debugger? 

lcerni

How to encrypt the Connection string in Web.config without affecting connectivity between application and DB

January 27, 2016, 9:48 pm
$
0
0

Hi,

I have found a command to encrypt and also decrypt the Web.config file in connection string. So if anybody can decrypt the same connection string means then what will make difference and the purpose of encrypting.

Note: And also if I encrypt the connection string, I'm not able to connect with neither SQL DB Server nor localhost for my web application. Please help me on this and give the steps to encrypt the connection string in web.config file without affecting the Connectivity between the web.config file and DB server


Database user types

January 25, 2016, 7:00 am
$
0
0

Hello!

Maybe it's a silly question but I'd like to have it clarified: what's the difference betweenSQL user with login user type (in case when that login is a Windows login)  andWindows user? For example, when I create a new user as SQL user with login and then open this user's properties it will display asWindows user type, not theSQL user with login:

Thank you in advance,

Michael

Cannot bulk load because the file could not be opened. Operating system error code 5(Access is denied.)

January 28, 2016, 1:03 am
$
0
0

I'm facing an issue with my SSIS deployment. This is the first time i'm going with this architecture. (Earlier this worked fine in other environments). Let me explain how the new environment has built. 

We can considering Two Azure servers (Server A andServer B) in this scenario.

Server A resides the CSV files and SSIS package deployed. 

From the SSIS Job referring  a database which resides in Server B. (Basically,  CSV file path and all other configurations also containing in this particular database ).

 So, when the SSIS package runs it execute an Stored Procedure inServer B database and refer the CSV file path (which is a network path to read the file inServer A)

Even though the package succeed it writes following error to error Log tables. 

Cannot bulk load because the file "\\ServerA\CSVFilesFolder\Data\AWD_01-20-2016_17.20.csv" could not be opened. Operating system error code 5(Access is denied.).User Name: NISALMG\S-SQLAGENTSTG Schema Name:dbo

So far I have tried by,

  • giving the bulkadmin  role to the user which is run SQL Agent job. 
  • Grant the full permission for the folder \\ServerA\CSVFilesFolder\ for the user NISALMG\S-SQLAGENTSTG

But still I'm getting the same error. 

Any thoughts regarding this issue. Really appreciate for your help.

Thanks !

-Nisal 

User Access to Database Files and Folders

January 12, 2016, 2:39 am
$
0
0

We have migrated to Windows Server 2012 R2 from Windows Server 2008 R2 SP1 and running SQL Server 2012 SP2 CU6. In reviewing the Windows Event Logs, I am finding where a domain service account running an application is accessing the folders and database files for SQL Server databases.  I was under the impression that only the account running the database engine (NT Service\MSSQLSERVER) would need access to the database files and folders.  The process that was accessing the database files and folders was sqlservr.exe

Is there any known situation where a user would need to access the database files and folders?

See Below.

DJ

.





SQL agent error: for couple of jobs out of hundreds and random Unable to connect to SQL Server '(local)'. The step failed.

January 28, 2016, 10:14 am
$
0
0

This started happening in our environment mainly after windows patching I believe.

Duration         00:00:00

Unable to connect to SQL Server '(local)'. The step failed.

Firstly not sure what triggered this, only couple of Random jobs fail(they run good again in next run) out of 1000 scheduled.

What setting I need to change so Agent will not timeout rightaway so it can try connecting to server instead of failing right away?

Duration         00:00:00

What could have triggered the issue and what would be the solution?

Unable to connect to SQL Server '(local)'. The step failed.

Raju

How to Send Alert to DBA for any occurence of EventID 1015

January 29, 2016, 9:48 am
$
0
0

Trying to monitor a Kerberos event that triggers a server shut down.  Believe error is fixed (SQL 2012 S2 running on Windows 2008 R2). 

Need to know if an additional event is triggered - effort is to have someone on the SA team immediately respond.  

Extended Events doesn't appear to have a method for tracking a specific event. Or if so, not sure how the "user_event" works.

Perfmon seems okay to count events but filtering for something specific is a bit more challenging.  I suspect I can just hinge on a database_stopped event in the extended_events as it is one of the symptoms associated with our issue.    If there is a method available to filter for just the one EventID (1015) in the log, it would be preferable.  The user_event looks like it may be right but seems lacking for a filter for the eventid.   I suspect it is not the right tool. 

Reference https://msdn.microsoft.com/en-us/library/ff878264(v=sql.110).aspx

Also looking at the Windows Resource Manager - it may not be available on this server's build.

TIA,

Jamie

--CREATE EVENT SESSION [LSA Event Kerberos Monitor] ON SERVER
--ADD EVENT sqlserver.user_event(
--    ACTION(sqlserver.server_instance_name))
--WITH (STARTUP_STATE=ON)
--GO


USE MASTER;
GO
SELECT DISTINCT
   tb.trace_event_id,
   te.name AS 'Event Class',
   em.package_name AS 'Package',
   em.xe_event_name AS 'XEvent Name',
   tb.trace_column_id,
   tc.name AS 'SQL Trace Column',
   am.xe_action_name as 'Extended Events action'
FROM (sys.trace_events te LEFT OUTER JOIN sys.trace_xe_event_map em
   ON te.trace_event_id = em.trace_event_id) LEFT OUTER JOIN sys.trace_event_bindings tb
   ON em.trace_event_id = tb.trace_event_id LEFT OUTER JOIN sys.trace_columns tc
   ON tb.trace_column_id = tc.trace_column_id LEFT OUTER JOIN sys.trace_xe_action_map am
   ON tc.trace_column_id = am.trace_column_id
WHERE em.xe_event_name='user_event'
ORDER BY te.name, tc.name






Search

SYSTEM suddenly changed to ANONYMOUS LOGON after update

January 14, 2016, 12:27 pm
$
0
0

After installing recent windows updates on a server, a script that accessed SQL server from the SYSTEM account suddenly gets rejected with "Msg 18456 ... ANONYMOUS LOGON".  This is a much simpler scenario than what I have seen in other threads.

There is no domain, this is a standalone server outside the firewall.

This is not really a network access, everything happens on one server.

Both server OS and SQL Server are version 2008 R2.

This access is from a scheduled task (Windows Scheduler, AT command) running as Local System .

A similar machine which hasn't received the same Windows updates doesn't fail.

Here is a simplified proof-of-concept batch file demonstrating the problem:

------- Typed this in because IE refuses to let me paste in this forum -------
SET COMPUTER >%TMP%\testout.txt 2>&1
SET USER >>%TMP%\testout.txt 2>&1
whoami >>%TMP%\testout.txt 2>&1
sqlcmd -Q "USE master;" >>%TMP%\testout.txt 2>&1
------- End of file -------

Ran this with the command

AT hh:mm "C:\Windows\Temp\test.bat"

and then waited until hh:mm to grab testout.txt.

Output on computer where this fails (I replaced computer name with BAD and workgroup name with CONTOSO):

------- Typed this in because IE refuses to let me paste in this forum -------
COMPUTERNAME=BAD
USERDOMAIN=CONTOSO
USERNAME=BAD$
USERPROFILE=C:\Windows\system32\config\systemprofile
nt authority\system
Msg 18456, Level 14, State 1, Server BAD, Line 1
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
------- End of file -------

Output on very similar computer with fewer windows updates applied (I replaced computer name with GOOD and workgroup name with CONTOSO):

------- Typed this in because IE refuses to let me paste in this forum -------
COMPUTERNAME=GOOD
USERDOMAIN=CONTOSO
USERNAME=GOOD$
USERPROFILE=C:\Windows\system32\config\systemprofile
nt authority\system
Changed database context to 'master'.
------- End of file -------



What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH)

April 24, 2014, 1:06 am
$
0
0

Hi,

I just want to know,

What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH).

if support already,

how can i setting.

plz.  help me!!! 

CDC change data capture issue with new line characters

February 1, 2016, 11:11 am
$
0
0
I have enabled CDC on a table that contains a large nvarchar field with data that contains new line/carriage control characters.  For some reason, CDC picks these records up as updates (3, 4) and displays the original field value as NULL and the updated value displays the actual data.  These same records are captured over and over making the CDC output table very large and inaccurate.  Is there any way to get around this issue?  Any assistance is greatly appreciated.

Automate database encryption

January 31, 2016, 6:53 am
$
0
0

I have a web application.

Customers can sign up to get access to the application. All of the customers data is sensitive and needs to be encrypted. I use a SQL Server. And each customer has his own database.

I been looking at SQL Server Transparent Data Encryption (TDE). The only problem is that i need the signup process to be automated. So when the user sign up he can start working right away. When i read about TDE it looks like you have to manuel set up the database.

What is the best way to accomplish my needs?

Regards Jakob

Extended Events in SQL - Cannot Read Event Stream

February 1, 2016, 6:50 pm
$
0
0

I'm running 11.0.5058 (SQL 2012).  I was made to believe that in order to manage extended events, I needed server permissions as follows:

ALTER ANY EVENT SESSION 

However, In my application this does not allow me to read an event stream based on the event session.

ie.  I can successfully do as follows :

CREATE EVENT SESSION

and then :

ALTER EVENT SESSION


But this fails (from Microsoft.SqlServer.XEvent.Linq):

                QueryableXEventData StreamObj = new QueryableXEventData(
                    ThreadStartInfo.SqlServerConnectionString,
                    ThreadStartInfo.SessionName,
                    EventStreamSourceOptions.EventStream,
                    EventStreamCacheOptions.DoNotCache);

                // Iterate through each events
                foreach (PublishedEvent EventObj in StreamObj) ...

Internally it is generating a SELECT statement as follows,  I can send this as a SQL command from .Net and get the same permissions error as when I try to create the stream above..

SELECT type, data FROM sys.fn_MSxe_read_event_stream

Any help would be much appreciated.  The only workaround I have for now is granting "CONTROL SERVER ".

 

Connect SQL permission works when directly assigned to a login, but not when it's in a User-Defined Server Role

February 2, 2016, 5:21 pm
$
0
0

Hello,

I'm getting ready for an audit, and one of the STIGs indicates that permissions are not allowed to be assigned directly to logins/users; instead they have to be granted via server/database roles. I created a server role called CONNECT_SQL assigned it CONNECT SQL permission. Then I added logins to the role.  This works fine on all but one of my servers. The problem server's main database has all of its user objects (tables, views, sp's) belonging to a schema other than dbo, and I'm guessing this is relevant. The schema for all the user objects on the working servers is dbo in all the databases.

When I assign the login CONNECT SQL permission directly on the problem server everything works perfectly, but when I remove the CONNECT SQL permission and make the login a member of the CONNECT_SQL server role it can't connect.   I checked the permissions for the public role, and I didn't see any DENYs (although I'm assuming that anything in public that prevented the role from working would also prevent the direct permission assignment from working).  The login that's having the problem is using Windows authentication.  Not sure whether it matters, but I'm using SQL Server 2012 SP3 Enterprise Edition. I had the same problem on SQL Server 2005 last year before we upgraded to 2012.  Is there something I need to do with the non-dbo schema to allow the server role to work?

Thanks in advance for your assistance,

Mike

Can't connect to SQL Server 2014 when TLS 1.0 is disabled.

June 24, 2015, 11:43 am
$
0
0

After installing SQL Server 2014 SP1 CU1 (build version 12.0.4416.1) the SQL Server service no longer fails to start when TLS 1.0 is disabled, but no matter what I have tried I can't successfully connect to the database.

When trying connect using shared memory I get this message:

A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - No process is on the other end of the pipe.) (Microsoft SQL Server, Error: 233)

And if I tryTCP/IP or Named Pipes I get this:

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified) (Microsoft SQL Server, Error: -1)

TLS 1.1 and TLS 1.2 are enabled on the computer and working fine for IIS.

Any Ideas on what I can do to get SQL Server to work successfully with TLS 1.2 or is it still just not supported yet?

Search

How do I create Satabase Role to be part of all db_datareader database role?

February 3, 2016, 7:33 pm
$
0
0

Hello,

I'm Windows Admin and I understand SQL permissions has somewhat familiar hierarchy of Logins and Roles Mapping to "users" and "groups" in OS.

What I want to accomplish is to have Server Role which is called "Read Only Role" which will provide same level of access as "db_datareader" for each database on that server. So when new QA engineer say joins I just need to create login for him on Server and add him to "Read Only Role" without neccesity of mapping him to individual daftabases etc.

Is it possible to do or what is the best way to accomplish something like that?

SQL Server Audit - parsing event id 33205

February 4, 2016, 6:50 am
$
0
0

Hello!

I enabled auditing of the INSERT operation on PRINTERS table in one of my databases (to Security log) and can't understand the following: when I execute the first INSERT after connecting to the db the event 33205 contains all information it should have, but any subsequent insert operations produce events 33205 that contain blank database_principal_name, object_name and statement fields:


Is this behaviour by design?

Thank you in advance,

Michael

SSIS User Rights Assignment

February 5, 2016, 3:58 am
$
0
0

We are currently running SQL Server 2012 SP2 CU6 on Windows Server 2012 R2, and I am updating our security documentation based on what is currently running in our production environment following a successful migration from Windows Server 2008 R2 and SQL Server 2012 SP2 CU1.

I have noticed that SSIS only has the Logon as a service right on our servers, and SSIS appears to be running correctly.  We currently run SSIS Packages from the file system.   The following URL lists SSIS should have the Bypass traverse checking, Impersonate a client after authentication and Logon as a service right.

https://msdn.microsoft.com/en-us/library/ms143504%28v=sql.110%29.aspx#Windows

Did Windows Server 2012 R2 introduce virtual accounts that provide the same user rights to a service without having to specify a specific service name? Once virtual account I have noticed is the NT Service\Service.

I am wondering whether I should go ahead and add the specific user rights to the SSIS account, or update our documentation to reflect that SSIS doesn't need the impersonate a client after authentication right, and the bypass traverse checking user right.

Any information would be appreciated.

DJ

Help me to implement a hierarchy Raw Level Security

February 5, 2016, 3:46 am
$
0
0

Hi all

I am newbie on administer and security SQL Server 2014 and my first task surpasses me so I need your help.

I need to implement a system security based in a hierarchical permissions. I have four groups (e.g. : group A: Sellers (they can see only your data),
group B.Supervisors (they can see data from their vendors), group C. Area supervisors (they can see the data from ther supervisors) and finally group A.the heads 
(obviously they can see all).

all users are authenticated through the Windows Active Directory within a Citrix platform.

At the first moment they access data using excel and pivot tables, nobody will connect directly through SMS.

I have read a CLS whitepaper and try to implement with the label policy designer but for any reason the tblUniqueLabel table doesn´t populute so when I create the view I find an empty table.

So at this momment I unable to implement this type of solution, so I don´t now if I can combine nested roles with RLS.

In short, I need someone to light me 

Regards

Schema compare fails in VS2015 - MS_DatabaseMasterKey

February 8, 2016, 2:16 am
$
0
0

When I try to run a schema comparison using SQL Server tools in Visual Studio 2015 I get the following error:

The element ##MS_DatabaseMasterKey## is not supported in Microsoft Azure SQL Database v12.

I know the use of external tables in Azure SQL DB is a fairly new technology however I think it should still work in Visual Studio. 

Any support you can provide would be appreciated. 

Scott Adams

Viewing all 3042 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>