I have a new installation of SQL 2016 Standard and I ran a Sysinternals utility that lists all the active logons to the server . I noticed several logins from user accounts SQLSERVER1 , SQLSERVER2 etc.. all the way to 14. They login to a local user group (which I did not create) called SQLRUserGroup
Can someone confirm that this is a breach ? thanks so much
A
Hello,
Every time I get updates I continue to select SQL Server 2012 Service Pack 3 (KB3072779) update
and it continues to fail with WindowsUpdate_84BE0BCE" "WindowsUpdate_dt000" Any suggestions as to
how to get it to update successfully?
Thanks
Hello guys,
I've been trying to set up a SQL DB on azure, but I got stuck on the Firewall and 40615 Error, which says that my IP is not allowed.
I tried to open the database also in Visual Studio, which is clever enough to add my client address, but this results to an infintie loop of adding my IP again and again.
I also tried to add a range of IP addresses, just to make sure, but still nothing.
I followed this article:
Configure an Azure SQL Database server-level firewall rule using the Azure Portal
and I also checked video tutorial "Azure SQL Database Firewall".
But with no luck, simply the firewall seems not to work as shown in the video and the article.
Since this is the first time I'm playing with database on azure, I hope I haven't done some silly mistake, but I don't exclude this possibility. It has been discussed here serveral time, but I wasn't able to find anything that would help me to solve this problem.
Many thanks for any help or ideas in advance,
Radim
i created a login and created a user for the login in that database also i granted execute permissions to 6 stored procedures ,but the user is able to execute all the stored procedure now,
i did all the above using TSQL and 100% sure no additional permission is given
also cross db chaining is enabled for this database alone in this instance not user whether this will be a reason
how to Execute permission on xp_msver for the finction ad say ab/my_prod_id
Kindly assist
k
hi GUyz
i need to know how to execute this request please
Add permission to the func id (ab\my_prod_id); permission needed is “Execute permission on xp_msver”
Regards
k
Hello. I was under the impression that I could create a server role that say, granted read-only permissions to all non-system DBs on a server. But that seems to not be the case. There's no option to add db_datareader into a server role. We still have grant someone db_datareader in every DB either in the GUI or via an sp_msforeachdb statement. Is that right? Guess I'm not quite grasping this.
Ken
We're in the process of deploying SQL Server 2014 in our processing environment. As part of that deployment, I've been performing a security audit on a fresh install of SQL Server. One of the requirements of the audit is to validate the file permissions on all files that are part of the SQL installation. To that end, I wrote a small Powershell script (Powershell is awesome!) that crawls all the files and folders, checking for any abnormal file permissions. Almost all of the permissions were in line with what I expected (Full control for system/admins, read/execute for users, etc). However, I ran across one entry that seems odd to me.
On [Voume Letter]:\Program Files\Microsoft SQL Server\[Instance Name]\MSSQL\Binn\atxcore.dll, the SQL Server service account (In my case, NT Service\MSSQLServer) has permission to change permissions (i.e. Write DAC).
While I could just remove the permissions, I'm a little hesitant to do so without any understanding of why it's there in the first place.
So, does anyone know why would the SQL Server service account need the ability to dynamically adjust the permissions of this file? Can anyone else confirm this is the case on their installation of SQL Server 2014?
Thanks.
Dear Helper,
I get this error message from event viewer. When I start a job using SQL Server Agent for SQL Server 2014 SP1 in Windows 2012 R2 with Windows local administrator account.
This problem may cause by I change the server name before.
eg.
Old Name:
TestingServer
- Windows local administrator account: TestingServer\administrator
New Name:
ProductionServer
-Windows local administrator account: ProductionServer\administrator
How to solve this problem? Please advise. Thank you.
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 26/8/2016 9:40:00
Event ID: 10016
Task Category: None
Level: Error
Keywords: Classic
User: NT SERVICE\SQLSERVERAGENT
Computer: ProductionServer
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{806835AE-FD04-4870-A1E8-D65535358293}
and APPID
{EE4171E6-C37E-4D04-AF4C-8617BC7D4914}
to the user NT SERVICE\SQLSERVERAGENT SID (S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified
using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="0">10016</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2016-08-26T01:40:00.603574700Z" />
<EventRecordID>78567</EventRecordID>
<Correlation />
<Execution ProcessID="632" ThreadID="27796" />
<Channel>System</Channel>
<Computer>ASWGROUPERP</Computer>
<Security UserID="S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430" />
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Activation</Data>
<Data Name="param4">{806835AE-FD04-4870-A1E8-D65535358293}</Data>
<Data Name="param5">{EE4171E6-C37E-4D04-AF4C-8617BC7D4914}</Data>
<Data Name="param6">NT SERVICE</Data>
<Data Name="param7">SQLSERVERAGENT</Data>
<Data Name="param8">S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
<Data Name="param10">Unavailable</Data>
<Data Name="param11">Unavailable</Data>
</EventData>
</Event>
Hi,
I tried to backup the master key by the following syntax :
OPEN MASTER KEY DECRYPTION BY PASSWORD ='mypassword'
BACKUP
MASTER KEYTOFILE='c:\temp\master' ENCRYPTION BY PASSWORD ='mypassword'but it failed and i got the following message:
Cannot write into file 'c:\temp\master'. Verify that you have write permissions, that the file path is valid, and that the file does not already exist.
NB: I am using the "sa" user to execute this command.
I know that we have a security permission issue , but where and how ?
Regards,
Tarek Ghazali
SQL Server MVP
Hi
I am not so much expertise in SQL Server.
I want to do
1. Secure database with a password.
2. Only be accessable with that password.
3. Not to be accessed with windows authentication mode.
The thing is client also uses SQL Server management studio and I don't want to share/view the structure of the database.
Kindly suggest
I currently implemented the use of certificates for SP's and have a question on how to get the account mapped to a linked server.
http://www.sommarskog.se/grantperm.html
When I try and add the login to linked server impersonation it fails and says the account doesn't exist. A lot of the stored procedures that are signed with a certificate use a linked server connection to pull data.
EXEC master.dbo.sp_addlinkedsrvlogin @rmtsrvname=N'remote_server',@useself=N'False',@locallogin=N'sql_cert_login',@rmtuser=N'linkedserver_acct',@rmtpassword='########'
Thanks!
My company wants to check if all certificates we use are updated to SHA-2. For SQL Servers one place I can think of is the TDE certificates (we only use the certificates created by CREATE CERTIFICATE). The questions I have -
1. How can I check the hash algorithm in these certificate. (Tried BACKUP CERTIFICATE to hard drive as filename.cer, and then double click to open. It gives an error "access denied")
2. If there is a way to check the hash algorithm, is there a way to upgrade it to SHA-2? (suppose it uses SHA-1 now)
Any suggestions would be highly appreciated.
Good morning everybody.
I am trying to learn about Role Based Access Control and I found an understandable model:
But I do not know if it is o. k. to implements thiks like a role may contain other role (I know that I can do it if the roles table is hierarchyID type) I think.
1o.- Is this model enought to implements thiks like in SQL Server utility "View Dependencies"?
2o.- Is this model enought to implements thiks like in SQL Server "GRANT" and "DENY"?
If the answer is no, which changes I have to do to this model to manage those scenarios?
Here is the creation code for this model:
SET ANSI_NULLS ON GO SET QUOTED_IDENTIFIER ON GO CREATE TABLE [dbo].[users] ( [user_id] [int] NOT NULL, [username] [varchar](40) NOT NULL, [password] [varchar](64) NOT NULL, [nonce] [datetime] NOT NULL, PRIMARY KEY CLUSTERED ( [user_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO ALTER TABLE [dbo].[users] ADD DEFAULT (GETDATE()) FOR [nonce] GO CREATE TABLE [dbo].[roles] ( [role_id] [int] NOT NULL, [name] [varchar](100) NOT NULL, PRIMARY KEY CLUSTERED ( [role_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO CREATE TABLE [dbo].[user_role] ( [user_id] [int] NOT NULL, [role_id] [int] NOT NULL, PRIMARY KEY CLUSTERED ( [user_id] ASC, [role_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO ALTER TABLE [dbo].[user_role] WITH CHECK ADD CONSTRAINT [role_user_role] FOREIGN KEY ([role_id]) REFERENCES [dbo].[roles]([role_id]) GO ALTER TABLE [dbo].[user_role] CHECK CONSTRAINT [role_user_role] GO ALTER TABLE [dbo].[user_role] WITH CHECK ADD CONSTRAINT [user_user_role] FOREIGN KEY ([user_id]) REFERENCES [dbo].[users] ([user_id]) GO ALTER TABLE [dbo].[user_role] CHECK CONSTRAINT [user_user_role] GO CREATE TABLE [dbo].[sessions] ( [session_id] [int] NOT NULL, [user_id] [int] NOT NULL, [name] [varchar](64) NOT NULL, [created] [datetime] NOT NULL, PRIMARY KEY CLUSTERED ( [session_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO ALTER TABLE [dbo].[sessions] ADD DEFAULT (GETDATE()) FOR [created] GO ALTER TABLE [dbo].[sessions] WITH CHECK ADD CONSTRAINT [users_sessions] FOREIGN KEY ([user_id]) REFERENCES [dbo].[users]([user_id]) GO ALTER TABLE [dbo].[sessions] CHECK CONSTRAINT [users_sessions] GO CREATE TABLE [dbo].[operations] ( [operation_id] [int] NOT NULL, [name] [varchar](100) NOT NULL, PRIMARY KEY CLUSTERED ( [operation_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO CREATE TABLE [dbo].[objects] ( [object_id] [int] NOT NULL, [name] [varchar](100) NOT NULL, PRIMARY KEY CLUSTERED ( [object_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO CREATE TABLE [dbo].[permissions] ( [permission_id] [int] NOT NULL, [name] [varchar](100) NOT NULL, PRIMARY KEY CLUSTERED ( [permission_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO CREATE TABLE [dbo].[role_permission] ( [role_id] [int] NOT NULL, [permission_id] [int] NOT NULL, PRIMARY KEY CLUSTERED ( [role_id] ASC, [permission_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO ALTER TABLE [dbo].[role_permission] WITH CHECK ADD CONSTRAINT [permission_role_permission] FOREIGN KEY ([permission_id]) REFERENCES [dbo].[permissions]([permission_id]) GO ALTER TABLE [dbo].[role_permission] CHECK CONSTRAINT [permission_role_permission] GO ALTER TABLE [dbo].[role_permission] WITH CHECK ADD CONSTRAINT [role_role_permission] FOREIGN KEY ([role_id]) REFERENCES [dbo].[roles]([role_id]) GO ALTER TABLE [dbo].[role_permission] CHECK CONSTRAINT [role_role_permission] GO CREATE TABLE [dbo].[session_role] ( [role_id] [int] NOT NULL, [session_id] [int] NOT NULL, PRIMARY KEY CLUSTERED ( [role_id] ASC, [session_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO ALTER TABLE [dbo].[session_role] WITH CHECK ADD CONSTRAINT [role_session_role] FOREIGN KEY ([role_id]) REFERENCES [dbo].[roles] ([role_id]) GO ALTER TABLE [dbo].[session_role] CHECK CONSTRAINT [role_session_role] GO ALTER TABLE [dbo].[session_role] WITH CHECK ADD CONSTRAINT [session_session_role] FOREIGN KEY ([session_id]) REFERENCES [dbo].[sessions] ([session_id]) GO ALTER TABLE [dbo].[session_role] CHECK CONSTRAINT [session_session_role] GO CREATE TABLE [dbo].[permission_operation] ( [permission_id] [int] NOT NULL, [operation_id] [int] NOT NULL, CONSTRAINT [PK_permission_operation] PRIMARY KEY CLUSTERED ( [permission_id] ASC, [operation_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO ALTER TABLE [dbo].[permission_operation] WITH CHECK ADD CONSTRAINT [operations_permission_operation] FOREIGN KEY ([operation_id]) REFERENCES [dbo].[operations]([operation_id]) GO ALTER TABLE [dbo].[permission_operation] CHECK CONSTRAINT [operations_permission_operation] GO ALTER TABLE [dbo].[permission_operation] WITH CHECK ADD CONSTRAINT [permissions_permission_operation] FOREIGN KEY ([permission_id]) REFERENCES [dbo].[permissions] ([permission_id]) GO ALTER TABLE [dbo].[permission_operation] CHECK CONSTRAINT [permissions_permission_operation] GO CREATE TABLE [dbo].[object_permission] ( [object_id] [int] NOT NULL, [permission_id] [int] NOT NULL, CONSTRAINT [PK_object_permission] PRIMARY KEY CLUSTERED ( [object_id] ASC, [permission_id] ASC ) WITH ( PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON ) ON [PRIMARY] ) ON [PRIMARY] GO ALTER TABLE [dbo].[object_permission] WITH CHECK ADD CONSTRAINT [objects_object_permission] FOREIGN KEY ([object_id]) REFERENCES [dbo].[objects] ([object_id]) GO ALTER TABLE [dbo].[object_permission] CHECK CONSTRAINT [objects_object_permission] GO ALTER TABLE [dbo].[object_permission] WITH CHECK ADD CONSTRAINT [permissions_object_permission] FOREIGN KEY ([permission_id]) REFERENCES [dbo].[permissions] ([permission_id]) GO ALTER TABLE [dbo].[object_permission] CHECK CONSTRAINT [permissions_object_permission] GO --DROP TABLE [dbo].[object_permission] --GO --DROP TABLE [dbo].[permission_operation] --GO --DROP TABLE [dbo].[session_role] --GO --DROP TABLE [dbo].[role_permission] --GO --DROP TABLE [dbo].[permissions] --GO --DROP TABLE [dbo].[objects] --GO --DROP TABLE [dbo].[operations] --GO --DROP TABLE [dbo].[sessions] --GO --DROP TABLE [dbo].[user_role] --GO --DROP TABLE [dbo].[roles] --GO --DROP TABLE [dbo].[users] --GO
Thanks a lot for your valuable help.
Regards,
Jamesit0
We created a SQL Login account for reporting use only (SSRS), we'll call it 'MyReportAcct'.
We've used this account for some time and it is created for every newly installed instance. It has been working as you'd expect, except on a couple of mirrored instances. I've not seen this issue on any standalone instances in my environment.
Randomly, reports will stop working and there is nothing being changed based on our internal processes for Change Management, Windows Logs, and SQL Error logs. Here are two of the error messages we receive:
Upon investigation of the account, it shows up under the Security object folder in SSMS. Also, we find that the account is associated to all the databases under User Mapping for the account properties. I've verified that 'MyReportAcct' has public and db_datareader, so on the surface every looks as expected.
The rub comes when I try to alter the account or remove the mappings. I'm met with:
What I've had to do to fix the issue is delete every instance of 'MyReportAcct' on the server, then recreate it, then add to each database. This doesn't happen all the time, but often enough that it is irritating. Further, we shouldn't have to do this at all.
I think that we should change this account to an Windows Account instead of a local SQL Login in every instance. I have a feeling that this might fix the issue, but I need to prove why or provide a reasonable answer. I think part of the problem is the mirroring in some way, but I don't know how to prove that either.
Security is a weakness of mine and I'm employing steps to change this, so any insight you can provide would be greatly appreciated. Please let me know if you need more information.
There is always a way...
I am doing some testing of utilizing our EKM for encrypting our databases with TDE, but I am running into a strange error, where the database encryption key is corrupted when it is created. We are currently using Safenet on SQL Server 2014 Enterprise. Here are all of the steps that were performed as recommended by their documentation:
CREATE CRYPTOGRAPHIC PROVIDER safenetSQLEKM FROM FILE = 'C:\SQLEKM\safenetsqlekm.dll'; CREATE CREDENTIAL TestEKMCred WITH IDENTITY = 'TestEKM', SECRET = '<password>' FOR CRYPTOGRAPHIC PROVIDER safenetSQLEKM; ALTER LOGIN SA ADD CREDENTIAL TestEKMCred; CREATE ASYMMETRIC KEY EKMLoginKey FROM PROVIDER safenetSQLEKM WITH PROVIDER_KEY_NAME = 'TestEKMAKey', CREATION_DISPOSITION = OPEN_EXISTING; CREATE CREDENTIAL TestEKMTDECred WITH IDENTITY = 'TestEKM', SECRET = '<password>' FOR CRYPTOGRAPHIC PROVIDER safenetSQLEKM; CREATE LOGIN SafeNetEKM FROM ASYMMETRIC KEY EKMLoginKey; ALTER LOGIN ADD CREDENTIAL TestEKMTDECred; CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<password>'; CREATE DATABASE TestEKM; USE TestEKM; CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER ASYMMETRIC KEY EKMLoginKey;
Although I do not receive any error output or see any errors in the event log, in Profiler I see the following error generated:
Database encryption key is corrupted and cannot be read.
If I attempt to enable encryption on the database, it will set the state to Encrypting, with a progress of 0% forever.
Has anyone seen this kind of error, or used Safenet for TDE? Or any EKM for that matter - I am not finding a lot of online resources for this.
Thanks!
Brandon
Hi,
I have a SQL login it has sysadmin permissions, when i connect to SQL instance with this login everything works fine.
if i remove sysadmin from Sql login it although all the databases associated with the logon has data reader and data writer the databases are inaccessible
what are least permissions to access the databases without sysadmin for SQL user.
thanks
Ranjith.
Lessandro Zampieri - http://lezampieri.com