Channel: SQL Server Security forum

Set-SqlColumnEncryption throwing exception in Windows 2012 R2


Hi,

I am using

1) System 1: Windows Server 2012 R2 and installed .NET Framework 4.6.1 on it, PowerShell version 5. Now I am trying to execute the PowerShell scripts from here, which connects to a

2) System 2: Windows 2012 Server R2, having SQL Server 2016 installed

3) My purpose is to encrypt the columns using powershell

4) I have connected to Powershell console using Administrator login in system 1 and database is successfully connected, since I debugged the code in powershell ISE and checked the same. 

5) I have installed the Master Key certificate in System 1 and already created the "Master Key" metadata CMK1 and "Encryption Key" CEK1 in the database server successfully

6) I am getting exception as follows

==============================================================

Set-SqlColumnEncryption : The type initializer for 'Microsoft.SqlServer.Management.AlwaysEncrypted.Types.AlwaysEncryptedManager' threw an 
exception.
At C:\DB\RMD_Customer_Encyption_DBA_Part.ps1:35 char:1
+ Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSetti ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-SqlColumnEncryption], TypeInitializationException
    + FullyQualifiedErrorId : System.TypeInitializationException,Microsoft.SqlServer.Management.PowerShell.AlwaysEncrypted.SetColumnEncryption

=====================================================================

Source code is

# Obtain the location of the column master key and the encrypted value of the column encryption key from your Security Administrator, via a CSV file on a share drive.
$keyDataFile = "C:\db\keydata1.txt"
$keyData = Import-Csv $keyDataFile

# Import the SqlServer module
Import-Module "SqlServer"

# Connect to your database.
$serverName = "IN1"
$databaseName = "ABC"
$password = "Admin1234"
$connStr = "Data Source=IN1;Initial Catalog=ABC;User ID=sa;Password=Admin1234;MultipleActiveResultSets=False;Connect Timeout=30;Encrypt=False;TrustServerCertificate=False;Packet Size=4096;Column Encryption Setting=Enabled"
#$connStr = "Server = " + $serverName + "; Database = " + $databaseName + "; Integrated Security = True"
$connection = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
$connection.ConnectionString = $connStr
$connection.Connect()
$server = New-Object Microsoft.SqlServer.Management.Smo.Server($connection)
$database = $server.Databases[$databaseName]


# Encrypt the selected columns (or re-encrypt them, if they are already encrypted using keys/encryption types different from the specified keys/types).
$ces = @()
$ces += New-SqlColumnEncryptionSettings -ColumnName "dbo.Customer.FirstName" -EncryptionType "Deterministic" -EncryptionKey "CEK1"
$ces += New-SqlColumnEncryptionSettings -ColumnName "dbo.Customer.LastName" -EncryptionType "Deterministic" -EncryptionKey "CEK1"
Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSettings $ces


Windows sysadmin access to SQL Server ?


Hello, if Domain\User_a who creates a VM at the Windows OS server level...is that particular domain user able to access SQL Server as a sysadmin role by default after SQL Server was installed by a different Domain\User_b OS level sysadmin?

Thanks in advance.

Symmetric Encryption - Creating Passwords


Hi there,

I have a question regarding passwords when creating a symmetric encryption key.

To generate the symmetric encryption key I am following the approach of creating a "Database Master Key" then a "Certificate" then the "Symmetric Key".

I am backing up both the database master key and the certificate using a password.

This will be replicated on a number of different databases and I am concerned about the number of passwords that will be needed and the possibility of losing a password and therefore making the encrypted data inaccessible if I need to restore or move the database.

The passwords that need to be created would be for the database master key password, database backup master key password and the certificate password.

Is it best practice to keep all these passwords unique as opposed to using the same password for each one?

Thanks!

   


SQL Server Developer Edition - SQL 2008 & 2012 details required


Hi Team,

One of my clients is using SQL 2012 Standard edition & SQL 2008 R2 Standard edition for the UAT environment. To cut costs they were planning to migrate to SQL 2012 Developer edition & SQL 2008 R2 Developer edition, assuming it's free, but I said it's not completely free.

I need some supporting details regarding licensing of the Developer edition of SQL 2008 R2 & 2012 versions. Can we really save cost on the UAT environment over SQL Standard edition? One server is a cluster and another is standalone.

Also I need the list of limitations of using Developer edition over Standard edition.

thank you


hemadri

Server Error 15404

SQL Service Agent Password Reset Issue - Could not obtain information about Windows NT group/user error code 0x5. [SQLSTATE 42000] (Error 15404)).


When we reset a SQL Service Account (domain joined) password, we do so using our PAM/Password Vault application. That PAM/Vault reaches out to Active Directory via a proxy server, and sets the new password. It also reaches out to the server that is running SQL Services (MSSQLSERVER, SQLSERVERAGENT), and puts the new password into the services. We then do not auto-restart the services then and there (as this would cause a production outage). We wait for the servers to get patched or have a reboot scheduled for updates, and just let them restart the server (which in theory is our replacement for restarting the 2 sql services). Unfortunately, this has become an issue this year. This doesn't appear to happen every time, but about half of the time we run into the issue of the service failing to authenticate after we place the new password into the services (and don't immediately restart the server or restart the services).

From the SQL Server - The job failed.  Unable to determine if the owner (Domain\UsernameHere) of job randomJobNameHere has server access (reason: Could not obtain information about Windows NT group/user 'Domain\UsernameHere', error code 0x5. [SQLSTATE 42000] (Error 15404)).

From the server running the 2 SQL services within an hour after setting the new password via PAM/Vault (when the SQL job tried to run)...

Failure Information:
Failure Reason:An Error occured during Logon.
Status: 0xc000018d
Sub Status: 0x0

Process Information:
Caller Process ID:0x630
Caller Process Name:C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe

From the server running the 2 SQL services ~3 hours after setting the new password via PAM/Vault (when the SQL job tried to run again)...

Failure Information:
Failure Reason:Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process ID:0x630
Caller Process Name:C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe

Last year we used to reset passwords this way, and didn't have any issues. At that time we were using CyberArk as our PAM/Vault solution, and this year we are using CA PAM as our solution, although I don't see how the PAM/Vault solution would cause the problem. Is there some sort of caching issue taking place from an AD perspective? What about a caching related thing with SQL Service? Is it a requirement now to restart the SQL Services after changing the password for the domain joined service account running them?

Thanks.


SQL version 17.9.1 is not available in WSUS

I have a WSUS server configured, but it does not have SQL version 17.9.1 listed. I can see only 17.4 listed. Nothing beyond that is available. Under WSUS products and classification, SQL Server Feature Pack is selected. Are there any more configurations to be done on WSUS?

CorYos

SQL View - Access problems


Hi, hoping someone can help me with a problem I am facing. I have a SQL server with some databases in production use and everything is working. I need to provide a user access to a particular subset of data from one of the databases and to achieve this I have created an SQL view.

I added a login for the user (a domain user) with server role of public and no direct user mappings

I have then added a select permission on the view itself. If I authenticate as the user in SSMS I can see the DB but not expand to the view. Manually running the query select * from view returns The server principal domain\user is not able to access the database "DB" under the current security context.

If I follow the same process on other views in other databases it seems to work as I'm expecting, but the views weren't created by me in that instance.

Does it sound reasonable to assume this is a problem with this database only and if so what could the issue be? As a test I did grant the user dbreader on that DB that didn't make any difference to the ability to see the view, db owner did of course give full access

Thanks


 

query to see all databases to which a user has access


I need a simple script that will list all of the databases to which a particular user has access. We have over 100 databases on our server, and around 300 users. Yes, I know I can get this info by right-clicking the login in SQL Management Studio. But I'm not looking for a GUI solution. I need a SQL statement (or script) that will produce a list of databases.

Thank you.

please let me know which algorithm the dynamic data masking feature uses


Good Morning Experts,

Could you please let me know which algorithm the dynamic data masking feature uses


Kiran

Unable to install KB4057114 SQL Server 2008 manually


Hi, I am trying to install  KB4057114 SQL Server 2008 manually to address vulnerabilities.

The Vulnerability summary is ADV180002: Microsoft SQL Server January 2018 Security Update (Meltdown)(Spectre)

When I try to install the KB manually, in the Select features tab it shows "The Version of SQL Server instance SQLEXPRESS does not match the version expected by the SQL Server update. The installed SQL Server product version is 10.3.5500.0, and the expected SQL Server version is 10.4.6000.29." in the description and the ERROR shows "There are no SQL Server instances or shared features that can be updated on this computer."

Please help me to solve this,

thank you.

SQL server migration - extract all logins never logged on


Hi,

We did migrate instances from one server to another weeks ago. When we did the migration, we created all the logins from one server to the other.

I would like to put a trace, extended events or something else to track all login activity. Why? Because we would like to disable all the logins that never logged on to the instance. Then after a certain period we will delete them.

We have more than 50 production instances to cleanup.

Any idea of the trace we would need to achieve our goal?

Thanks,

Cannot execute as the database principal because the principal "dbo" does not exist, this type of principal cannot be impersonated, or you do not have permission.'


Hi,

I am encountering the below error multiple times in ErrorLog file of SQL Server. 

I have given SA access to all the user DBs, and I could see there is no compromise done on the security part, as it's a UAT machine. But still I could see this message is posted multiple times in the error logs.

How should I avoid the same?

The activated proc '[dbo].[fms_runscheduledjob]' running on queue 'scmdb.dbo.fms_ScheduledJobQueue' output the following:  'Cannot execute as the database principal because the principal "dbo" does not exist, this type of principal cannot be impersonated, or you do not have permission.'



hemadri

SQL Connection only works when application 'Run As Administrator'


Hello, we have a problem on our clients where SQL applications will only authenticate and connect successfully when the application is right clicked and 'Run as Administrator'. Even if the user is a Domain Admin or even Local Client Admin, the application will not run if it is just simply executed. I have run SQL Profiler on the SQL Server and it seems when not being run as admin, the connection is not even reaching the server (the log remains blank) however if I run the SQL apps as administrator (using the UAC 'Run as Administrator' option) the SQL Profiler shows a successful connection and SQL Transaction. 

It may also be worth noting that if one SQL app is already open (with Run as Administrator) other SQL apps can also be opened simultaneously and the connection won't fail, even if it is connecting to a separate SQL server. This leads me to believe that the problem lies on the client machine, however, I don't know how to resolve this.

Any help is much appreciated

Error code 0x80090304 on queries requiring AD logins


My config:
Ubuntu Server 16.04.5 LTS x64
SQLServer 2017 on Linux (just updated to CU13 - 14.0.3048.1)
SSMS 17.9.1

When I run the following query:

EXECUTE AS LOGIN='DOMAINNAME\domain.user'
GO

I get this error message:

Msg 15404, Level 16, State 22, Line 1
Could not obtain information about Windows NT group/user 'DOMAINNAME\domain.user', error code 0x80090304.

The error is thrown both if logged in with sa and with DOMAINNAME\domain.user user (which is an admin too).

I've already followed the troubleshooting documentation and checked everything, multiple times: DNS, hosts, service account, SPN, wbinfo -u, wbinfo -g, ...
SQLServer log contains nothing relevant (in fact it reports nothing at all).

Anyone can help me understand what's wrong on my side?
Is there a way to increase the (now useless) log verbosity in /var/opt/mssql/log/errorlog ?




SA account behaviour bugs?


Has anyone previously encountered any buggy behaviour from the SA account in SQL SMS 2008?

I recently was unable to login as the SA account - it gave a simple run of the mill 'login failed for user' error.
In the end it turned out the account was locked, however my understanding was in such a scenario it should display a different error message as below;
[Image: "SA account is locked" error message]

I also checked the status of the account under Properties > Status
and the 'Login is locked out' check box was unticked.

Additionally when troubleshooting, any attempts to make amendments to the SA account were met with messages that the account does not exist or I do not have permission.
While this would suggest I don't have SysAdmin rights, I am definitely in that server role, and have all the same permissions as the SA account. The SA account definitely also existed!


I can't find an explanation for this behaviour, and was wondering if anyone else has come across this before?
I'd like to identify what caused the unexpected behaviour beyond just a server restart (following O/S patching) as although that could explain the initial account locking, I don't think that explains the other issues.

The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server, Error: 0)


Hi,

I just installed SQL on my box but I am unable to access SQL remotely; while accessing remotely I am getting the below error, and the services are running on a domain account. As the services are running under a domain account we have registered an SPN (Service Principal Name). Is there any other way to resolve this issue?

Registered SPN :

MSSQSLSvc/myserver:1433
MSSQSLSvc/myserver.domain1.com:1433

ADDITIONAL INFORMATION:

The target principal name is incorrect.  Cannot generate SSPI context. (Microsoft SQL Server, Error: 0)

Testing Login Using a Contained Database User Via SSMS

Need VIEW DATABASE STATE permission for sp_spaceused in SQL Server 2017?


Hi All,

It failed to execute sp_spaceused in SQL Server 2017, if the sql user has below permissions, but executing sp_spaceused can work well under SQL 2012, 2014 and 2016 with the same permission.

SELECT * FROM fn_my_permissions(NULL, 'DATABASE'), the returned values:

CONNECT, SELECT, INSERT, UPDATE, DELETE, VIEW ANY COLUMN ENCRYPTION KEY DEFINITION, VIEW ANY COLUMN MASTER KEY DEFINITION.

Are there any changes for SQL Server 2017?

Thanks

Scott

SQL server hardening


Hi,

I am looking for information on best practices in sql server hardening. Can someone please point me to the best resources out there?

Thanks.
