Channel: SQL Server Security forum
Viewing all 3027 articles

Bulk copy functions support on SQL server with force encryption enabled


Hi,

My application worked fine before "Force Encryption" was enabled on my SQL Server in SQL Server Configuration Manager. For security reasons, I enabled "Force Encryption" on my SQL Server so that connections use TLS 1.2.

On the client side, I updated my ODBC driver to version 11 and enabled encryption as well. The test connection from the ODBC Data Source Administrator (odbcad32.exe) succeeds.

My application can connect to SQL server using TLS 1.2 successfully, and execute some queries. However, the bulk copy functions do not work after the encryption is enabled. There is no error returned from bcp_init(), but the bcp operations after bcp_init() get the Function Sequence Error.

The error message from ODBC driver is: retcode:0  state:HY010  MessageText:[Microsoft][ODBC Driver 11 for SQL Server]Function sequence error.

Are bulk copy functions supported when force encryption is enabled? Thanks.




Row Level Security - Policy Enabled but not Filtering


I'm trying to implement row-level security in SQL Server 2016 but am getting stuck. Below is the code being used for the predicate function and the security policy. From what I can see, everything looks good, but while SSMS shows that the security policy is enabled, users who should have restricted access to the key dimension can see all of the data.

Predicate Function

CREATE FUNCTION [dbo].[udf_RLSDimAgentIDPredicate] (@DimAgentId int)
RETURNS table
WITH SCHEMABINDING
AS
RETURN (SELECT MAX(fn_securitypredicate_result) fn_securitypredicate_result
        FROM
        (
            --"Regular" Users: Does the AD Group they belong to have access to the incoming companyID?
            SELECT 1 fn_securitypredicate_result
            FROM Dim.Agent a
            INNER JOIN dbo.AgentGroupMapping arm ON a.MasterAgentId = arm.MasterAgentId
            WHERE IS_MEMBER(arm.ADGroupName) = 1 AND a.DimAgentId = @DimAgentId

            UNION
            --"Power" Users and Admins: Do they belong to an AD Group that has access to all companies (designated by -1 in MasterAgentID in dbo.AgentGroupMapping)?
            SELECT 1
            FROM Dim.Agent a, dbo.AgentGroupMapping arm
            WHERE IS_MEMBER(arm.ADGroupName) = 1 AND arm.MasterAgentId = -1 AND a.DimAgentId = @DimAgentId
        ) r
        WHERE r.fn_securitypredicate_result IS NOT NULL)


Security Policy

CREATE SECURITY POLICY [dbo].[DimAgentPredicate] 
ADD FILTER PREDICATE [dbo].[udf_RLSDimAgentIDPredicate]([DimAgentId]) ON [Dim].[Agent],
ADD FILTER PREDICATE [dbo].[udf_RLSDimAgentIDPredicate]([DimAgentId]) ON [Fact].[WorkersCompClaim],
ADD FILTER PREDICATE [dbo].[udf_RLSDimAgentIDPredicate]([DimAgentId]) ON [Fact].[WorkersCompPremium],
ADD FILTER PREDICATE [dbo].[udf_RLSDimAgentIDPredicate]([DimAgentId]) ON [Fact].[WorkersCompProducer],
ADD FILTER PREDICATE [dbo].[udf_RLSDimAgentIDPredicate]([DimAgentId]) ON [Fact].[WorkersCompRegister],
ADD FILTER PREDICATE [dbo].[udf_RLSDimAgentIDPredicate]([DimAgentId]) ON [Fact].[WorkersCompQuoteSummary],
ADD FILTER PREDICATE [dbo].[udf_RLSDimAgentIDPredicate]([DimAgentId]) ON [Fact].[WorkersCompExposure]
WITH (STATE = ON, SCHEMABINDING = ON)

The odd part that I can't get over is that when the security policy is disabled, any user who runs the following code gets the correct predicate result. As a power user, 1 is returned for every company in Dim.Agent. A user restricted to certain companies gets 1 for just those companies, with NULL returned for everything they don't have access to.

SELECT a.MasterAgentID, p.fn_securitypredicate_result
FROM Dim.Agent a
	OUTER APPLY dbo.udf_RLSDimAgentIDPredicate (a.DimAgentId) p

A question that regularly runs through my mind is whether the security policy is actually disabled when I think it is enabled. One test I've been doing to verify this is to run this same query. With the policy enabled, it fails, because the function is referencing itself.

Msg 4429, Level 16, State 1, Procedure udf_RLSDimAgentIDPredicate, Line 5 [Batch Start Line 28]
View or function 'dbo.udf_RLSDimAgentIDPredicate' contains a self-reference. Views or functions cannot reference themselves directly or indirectly.
Msg 4413, Level 16, State 1, Line 30
Could not use view or function 'dbo.udf_RLSDimAgentIDPredicate' because of binding errors.

Does anyone see issues in the code that would be preventing proper filtering?  Or, has anyone encountered something like this in the past, and if so, what was the solution?  Everything seems to be set up, based on the documentation I've found.  What am I missing?

 

Thanks,

Erin
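
Added example (not Erin's code, and not from the original page): a self-contained version of the same design that can be run in a scratch database to watch the filtering work. It uses assumed names (dbo.Agent, dbo.Claim, dbo.AgentGroupMapping, the roles and users below) and database roles in place of AD groups, since IS_MEMBER() accepts both. The design point it demonstrates is that the predicate applied to the agent table reads only the mapping table, so no predicate function refers to the table it is filtering; fact tables keyed by the surrogate get a second function that goes through the already-filtered agent table. Users without login plus EXECUTE AS USER let you check each role's view while the policy stays ON.

```sql
-- Added example, not from the post. Sample schema and rows are constructed.
CREATE TABLE dbo.AgentGroupMapping (MasterAgentId int NOT NULL, GroupName sysname NOT NULL);
CREATE TABLE dbo.Agent (DimAgentId int NOT NULL PRIMARY KEY, MasterAgentId int NOT NULL);
CREATE TABLE dbo.Claim (ClaimId    int NOT NULL PRIMARY KEY,
                        DimAgentId int NOT NULL REFERENCES dbo.Agent (DimAgentId),
                        Amount     money NOT NULL);
GO
INSERT INTO dbo.Agent (DimAgentId, MasterAgentId) VALUES (1, 100), (2, 200), (3, 300);
INSERT INTO dbo.Claim (ClaimId, DimAgentId, Amount) VALUES (10, 1, 500), (20, 2, 700), (30, 3, 900);
-- MasterAgentId = -1 means "every agent", as in the post.
INSERT INTO dbo.AgentGroupMapping (MasterAgentId, GroupName) VALUES (100, N'rls_agent100'), (-1, N'rls_power');
GO
-- Database roles stand in for the AD groups; IS_MEMBER() works for both.
CREATE ROLE rls_agent100;
CREATE ROLE rls_power;
CREATE USER regular_user WITHOUT LOGIN;
CREATE USER power_user   WITHOUT LOGIN;
ALTER ROLE rls_agent100 ADD MEMBER regular_user;
ALTER ROLE rls_power    ADD MEMBER power_user;
GRANT SELECT ON dbo.Agent TO regular_user, power_user;
GRANT SELECT ON dbo.Claim TO regular_user, power_user;
GO
-- Predicate for the dimension table: reads ONLY the mapping table. Because it never
-- touches dbo.Agent, a policy on dbo.Agent cannot make this function reference itself.
CREATE FUNCTION dbo.fn_AgentAccess (@MasterAgentId int)
RETURNS TABLE
WITH SCHEMABINDING
AS RETURN
    SELECT 1 AS fn_result
    FROM dbo.AgentGroupMapping AS m
    WHERE IS_MEMBER(m.GroupName) = 1
      AND m.MasterAgentId IN (@MasterAgentId, -1);
GO
-- Predicate for fact tables keyed by the surrogate DimAgentId: resolve it through
-- dbo.Agent, which is itself filtered by fn_AgentAccess. dbo.Agent is not this
-- function's own target table, so there is still no self-reference.
CREATE FUNCTION dbo.fn_ClaimAccess (@DimAgentId int)
RETURNS TABLE
WITH SCHEMABINDING
AS RETURN
    SELECT 1 AS fn_result
    FROM dbo.Agent AS a
    JOIN dbo.AgentGroupMapping AS m ON m.MasterAgentId IN (a.MasterAgentId, -1)
    WHERE a.DimAgentId = @DimAgentId
      AND IS_MEMBER(m.GroupName) = 1;
GO
CREATE SECURITY POLICY dbo.AgentPolicy
    ADD FILTER PREDICATE dbo.fn_AgentAccess(MasterAgentId) ON dbo.Agent,
    ADD FILTER PREDICATE dbo.fn_ClaimAccess(DimAgentId)    ON dbo.Claim
    WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- Confirm from the catalog that the policy is enabled and what it binds to.
SELECT p.name AS policy_name, p.is_enabled,
       OBJECT_NAME(sp.target_object_id) AS target_table, sp.predicate_definition
FROM sys.security_policies  AS p
JOIN sys.security_predicates AS sp ON sp.object_id = p.object_id;
GO
-- Test each principal's view with the policy still ON; no need to disable it.
EXECUTE AS USER = 'regular_user';
SELECT USER_NAME() AS who, a.DimAgentId, a.MasterAgentId FROM dbo.Agent AS a;
SELECT USER_NAME() AS who, COUNT(*) AS visible_claims FROM dbo.Claim;
REVERT;
EXECUTE AS USER = 'power_user';
SELECT USER_NAME() AS who, COUNT(*) AS visible_claims FROM dbo.Claim;
REVERT;
```

With the policy on, regular_user (member of rls_agent100, mapped to MasterAgentId 100) sees only agent 1 and its one claim, while power_user (mapped through -1) sees all three. Because the test runs under EXECUTE AS USER, it can be repeated any time without the disable/enable cycle the post describes.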


Force encryption on SQL Server not working?

Hello Everyone,


I'm running SQL Server 2008 64-bit. I've installed a self-signed cert on the box, set "Force Encryption", and restarted SQL Server.

I set up a client machine to trust the authority of the cert installed on the server. When I connect to that SQL Server from SSMS on the client machine and select the "Encrypt connection" option in the client connection properties, SSMS correctly complains that the cert on the server does not match the computer name I asked to log into. This is because, although the cert is trusted, the DNS name does not match the CN in the cert <- Perfect, exactly what I am expecting.

When I connect to the same SQL Server from the same client but UNCHECK "Encrypt connection" on the client, I'm able to log in. Considering I've checked "Force Encryption" on the server, the server should have rejected the connection. Why not?



Ameer Deen
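
Added example, not from this post or the earlier "Bulk copy functions support on SQL server with force encryption enabled" post: a server-side check of which sessions are actually encrypted, independent of what each client asked for. When the server forces encryption, a client that did not request it still gets an encrypted session, but that client performs no certificate validation, which is why a name mismatch is only reported when "Encrypt connection" is ticked. The queries use only sys.dm_exec_connections and sys.dm_exec_sessions (VIEW SERVER STATE permission required); nothing else is assumed.

```sql
-- Added example (not from the posts). SQL Server 2008 and later; needs VIEW SERVER STATE.

-- 1. The session you are in right now: did the server encrypt it, and how did you authenticate?
SELECT c.session_id,
       c.net_transport,        -- TCP, Shared memory, Named pipe
       c.encrypt_option,       -- 'TRUE' when the TDS stream is TLS-encrypted
       c.auth_scheme,          -- SQL, NTLM, KERBEROS
       c.client_net_address
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;

-- 2. Every connection the server did NOT encrypt. With Force Encryption = Yes and the
--    service restarted, this should return no rows; any row is a session to look at
--    before assuming the setting took effect.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,
       c.auth_scheme,
       c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = N'FALSE'
ORDER BY c.connect_time;
```

Run the first query from a client with "Encrypt connection" unchecked against a server that forces encryption: encrypt_option still reads TRUE, which is the server-side evidence that the login was encrypted even though the client skipped certificate validation. The second query is the one to schedule when you are verifying that no plaintext sessions remain.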

Recommended auditing to track all changes within SQL Server user DB ?


Hello, what is the recommended method of tracking all activity and changes to a particular user DB, and who did what and when?

Including DML (SELECTs), DDL, creating/dropping/adjusting objects, views, stored procs, roles, schemas, users, etc.

Thanks in advance.
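
Added example, not from the post: a SQL Server Audit configuration that covers the list above (DML including SELECT, DDL on objects and schemas, and changes to users, roles, role membership and permissions), written to a file target, followed by the query that reads the files back with principal, time and statement. Database audit specifications need Enterprise edition before SQL Server 2016 SP1 and are available in all editions from 2016 SP1 on. The database name AppDb and the path D:\SQLAudit\ are assumptions.

```sql
-- Added example (not from the post). Assumed names: database AppDb, audit folder D:\SQLAudit\.
USE master;
GO
-- Server-level audit object: where events land, file rollover, and what to do if logging fails.
CREATE SERVER AUDIT Audit_AppDb
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT Audit_AppDb WITH (STATE = ON);
GO
USE AppDb;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_AppDb
    FOR SERVER AUDIT Audit_AppDb
    -- DML, including SELECT, by any principal on any object in the database
    ADD (SELECT, INSERT, UPDATE, DELETE, EXECUTE ON DATABASE::AppDb BY public),
    -- DDL: CREATE/ALTER/DROP of tables, views, procedures, functions, ...
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    -- DDL on database-level objects such as schemas
    ADD (DATABASE_OBJECT_CHANGE_GROUP),
    -- users and roles created/altered/dropped, and role membership changes
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    -- GRANT/DENY/REVOKE and ownership changes
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Who did what, and when: read the audit files back.
SELECT a.event_time,
       a.action_id,               -- SL = SELECT, IN = INSERT, UP = UPDATE, DL = DELETE, CR/AL/DR = DDL
       a.succeeded,
       a.server_principal_name,   -- the login
       a.database_principal_name, -- the database user it mapped to
       a.database_name, a.schema_name, a.object_name,
       a.statement
FROM sys.fn_get_audit_file('D:\SQLAudit\Audit_AppDb*.sqlaudit', DEFAULT, DEFAULT) AS a
ORDER BY a.event_time DESC;
```

Auditing every SELECT on a busy database produces a large volume of records; keep that action only if the question really is "who read what", and size MAXSIZE and MAX_ROLLOVER_FILES (and the disk) accordingly. The audit files are readable by anyone with CONTROL SERVER, so the folder needs the same access control as a backup location.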

Linked Server Test Connection Error


Hello, I am using SQL Server 2012 on a 64-bit machine.

Whenever I try Test Connection over my linked server I get the following:

OLE DB provider "Microsoft.ACE.OLEDB.12.0" for linked server "ExcelData" returned message "Unspecified error".
Msg 7303, Level 16, State 1, Line 1
Cannot initialize the data source object of OLE DB provider "Microsoft.ACE.OLEDB.12.0" for linked server "ExcelData".

But when I run SQL as Administrator, Test Connection over the linked server works correctly and I can query the Excel file linked to it.

I am logged in from an administrator account that is a sysadmin in SQL.

I have tried the solution mentioned here

https://visakhm.blogspot.com/2013/12/how-to-solve-microsoftaceoledb120-error.html

But none of them worked.

Microsoft Access Database Engine 2010 (x64) was installed successfully. My OS is Windows 10 Pro and the SQL version is:

Microsoft SQL Server 2012 (SP4) (KB4018073) - 11.0.7001.0 (X64) 
Aug 15 2017 10:23:29 
Copyright (c) Microsoft Corporation
Standard Edition (64-bit) on Windows NT 6.3 <X64> (Build 17763: )

Any other solutions that I can try?


The server principal "XXXXXX" is not able to access the database "XXXX" under the current security context


Hello Team,

We are suddenly facing the above error in our live SQL Server environment. Below is the flow of the application, to give a quick view:

1. The front-end application connects to SQL Server A - DB1 with service account SVC_xx.

2. SVC_xx executes a stored procedure "GetData" against SQL Server A - DB2. Inside the GetData stored procedure there is a command that runs a SQL statement in a different service account's (SVC_yy) context, using a "WITH EXECUTE AS SVC_yy" clause.

The above scenario worked fine until yesterday afternoon (for the last couple of years); suddenly it's broken and giving the error below. Also note that TRUSTWORTHY is already enabled on the database server.

Error Detail - "The server principal "XXXXXX" is not able to access the database "XXXX" under the current security context."

Has anyone faced this kind of issue? If so, please advise. Any help in this regard is greatly appreciated.
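
Added example, not from the post: the checks to run first when a procedure with EXECUTE AS stops reaching another database, using the post's names (DB1, DB2, SVC_yy) as assumptions. Cross-database access under an impersonated user depends on a chain that has nothing to do with the procedure's code: the source database must be TRUSTWORTHY, its owner (the authenticator) must still resolve to a login on the instance, and the impersonated principal must exist in the target database with the same SID as its login. A restore, a dropped or recreated login, or a change of database owner breaks one of these silently, which fits a setup that ran for years and then failed on an ordinary afternoon.

```sql
-- Added example (not from the post). Assumed: DB1 holds the EXECUTE AS procedure,
-- DB2 is the database it reads, SVC_yy is the impersonated principal.
USE master;
GO
-- 1. Is the source database still TRUSTWORTHY, and does its owner SID still resolve
--    to a login? owner_login = NULL means the authenticator no longer exists.
SELECT d.name, d.is_trustworthy_on, sp.name AS owner_login, sp.is_disabled
FROM sys.databases AS d
LEFT JOIN sys.server_principals AS sp ON sp.sid = d.owner_sid
WHERE d.name IN (N'DB1', N'DB2');
GO
-- 2. Does SVC_yy exist as a user in BOTH databases, and do the users' SIDs match the login's SID?
--    login_name = NULL on either row means an orphaned user.
SELECT N'DB1' AS db, u.name AS db_user, u.sid AS user_sid, l.name AS login_name, l.sid AS login_sid
FROM DB1.sys.database_principals AS u
LEFT JOIN sys.server_principals AS l ON l.sid = u.sid
WHERE u.name = N'SVC_yy'
UNION ALL
SELECT N'DB2', u.name, u.sid, l.name, l.sid
FROM DB2.sys.database_principals AS u
LEFT JOIN sys.server_principals AS l ON l.sid = u.sid
WHERE u.name = N'SVC_yy';
GO
-- 3. Reproduce outside the procedure: impersonate in DB1, then touch DB2.
USE DB1;
GO
EXECUTE AS USER = N'SVC_yy';
SELECT SUSER_SNAME() AS login_ctx, USER_NAME() AS user_ctx, ORIGINAL_LOGIN() AS original_login;
SELECT TOP (1) name FROM DB2.sys.objects;   -- raises the post's error when the chain is broken
REVERT;
GO
-- 4. If step 1 returned owner_login = NULL, give DB1 an owner that exists again. Use the
--    login that owned it before; [sa] below is only an illustration.
-- ALTER AUTHORIZATION ON DATABASE::DB1 TO [sa];
```

Step 3 is the useful one for a live incident: it fails or succeeds in the same way as the application, in a session you control, so the three catalog checks can be re-run after each change until it passes. If step 2 shows a SID mismatch rather than a missing owner, the fix is on the user side (re-mapping the user to its login), not on TRUSTWORTHY.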

CREATE USER 'FOR LOGIN' VS 'FROM LOGIN'


SQL SERVER 2012

For CREATE USER, Books Online shows FOR and FROM options but I cannot see where it explains the difference. Could someone please enlighten me?

Thanks

Examples from BOL:

CREATE USER [Domain1\WindowsGroupManagers] FOR LOGIN [Domain1\WindowsGroupManagers]

CREATE USER [Domain1\WindowsGroupManagers] FROM LOGIN [Domain1\WindowsGroupManagers]





A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections.


A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26- Error:Locating Server\instance Specified)

How can I solve this?


Multifactor Authentication on SQL Server


Hi Everybody,

Can we apply multifactor authentication on SQL Servers when they are connected to remotely through Management Studio or any other platform? I have Gemalto SafeNet Authentication Service for multifactor authentication, and I want this MFA to be applied to my databases also.

SQL Server 2008 self-signed certificate is 1024bit or 2048bit?

When there is no user-defined certificate available, SQL Server generates a self-signed certificate when the service starts. We have a tool that scans and finds that in SQL 2005 the self-signed certificate is 1024-bit. Does someone know whether the default self-signed certificate is still 1024-bit, or is it 2048-bit, in SQL 2008? Thanks a lot!

TDE during encryption process


How can I estimate whether there is extra transaction log usage when enabling TDE on a database?

And what are the proper steps for enabling TDE on a database that already has log shipping?

How to back multiple master database key DEK on SQL with TDE Enable


Hi,

I have a SQL instance with multiple databases. Each of them is TDE encrypted.

I know that all databases use the same service master key, SMK, to encrypt tempdb. I have backed up the SMK using:

BACKUP SERVICE MASTER KEY
TO FILE = 'tmp-path.key'
ENCRYPTION BY PASSWORD = 'temp-password';


Now, how do I back up the distinct database master key, DMK? Each database uses a different one, but the SQL statement doesn't allow specifying which one to back up. Next is the command I'm running.

BACKUP MASTER KEY
TO FILE = 'temp-path.key'
ENCRYPTION BY PASSWORD = 'temp-password';

I thought that by:

use [specific-db];
GO

it would back up a specific one, but the command won't run. You need to be in master to run the command.

Thanks
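
Added example, not from this post or the earlier "TDE during encryption process" post: how the TDE key hierarchy appears in the catalog and which pieces are backed up where. Under TDE each user database has a database encryption key (DEK) that is protected by a certificate in master; that certificate's private key is protected by master's database master key (DMK), and the DMK by the service master key. BACKUP MASTER KEY is therefore run once, in master; BACKUP CERTIFICATE ... WITH PRIVATE KEY is run once per certificate (one certificate commonly protects several databases); the DEKs are not backed up separately because they travel inside each database backup. The first query also exposes encryption_state and percent_complete, which is what to watch while the initial encryption scan runs on a log-shipped primary. The certificate name TDE_Cert, the file paths and the password placeholders are assumptions.

```sql
-- Added example (not from the posts). Assumed: certificate TDE_Cert, folder C:\KeyBackup\.
USE master;
GO
-- 1. Inventory: one DEK per encrypted database (plus tempdb), each pointing at a certificate in master.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,      -- 2 = encryption in progress, 3 = encrypted, 5 = decryption in progress
       k.percent_complete,      -- progress of the background scan while state is 2 or 5
       k.key_algorithm, k.key_length,
       c.name AS certificate_name,
       c.expiry_date
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint
ORDER BY database_name;
GO
-- 2. master's DMK protects the certificate's private key: back it up once, from master.
BACKUP MASTER KEY
    TO FILE = 'C:\KeyBackup\master_dmk.key'
    ENCRYPTION BY PASSWORD = '<strong DMK backup password>';
GO
-- 3. The certificate and its private key: one backup per certificate. Every database
--    encrypted by TDE_Cert is covered by this one file pair, and without it a backup of
--    any of those databases cannot be restored on another instance.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\KeyBackup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\KeyBackup\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
-- 4. On a log shipping (or AG) secondary, run this in master BEFORE restoring the first
--    encrypted full backup, so the secondary can open the DEK that arrives inside it.
--    The CREATE MASTER KEY line is needed only if the secondary's master has no DMK yet.
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<secondary DMK password>';
-- CREATE CERTIFICATE TDE_Cert
--     FROM FILE = 'C:\KeyBackup\TDE_Cert.cer'
--     WITH PRIVATE KEY (FILE = 'C:\KeyBackup\TDE_Cert.pvk',
--                       DECRYPTION BY PASSWORD = '<strong private key password>');
```

Store the .cer/.pvk pair and the DMK backup away from the database backups, under separate access control; whoever holds both a database backup and these files can read the data. Re-run the inventory query after step 4 on the secondary to confirm the certificate thumbprint there matches the encryptor_thumbprint the primary reports.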



Database 'TEST' is already open and can only have one user at a time.


Hi all,

Could someone help with this issue, as it is urgent?



Database 'TEST' is already open and can only have one user at a time.

I also tried this command but am having the same error; please let me know how to troubleshoot this issue.

Use Master
GO
Select * from master.sys.sysprocesses
Where spid > 50
  And dbid = DB_ID('StuckDB')  -- replace with your database name

Thanks
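
Added example, not from the post: find the session that currently occupies the single-user database, end it, and set the database back to MULTI_USER. It assumes the database name TEST from the post and SQL Server 2012 or later (sys.dm_exec_sessions.database_id). Run it from a connection whose own database context is master; otherwise your session is the one holding the slot and the ALTER DATABASE will report the same "already open" error.

```sql
-- Added example (not from the post). Assumed database name: TEST.
USE master;
GO
-- 1. Who is in the database right now?
SELECT s.session_id, s.login_name, s.host_name, s.program_name, s.status,
       s.login_time, s.last_request_end_time, r.command, r.wait_type
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_requests AS r ON r.session_id = s.session_id
WHERE s.database_id = DB_ID(N'TEST')
  AND s.session_id <> @@SPID;
GO
-- 2. End those sessions (KILL only accepts a literal, so the statements are generated),
--    then reopen the database. PRINT shows what will run; review it in production.
DECLARE @kill nvarchar(max) = N'';
SELECT @kill += N'KILL ' + CAST(s.session_id AS nvarchar(10)) + N';' + CHAR(10)
FROM sys.dm_exec_sessions AS s
WHERE s.database_id = DB_ID(N'TEST')
  AND s.session_id <> @@SPID;
PRINT @kill;
EXEC sys.sp_executesql @kill;
GO
ALTER DATABASE TEST SET MULTI_USER WITH ROLLBACK IMMEDIATE;
GO
-- 3. Confirm the database is back to normal access.
SELECT name, user_access_desc, state_desc
FROM sys.databases
WHERE name = N'TEST';
```

The session found in step 1 is often an SSMS Object Explorer window or a monitoring job that connected the moment the database became available, which is why a plain ALTER DATABASE keeps failing; killing it and immediately issuing the ALTER in the same script closes that window.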

SID Mismatch


What are the reasons for a SID mismatch in SQL Server 2016 (AlwaysOn)?

Recently we migrated a DB from 2008 to 2016 and I migrated all users with SP_Revlogin.

Everything has been working fine for the past month, but recently I found that a user is not able to access the DB after failover.

When I checked, the user was not mapped to the DB; I found that the SID is mismatched.

What could be the reason?
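
Added example, not from the post: in an Availability Group the database users move with the database on failover, but logins live in each replica's master, so a SQL login that was created on a replica without its original SID shows exactly this symptom after the first failover to that replica. The first query, run in the affected database on whichever replica is now primary, lists users whose SID has no matching login. The second, run on the replica where the login is correct, generates a CREATE LOGIN statement carrying the password hash and SID so the login can be created identically on every other replica (the same thing sp_help_revlogin automates). The database name AppDb and the login app_user are assumptions.

```sql
-- Added example (not from the post). Assumed names: database AppDb, login app_user.
USE AppDb;
GO
-- 1. Orphaned or mismatched users: a database user whose SID no login on this instance has.
SELECT dp.name AS db_user, dp.type_desc, dp.sid AS db_user_sid,
       sp.name AS login_with_same_name, sp.sid AS login_sid,
       CASE WHEN sp.sid IS NULL   THEN 'no login with this name'
            WHEN sp.sid <> dp.sid THEN 'SID mismatch'
            ELSE 'ok' END AS diagnosis
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.name = dp.name
WHERE dp.type IN ('S', 'U', 'G')       -- SQL user, Windows user, Windows group
  AND dp.authentication_type <> 0      -- skip users WITHOUT LOGIN
  AND dp.principal_id > 4              -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND (sp.sid IS NULL OR sp.sid <> dp.sid);
GO
-- 2. On the replica where the login is right: script it WITH its SID and password hash,
--    then run the generated statement on every other replica.
SELECT N'CREATE LOGIN ' + QUOTENAME(l.name)
     + N' WITH PASSWORD = ' + CONVERT(nvarchar(max), l.password_hash, 1) + N' HASHED'
     + N', SID = '              + CONVERT(nvarchar(max), l.sid, 1)
     + N', DEFAULT_DATABASE = ' + QUOTENAME(l.default_database_name)
     + N', CHECK_POLICY = '     + CASE WHEN l.is_policy_checked     = 1 THEN N'ON' ELSE N'OFF' END
     + N', CHECK_EXPIRATION = ' + CASE WHEN l.is_expiration_checked = 1 THEN N'ON' ELSE N'OFF' END
     + N';' AS create_login_stmt
FROM sys.sql_logins AS l
WHERE l.name = N'app_user';
GO
-- 3. Quick repair on the current primary when the login already exists here with the
--    wrong SID. This changes the user's SID inside the database, so the mismatch simply
--    moves to the other replica on the next failover; prefer recreating the login from
--    step 2's output.
-- ALTER USER app_user WITH LOGIN = app_user;
```

Windows logins carry their SID from Active Directory, so they only appear in step 1 as "no login with this name"; the "SID mismatch" row is the signature of a SQL login recreated by name on a replica. Recreating it from step 2's statement (after dropping the wrong one) fixes every database that user is mapped to at once.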

SQL 2019 - Missing "Allow Enclave Computations" & No enclave provider found for enclave type 'SIMULATOR'


I am trying to configure Secure Enclaves, in SQL Server 2019 CTP 2.3.

I have built an attestation service, which seems to be working, and I have registered the SQL Computer's certificate with the Attestation Service. 

I have configured the enclave type as VBS, and used trace flag 127 to enable enclave computations, as below:

However, when I try to create a column master key, there is no option to "Allow Enclave Computations", as per the MSDN tutorial.

If I try to connect to the instance, with Always Encrypted enabled, I get the following error:

No enclave provider found for enclave type 'SIMULATOR'. Please specify the provider in the application configuration.  (System.Data)

I know we are in CTP, so it may just be buggy, but wondered if anybody else had come across this, or knew how to work around it?

Pete



Database size after TDE

Is there anything that can estimate the database size increase after turning on TDE?

SQL Server Secure Access from Azure Data Factory


We have an on-premises instance of SQL Server and we need to access some data from this server through Azure Data Factory (ADF). Since ADF can connect from a large set of IP addresses, there is no way to specify IP-based firewall rules on the system where SQL Server is installed. So right now, the system is exposed to the internet.

What would be the best security architecture in this scenario?

I understand that a VPN can be set up, but that solution is a little too complex for us right now. Any other solution besides this?

Thank you


Sohi


Unable to locate SSDT and SSIS tools


Hi All,

A user is unable to locate SSDT and SSIS Tools on the Windows server.

What access does the user need to view and work on these tools?

TIA.


Vinai Kumar Gandla

Using Union with Always Encrypted Enclave


I'm following the instructions from https://docs.microsoft.com/en-us/sql/relational-databases/security/tutorial-getting-started-with-always-encrypted-enclaves?view=sqlallproducts-allversions to try out the new Always Encrypted enclave feature. After I encrypted the [SSN] column, I found that UNION doesn't work with encrypted columns:

Sample SQL script:

select [SSN]
from Employees
union
select [SSN]
from Employees

Error messages:


Msg 33277, Level 16, State 2, Line 25
Encryption scheme mismatch for columns/variables 'LastName'. The encryption scheme for the columns/variables is (encryption_type = 'RANDOMIZED', encryption_algorithm_name = 'AEAD_AES_256_CBC_HMAC_SHA_256', column_encryption_key_name = 'CEK Contoso1', column_encryption_key_database_name = 'ContosoHR') and the expression near line '2' expects it to be DETERMINISTIC, or PLAINTEXT.
Msg 8180, Level 16, State 1, Procedure sp_describe_parameter_encryption, Line 1 [Batch Start Line 23]
Statement(s) could not be prepared.
Msg 33277, Level 16, State 2, Line 25
Encryption scheme mismatch for columns/variables 'LastName'. The encryption scheme for the columns/variables is (encryption_type = 'RANDOMIZED', encryption_algorithm_name = 'AEAD_AES_256_CBC_HMAC_SHA_256', column_encryption_key_name = 'CEK Contoso1', column_encryption_key_database_name = 'ContosoHR') and the expression near line '2' expects it to be DETERMINISTIC, or PLAINTEXT.

Is this a bug or an unsupported feature by design?

Disadvantage of using a SQL login in SSRS config manager connection


Hi, is there any issue if a SQL login is used for the connection from SSRS Configuration Manager to the SQL database?

https://docs.microsoft.com/en-us/sql/reporting-services/install-windows/configure-a-report-server-database-connection-ssrs-configuration-manager?view=sql-server-2017

So my question is about the following note under 'Choosing a credential type' in the above link, about a SQL login:

"If you use SQL Server Authentication and the report server database is on a remote computer, use IPSec to help secure the transmission of data between the servers."

So any concerns on using a SQL Login? Thanks


D

