Accessing Password_hash By Users In SQL Server 2005
Feb 28, 2007
In SQL Server 2000 we had a view that would show the user credentials and the password hash. The reason we need this is that we use SQL Server authentication on the database. To test users, we have a login with little access, and it should be able to see the view and compare the password supplied against what is in the database, and then let the code handle a graceful exit if the password is invalid. I am trying to do this with SQL Server 2005, and I am running into trouble. I am trying to do this with a function, since there I can set the EXECUTE AS clause (in theory) and leverage the privlidges of a specific user in the database. Here is an example function:
CREATE FUNCTION check_acct.fn_allusers (@test int)
RETURNS @users table (username varchar(50), passwd varbinary(256))
WITH EXECUTE AS caller
AS
BEGIN
INSERT @users
select name, password_hash from sys.sql_logins
RETURN
END
GO
GRANT SELECT ON fn_allusers TO user_acct
I cannot get to all rows in the sys.sql_logins table unless I first:
GRANT VIEW ANY DEFINITION TO CHECK_ACCT
then when I call this function from CHECK_ACCT, I am able to see the data. If I change the WITH EXECUTE AS 'CHECK_ACCT' and execute thsi function from USER_ACCT, I do not get the same results. Do functions not inherit VIEW DEFINITION proivlidges? Any suggestions on how to do this but limit access to these secure objects to this one function?
I'm trying to extract all the users and their membership to groups, and the membership of groups to groups from active directory though a link to server.
I can get the users. I can get the groups.... individually.
I can't get the info of what user is a member of or who are members of a group.
Anyone know how to do this or am I going to have to right a vb app? (Anyone already got the code...)
I want to load this data into tables for reporting in my Data Warehouse.
I need a way to automatically generate a daily report of user names, time of access, and type of access (login, select, insert, update, delete, etc.) to a database.
We need to audit all accesses from all accounts to find out who is accessing the payroll system. We have already defined the security to be as tight as possible - however we need to monitor all Administrator accounts to ensure they are not being used to obtain sensitive information.
I have looked for some software to read the live SQL Transaction Logs, but none of the tools I have seen can do exactly what we require. For example, I've tried Lumigent Log Explorer (http://www.lumigent.com/products/le_sql.html), but it's not automated and the report output is just garble to our payroll staff.
I have looked up all Microsoft SQL Server partners but their software is all about data recovery and data reporting. We need Security Reporting.
I have created a general SQL Profiler trace that may suffice if everything else fails, but I still have no way of automating it - it relies on Real-Time monitoring which I can't trust (admin can turn this off, do their stuff, turn it back on). Also this is dependant on someone turning it off, save the log, turn it back on, every day - this person would be the Administrator - what admin would monitor themselves?
- SQL Trace seems like a good idea, how do I read the trace log file? How do I automate a trace?
- Can we automate the SQL Profiler to read the transaction log to find all accesses to a database?
- Does anyone know what we can do to automatically audit accesses to a database? What format can the report come in (pdf, xls, dbf, html etc.)
- Recommended software to try?
- Ideas for alternatives to try?
- Any companies/developers out there who know of a tool or are developing a tool to provide this sort of report?
- Is there a spec somewhere to let us write our own software to query the live transaction log?
Thanks, I appreciate any help. Kind Regards James Payne
I would like a report to display the number of users and the reports accessed for a certain duration of time[being able to go back and check for previous years as well].
I read on the msdn that 60 days worth of report log is kept,and the rest gets wipped off.Any suggestions on how I would be able to get user access list for the past year as well.
Is there a way to find a list of Windows User accounts that are directly or indirectly (through Windows Group membership) assigned to a database role?
I could put work in to CLR programming or using a Linked Server to Active Directory, but if there is a sys.* view available that can provide me this information directly it would be much easier.
I'll be looking into this further myself anyway and posting an answer if I can find one, but if anyone has suggestions... well, thanks!
Based on our database infrastructure, we need to secure our SQL databases. The security issue concerns on allowing a limited number of Domain Admin users to access the SQL databases. We tried certain ways, based on the documents in the Microsoft web site, but we couldn€™t reach to the point of preventing the Domain Admin users accessing the SQL databases.
I just bought a new HP laptop that has Vista installed. Not happy about the OS but it is what it is...
I need to use Enterprise Manager, or an equivalent, to access a remote server, running SQL 2005.
With XP, I always installed and used SQL Server 2000 Client features.
Vista does not play well with SQL 2000 so I am looking for an alternative to simply be able to access, and perform DTS functions, a remote SQL 2005 system.
Does SQL Server 2005 Express offer client alias features?
I recently downloaded SQL Server 2005 Express Edition. Everything was installed correctly without any problems. However, when I went to my Program list, the only thing listed for Microsoft SQL Server 2005, was Configuration tool.
Where is the actual program where I can write and run queries? How do I access the server?
I'm considering shifting my database server to 64-bit MS SQL Server 2005 for improved scalability and performance. I'm concerned, however, that my classic ASP website (which sits on a separate server) may have problems communicating via ADO/OLEDB because of communication problems between 32-bit IIS on the web server and 64-bit MS SQL Server on the database server.
My current set up (which works fine) is:
Web Server: Windows Server 2003, Standard Edition, SP1 - running IIS with a set of ASP websites Database Server: Windows 2000 SP4, running MS SQL Server 2000
Connection String:
MyConnection="Provider=SQLOLEDB;Network Library=DBMSSOCN;SERVER=192.168.0.1;INITIAL CATALOG=MyDatabase;UID=MyUserID;PWD=MyPassword" Set Conn = Server.CreateObject("ADODB.Connection") Conn.Open MyConnection
My core question is:
If I change my database server to new machine with 64-bit Windows Server 2003 running 64-bit MS SQL Server 2005, will my (32-bit) web server be able to connect from ASP as it does now?
I have a strange problem that I think deals with security on SQL 2005.I have a scheduled task that runs on a Windows 2000 machine. It callsa vb script which creates a connection to SQL Server.We migrated a database from SQL 2000 to 2005 which is on a differentbox. I changed the connection in the vb script to use the new sqlserver. The original connection to SQL 2000 used the 'sa' accountcoded into the connection string , which we don't want to use on thenew server, so I changed the connection string in the script to usethe below login information.Const strConnection = "Provider=SQLOLEDB;DataSource=SQLServer;Integrated Security=SSPI;Persist SecurityInfo=False;Initial Catalog=database;I created a domain user and gave it dbo rights on the new database onSQL 2005 as well as administrative rights on the local machine and thenetwork. The task runs fine for a while and then it will fail tostart. I have looked in the event log as well as the SQL log and havenot found anything else that ran when my task failed. Once it hasfailed, if I manually run the vb script on the 2000 machine, it runsjust fine, but the schedule won't work. If I change the name of theuser that is running the scheduled task, it will begin working again.I have run the profiler on SQL 2005 and watched the scheduled tasklogin as the correct user and update the database. There is nopattern to when the scheduled task will stop running. This has beenhappening for a few days now.This script and scheduled task worked fine for over a year on themachine when it logged into SQL 2000 and nothing else has changed,which makes me think it is related to the SQL 2005 server. Any ideas?
HI, I need some help regarding the data access. I needs to access some data from tables which are in oracle and load it into sql server tables. Please let me know the process for this.
I have a C# program that access SQL Server 2005. The program have 4 threads that performs the same method and are used only to improve performance of the system The C# accesses the SQL Server using OleDbConnection and
OleDbCommand classes. Sometimes (very rare) I get exception to method ExecuteNonQuery() with message: "Table does not exist.". The command text for the query is a constant string in the format: "insert into my_table€¦". Can any one tell me what could be the problem?
I am developing a windows application that needs to communicate with a remote SQL server 2005 database. Server allows remote connections and MSDTC service also running. Do I need to run MSDTC service on the client machine where I use desktop application ? any ideas ? It's throwing some error like An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.
But my SQL Server allows remote connection, and I am able to do a select statement. But when I insert/update anything, it's throwing this error. I guess some problem with MSDCT. Anybody have any idea ?
Hi I have created a linked server from SQL Server 2005 (SP 1) to SQL Service 2000 (SP 4) with a sql server login that is available on both servers but with different passwords and permissions.
I am getting the following error while accessing the linked server in management studio based on the scenario given below ;
------ Error Message Starts OLE DB provider "SQLNCLI" for linked server "(SQL Server 2000 instance name)" returned message "Communication link failure". Msg 10054, Level 16, State 1, Line 0 TCP Provider: An existing connection was forcibly closed by the remote host. Msg 18456, Level 14, State 1, Line 0 Login failed for user 'abc'. ------ Error Message Ends
Consider login name is abc. Now this login abc has sysadmin rights on sql server 2005. The same login abc has only db_datareader rights on sql server 2000 on just one database and is not associated with any fixed server role.
I have configured the linked server using the following options; 1. I have tried impersonating login from SQL Server 2005 to SQL Server 2000 . 2. I have also tried specifying remote login / password option.
Anyone having any idea, would be of great help. Regards, Salman Shehbaz.
Hi, i would appreciate any help with this issue i have come across when trying to access a version 7 dbase from within sql server 2005.
The error message is telling me that "This version of SQL server man studio can only be used to connect to SQL Server 2000 and SQL servers 2005"
I am new with SQL server so ill explain how im accessing it. I am connecting a server with sql 2005 on it via net support then through this trying to access another server with v 7 on it.
Hello, What permissions do I need to set on our new SQL Server 2005 test server so that I can see the stored procedures, views and tables from Visual Studio development environment.
Example, I can see my older SQL Server 7 tables, edit them, write stored procedures, and so on. But while I can see the SQL Server 2005 and its databases, the folder underneath are empty and I cannot right-click to create New stored procedure or table.
My guess is that there is security involved, if so, what do I set on the new server? If I'm wrong, and it's something else entirely, please advise.
I created a stored procedure (see snippet below) and the owner is "dbo". I created a data connection (slcbathena.SLCPrint.AdamsK) using Windows authentication. I added a new datasource to my application in VS 2005 which created a dataset (slcprintDataSet.xsd). I opened up the dataset in Designer so I could get to the table adapter. I selected the table adapter and went to the properties panel. I changed the DeleteCommand as follows: CommandType = StoredProcedure; CommandText = usp_OpConDeleteDirectory. When I clicked on the Parameters Collection to pull up the Parameters Collection Editor, there was no parameters listed to edit even though there is one defined in the stored procedure. Why?
If I create the stored procedure as "AdamsK.usp_OpConDeleteDirectory", the parameters show up correctly in the Parameters Collection Editor. Is there a relationship between the owner name of the stored procedure and the data connection name? If so, how can I create a data connection that uses "dbo" instead of "AdamsK" so I can use the stored procedure under owner "dbo"?
Any help will be greatly appreciated!
Code SnippetCREATE PROCEDURE dbo.usp_OpConDeleteDirectory ( @DirectoryID int ) AS SET NOCOUNT ON DELETE FROM OpConDirectories WHERE (DirectoryID = @DirectoryID)
I've built a development server for my SQL 2005 productionenvironment. I've restore the databases from a backup, and I want tocopy the users from my production to development machine.How can I do this?TIARob
I am restoring a production copy of db XYZ to the development server db XYZ. I want to retain the original users on the development server for db XYZ. How do I create a script that will reset the users on the development server with the same permissions and access they had before the production copy was restored on development? I have searched and searched and cannot find the answer. I can use a third party tool - Embarcadero - to script out the create and update stmts but it is not 100% correct. I end up having to do alot of manual work.
any assistance would be greatly appreciated. thanks
I have an MVC asp.net application that stores many records in a table on sql server, in its own system. Â used the system for 2 months, worked fine accessing, changing data.
Now that other users are logging in? there is cross coupling going on. Â one user gets the data from another users sql search.
In the mvc app it had used the get async method to read the ID record from the db, i set that to synchronous. Â no effect; Â the user makes their own login id but that does nt matter either.
Hi, i just need some help?? just some info?is it TRUE that SQL Server 2005 Express Edition (free) is capable ONLY of SINGLE user?i mean if i have a data driven page, if someone is using or editing the data in my page, does no one can access my data base simultaneously??i hope you could enlighten my mind, thanks
I am sure that I am missing something which is why I am in need of the communities assistance...
I have installed SQL Server 2005 Express Edition. I can log in with the Windows Authenication and the SQL Server Authentication using the 'sa' account. This is all good...
What I want to be able to do is add 1 to 3 more users so they can gain access to the database I have created to run queries and add data. This is the part I am confused about. How do I get additional users added??
I need to set up 1 new user in SQL Server 2005 to be able to read specific tables in a db (db1).
The user will connect from MS access using odbc links (SQL Native client ot SQL Server driver)
I've tried to set up one and once logged on from the user workstation, I can only see sys. tables and INFORMATION_SCHEMA tables. None of the required db1 tables appear.
under Security/Logins I've created User1: SQL Server auth. with password default db = db1 server_roles = none user mapping = map, db1, user1,dbo securables = none status = grant, enabled
on the access db, the odbc link was set up with default db = db1
We are running SQL Server 2005 in a Windows 2003 domain and I have a situation where some of my users are unable to connect to the SQL Server unless they are a member of the sysadmin group. Any attempts by these users to login result in a login failed,
Error: 18456, Severity: 14, State: 11
Which indicates that it is a valid user who does not have access to this SQL Server.
I have been able to narrow the failures down to the following situation:
Create a user, TestUser1, as a member of 1 domain local group TestGroup1
Give TestGroup1 access to SQL (standard public access to master)
All good. Login succeeds.
Add TestUser1 to another domain local group TestGroup2
Attempt to login to SQL Server -> login failed.
Add the user explicitly -> login failed
Add one of the groups to sysadmin -> login succeeds
It seems that as long as the user is a member of more than one AD group, and none of those groups is a member of the sysadmin server role then the user is unable to login. Obviously having all of the users as sysadmin isn't a workable solution, has anyone seen this issue before?
I have been able to replicate a similar situation in our test domain, but in that case the issue is resolved by adding the users explicitly to SQL Server (still not an ideal solution).
Interestingly, if I run the same test in our test domain but use global groups, it works. But unfortunately the network admin tells me the groups must stay as local.
I also migrated the server level logins using SSIS transfer logins task, available on SSIS 'Transfer logins', I selected all the databases that I have migrated so that I have all database users account in server logins (to avoid orphaned users); but I don't have all the database users in server logins, also the sys.sysusers doesn't have the database users, that I have moved to SQL 2005. Can anybody help?
Also do I need to back up the SQL Server 2000 database and restore it on SQL 2005? What impact this operation can have?
hi guys, i am having a truble in accesing the server 2005 express edition from my client systems in server 2003 domain network. i get server not accessible. whereas my domain is working perfectly. i really tried alot and i have enable tcpip and named pipes and i am still getting errors while accessing. i have also created user reights for the domain users to access sql server. still i couldn't able to access it.
please guide me to over come this issue. I'm dying.My project is similar to SAP concept project and i am doing it in a production industry.so each department as to access the data from the server to update their daily production and activity.
For SQL Server 2000 we have a user login mapped to msdb with database role membership of db_datareader and public checked. This seems to allow the developers to view the Management Activity monitor. For SQL Server 2005 the same mapping is in place but the developers cannot view the Management Activity monitor. Developers are NOT granted the sysadmin role, and should not have that role.
What permissions need to be set for SQL Server 2005 to allow users to view the Management Activity monitor? They should not be allowed to take actions on the activities.
I have been struggling with this for a while and cannot get it right. I have read countless articles on the internet as well as MSDN documentation about SQL Server 2005 and no success so far.
What I want is a database with multiple SCHEMAS, DATABASE ROLES and USERS in order to have a finer grade of security to access the various objects.
My schemas are (in order to simplify the situation and provide an example of the setup):
- [dbo] the standard DBO schema which is always default. Contains public objects. - [com] a special module integrated into the system - [ofc] contains objects used by back-office only - [aud] contains objects used for auditing, etc.
Each of these schemas has their fair share of tables, views, functions and stored procedures which have been created appropriately (i.e. CREATE TABLE [ofc].[Addresses]), in other words prefixed by the name of the schema to which they belong.
Then I have created various database roles (don't confuse them with SQL2005 application roles) as follows:
- PublicRole mostly used for viewing, no data alterations - WorkerRole used by front end processes that need write access to data in [dbo] and [aud] - OfficeRole used by back-office for dealing with backoffice data (basically [ofc], [aud] stuff) - AdminRole used by application administrator
Each of these database roles has been defined with owner 'dbo', none of them own any schemas. And last but not least to each of these roles I have selected the above named schemas (dbo, ofc, aud) as securables and for each of those securables schemas I have then given the correct set of GRANT/DENY on the Alter, Control, Delete, Execute, Insert, References, Select, Update, Take ownership and View definition.
As an example, the PublicRole role has been given the following permissions (Y=GRANT, N=DENY):
Table #1 of Application Permissions [dbo] [com] [ofc] [aud]Alter N N N N Control N N N N Delete N N N N Execute Y Y N Y Insert N N N Y References Y Y N Y Select Y Y N Y Update N N N Y Take ownership N N N N View definition N N N N
And I have the following minimum set of database users defined (the server login has the same name):
- upublic, assigned to PublicRole - uworker, assigned to WorkerRole - uoffice, assigned to OfficeRole - uadmin, assigned to AdminRole
As I understand when I assign these users to a particular custom Database Role, the users inherit the permissions granted to THAT role thus liberating me from having to assign the permissions to each and every user account on the same role.
What I expected was that when I logged in to the database with the upublic user account I would at least be able to view (SELECT at least) ALL the objects with the exception of those in th e[ofc] schema. Unfortunately the account is not able to access ANYTHING at all, I get an error like
"The SELECT permission has been denied on object XYZ, database DB, schema 'dbo'"
So, when I use Management Studio to look at the properties I selected the PublicRole and it showed the upublic user as a member of the role (Members of this role). So far so good.
Then when I switch to the Securables page for this role it shows all the schemas I defined and for each of them the same list shown in Table #1 except it has two lines for each permission, the first for Grantor dbo and the second for Grantor upublic. The first has the same permissions I assigned to the role (as shown on Table #1) but the 2nd does not show a checkmark on either GRANT or DENY!!! For example ([x] = checked, [ ] unchecked):
What am I doing wrong here? Apparently I then have to repeat the whole grant/deny for EACH and EVERY USER I define when the idea was that I would grant/deny on the database role and every member of that role would inherit those permissions automatically.
is there a step by step paper to get there? here is what i need to consider. I Iwill have many customers that will need their own set of records and access pages "branded for their company" each customer will have many clients. I am hosting this application on a windows 2003 server with SQL 2005 server enterprise.
I am using windows authentication, I have created a username in windows, then i added the windows user in SQL management studio in security, granted "DB Read" and "DB write" and again under the database security tab. still from the web authentication fails. i must be nissing a step or two?
I expect to set up a username for each database as i setup new customers.
I have an asp.net application. This application provide consolidated information to the user using Analysis Services 2005. Within it, one aspx page uses MDX query to retrieve the information from the cube. However, we are unable to access AS 2005 because of authentication issues. What would be the easier to implement and deploy scenario? How can I access AS 2005 from an ASP.NET application? Is there any feature to use?
In SQL 2000, we have SQL Client which is used to access remote sql servers. What is there in SQL server 2005? I just want to install a client and not a server on my local boxes to access remote server.
Any help is appreciated.
Thanks Sachin
Don't sit back because of failure. It will come back to check if you still available. -- Binu
