DB Engine :: How Security Log Is Much Secure Than Application Log

Sep 17, 2015

SQL Server 2008 R2: How security log is much secure than application log?

View 3 Replies


ADVERTISEMENT

DB Engine :: Secure Deletion Of Data

Nov 16, 2015

We have been asked whether it is possible to completely delete sensitive data. When data is deleted it is not actually completely removed from the database but is marked as deleted. It is possible to zero out that data using sp_clean_db_free_space but this doesn't affect the transaction log.

We had hoped that CHECKPOINT would clear the data from the log but we are not completely certain of this. So the question becomes is there a built-in command or function in SQL Server 2008, or subsequent versions, that will completely remove deleted data, both from the transaction log and the database itself? Or is there a 3rd party tool to accomplish the same thing?

View 25 Replies View Related

Secure .NET 1.1 Application From Users

Jan 20, 2006

Hi all.

I am developing an distributed VB.NET 1.1 application with a TripleDES capable socket layer for communication with my server app.

I need to secure the distributed app from the users within the organization I am developing it for (a franchise).

I do not wish to store any encryption keys in the source code as these would be obvious to any seasoned hacker through decompilation of my binaries (even with obfuscation). I have decided to use the windows DPAPI (under machine storage mode) to secure manually entered (at installation) encryption layer keys in the registry. The salt values for this DPAPI mode also need to be secured, as a disgruntled franchise owner may be the hacker (and hence would have admin privilege on the machine the software is installed on). Not as far fetched as you think !

This is the beginning of a vicious cycle. How do I secure and where do I store this salt value safely ? With it a hacker with admin privilige can easily decrypt my keys if they know I am using machine mode DPAPI. Can I use ACLs to protect the keys with an account I set up manually on the machine ? If so then I would need to be able to switch account identities in my code (which I haven't researched as yet) and then would need to store the password to that somewhere.

If anyone could offer any insight or direction it would be much appreciated.

View 11 Replies View Related

SQL Security :: How To Secure MDF File

Sep 14, 2015

I have a query regarding how to secure my mdf file.

I'm sending my mdf file at the time of installation of the software, so I want to know how to protect my mdf file from other clients.

(So that they cannot see or access my tables and data present in it).

View 10 Replies View Related

Secure SQL Server Remote Access From ISV Application

May 8, 2007

Hi guys



I'm writing a C# application which connects to a local SQL database for data access. The application connects to SQL Server through windows authentication, but opens up the port and sqlbrowser to others on the network wanting to access the database through SQL Server authentication, and also allows remote users to connect to this server remotely if they have the login and password (and because the port is already open)



I understand this is not secure and open to attack, and am unsure of how to secure these processes without blocking these three types of access, from A.) the local user, B.) the network user and C.) the remote user across the net.



Have researched this a fair bit, but get somewhat lost amongst all the jargon.

View 6 Replies View Related

SQL Security :: How To Organize And Secure Database Users

Apr 21, 2015

Is there any way in which I could distinguish a group of Database users from the other users. Say for e.g. store the Database users hierarchically, etc. Adding a Prefix/Suffix to the user name as a distinguish-er will not work in my case. I want to restrict the deletion of these Database users. Even the login with sysadmin or serveradmin rights should not be able to DROP those Database users.

View 11 Replies View Related

Secure Social Security Number In My DataBase

Jun 13, 2006

Hi, i have a data base in SQL 2005 and i it has many tables with confidencial information Like Social Security numbers, Credit card Numbers, etc. And i would like to encrypt this information or make something to make this info invisible to any hacker, or any person that logs on the server.

Here are the limitations:

1 - I cant make any changes in the front end, so if i encrypt the data, I have to make all the modifications in the database, and if the front end needs some encrypted information, the database should dencrypt it.

Any one has any idea ???



Best Regards.

View 7 Replies View Related

DB Engine :: Connection Closed From Application End

Jun 30, 2015

The application server gets below error while the job is being run intermittently:

An error occurred while performing connection management

com.microsoft.sqlserver.jdbc.SQLServerException: The connection is closed.
 at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:171)
 at com.microsoft.sqlserver.jdbc.SQLServerConnection.checkClosed(SQLServerConnection.java:319)
 at com.microsoft.sqlserver.jdbc.SQLServerConnection.prepareStatement(SQLServerConnection.java:1839)

[Code] ....

There is no error reported in SQL logs.

View 6 Replies View Related

Simple Search Engine (windows Application)

Sep 14, 2005

I'd like to build a simple search engine against Sql Server. Does .NET Framework provide some class to help in this task? From what I've heard there is an interface which implements it..

View 1 Replies View Related

DB Engine :: Restore Database When It Is Accessed By Application?

Oct 5, 2015

Our application team make design changes of the database in their development server and asks me to restore the bak file from the development server into the production server with replace command. The database in the production server is connected to the application server and so when I try to restore the database error message comes that the database is in use.

So first I find out the sessions with the logins who is the user in the database with sys.dm_exec_sessions joined with sys.dm_exec_requests and then kill the sessions. And after that it is possible to restore. But many times when I kill the session and try to restore in between new sessions comes into effect which are generated from the web server and many times I have to resubmit the query in the dmv's and find the sessions and kill it again and again before restore can be done. Is there any correct method to restore an active database which is being accessed by the application from a web server with out stopping the web server?

View 6 Replies View Related

DB Engine :: Application That Insert Some Data In Database

Jun 15, 2015

What are the optimal values for this parameters? How it depends from queries characteristics?I create an application that insert some data in database. It'll work on different servers with different load and performance. I want to prevent timeout exceptions.

View 4 Replies View Related

DB Security Vs. Application

Feb 3, 2004

We are rolling out mssqlxpress to our development staff and would prefer to alter their permissions so that they can only make changes using mssqlxpress (since it integrates nicely with VSS).

So are choices are to uninstall SQL Enterprise Manager and SQL Query Analyzer, or more preferably, alter their NT Permissions so that they do not have the capability to change anything in the DB's.

My concern is that it seems we can only set their permissions from DB level and not the application, does that sound correct? Has anyone else had to deal with this predicament and is there an alternative to uninstalling the SQL Client tools?

View 1 Replies View Related

DB Engine :: Export Data-tier Application Restrictions

Oct 27, 2015

I want to create one bacpac file but it does fails, Need I delete all the descriptions before to begin? How odd! I don't understand why can we choose some scripting options such as we did on 'Generate Scripts' task..I get errors such as: dbo.table.field.Ms_Description is not supported when used as part of a data package

View 2 Replies View Related

DB Engine :: Identifying Start Time For Application Hitting?

Jun 12, 2015

We have an issue where servers goes slow from morning 2 AM EST to 10 AM EST.

Using SP_WhoIsActive we somehow found that there is netbackup from Symantec which runs during that time phrase.

As per Symantec team there backup should get over by 5 AM EST, per their testing for almost 100 Dbs on the server( not big in size , all of them in total would be 60 GB).

Using SP_whoisactive we only see, start time of that virtual backup occurring on tape, for one database at time.

So is there a way we actually determine when does the above backup kicks and stops?Also, could SQL server be the problem in making these backups run slow or there is something else i need to monitor?

View 6 Replies View Related

Security- Application Roles

Jul 17, 2000

We are looking to make our applications as secure as possible. I am interested in how well Application Roles work to make security tighter.

Have you used Application Roles. If you have, I'd like to know if it helped provide better security or not and if it did, how was it implmented in you production environment. I already know how to get it set up, I'm just wondering if it's really worth the trouble.

Thanks!

View 2 Replies View Related

Designing Security In An Application

Apr 24, 2008

With my next application, I'm thinking about establishing a new security paradigm for my programs, with respect to SQL Server.

In all my previous applications, connections are established using SQL Server authentication. So, all my users may log-in under a single log-in, mapping to a single user in a database. My application then has to use its own security arrangement to determine who has access to what forms within the application. There are three major problems with this design: 1) the user name and password to connect to the SQL server have to be resident as strings somewhere in the application code (or ancillary files), 2) everyone connecting to the SQL Server "looks" the same, and 3) you have to give the broadest rights to everyone with the same login and then pare those rights down within the application itself.

By implementing multiple SQL Server Authentication logins I can mitigate problems 2) and 3), but the only way to eliminate problem 1) is to move to Windows Authentication.

Windows Authentication would allow me to resolve all three design constraints, but there is one problem that I see coming as a result.

If I use Windows Authentication, each user must have an independent login to the SQL Server. If I have an application that may have 4,000 to 6,000 users, does that means I have to have 4,000 to 6,000 logins set up on SQL Server?

Is that true?

I could, of course, generate a script to build all 4,000 to 6,000 users, but I am concerned about this.

Is this a "normal" arrangement that SQL Server has no problem-with?

View 8 Replies View Related

Yet Another Question On Application Security....

Sep 29, 2006

Ok, i have read a few articles regarding application security and it sems to me the Microsoft just doesn't get it.

As others have posted, Vendor packages are not normally controlled by the IT staff... they do what they do. When an application is used for mission critical data, it becomes important to lock down that data as best as it can be under the limits of that application. Yet what is often lacking in a vendor package is thought about what opening up the database means.

We are using a Vendor package that does not allow for application security to be set. In other words, it uses windows authentication to grant Database access. As many others here have noted, this opens the database to manipulation via any other tool the user has at their disposal.

It seems that the general reply here is that we should get the vendor to change their package to allow for Application level security. Good Luck!

I am not a DBA (must be obvious at this point) and i do not know all the what's up and coming, but generally as a system support person, i must deal within the environment i am given. Here's what I see as the environment I am working under, the problem and the preferred solution.

Application only allows windows authentication.

The users must be allowed full access to the database in order for the application to perform updates as needed.

Security to specific data by company is controlled within the application to determine what a specific user can change.

Granting security to a user ID allows them to access and change data at will through an alternate product (E.G. Enterprise manager, MS Access etc.) without regards to the security built in to the application.

SQL Server knows what ID is requesting data and knows what application is generating the request (I have seen screen prints of the list of who is logged into the database and right alongside the UserID is the Apllication Name).

If SQL server knows these two bits of info, why is it so difficult to allow SQL server to append the Application name onto the user ID and allow access to the DB only via this combination? The permissions can be set up with some combination of UserID/Application name and no special security, no messing with special application passwords/aliases, no pleading with Vendors to make changes and best of all.... satisfying SEC rules for locking down DBs.

Am i missing something? Does anyone know how i can accomplish this simple task without stressing out the DBAs?

Thanks for all your help and creative ideas!

Rob

View 21 Replies View Related

Security For Application Role

Sep 4, 2007

We have an application use Approle to read from database. If the client login to windows as administrator or a name that has the administrator rights, the application can get all data. If the client login to windows as a domain user that has limited rights, the application can't get all data.
I run profiler and found that it seems, when application use approle to access a database, the login name is the domain user that log into windows. Is there anybody know what type of right the window login name should have in order to get all data from a database?

Second question, when I log in to window as domainusername( username is not administrator, but has administrator rights). In the profiler, I can see the application use this domainusername access database. However, under sql server login node, I didn't find domainusername. Is this because, the domainusername belongs to buildinadministrator?

Thanks

View 1 Replies View Related

SQL Security :: Enable Encrypted Connections To Database Engine?

Nov 2, 2015

The option:

SQL Server Configuration Manager>SQL Server Network Configuration>Protocol for SQL_xxx (right click)>Properties, we can see two Tabs:

Tab 1: Flags
Tab 2: Certificate

If I set the value of Hide Instance= Yes, does "Force Enctyption", need to be set YES as well? 

Or Force Enctyption has to be enabled in order to hide instance?

What is the recommend settings?

[URL]

View 3 Replies View Related

DB Engine :: Replicate Database On Another Server With / Without Bring Over Security?

May 6, 2015

I have 2 SQL 2008 R2 Servers which are always running (on is Prod/one is Test).

is there a way to sync Prod to Test WITHOUT using the .bak and overriding Test's Security settings?

View 6 Replies View Related

Application && Database Security Consultant

Dec 2, 2005

Looking for a consultant with solid experience in application anddatabase security for a project in the GTA.CONTACT---------------------------------------------------Please send your resume to:Join Bytes!

View 1 Replies View Related

Application Login And Integrated Security

Aug 8, 2007

Hello,

We're having a bit of a problem getting Integrated Security to work with a .Net 2.0 application and SQL 2005. While we're tweaking permissions on the SQL-side, we came across an account "Application Login" and wondered what its role is. First, our problem:

Currently, the users in the AD group get a connection error. This group is defined as follows at the instance level:

role: public
user mapping: to the database without any default schema
securables: none
status: grant and enabled

At the database security level:

general: none
securables: execute on all (100+) stored procedures

And we gave them "Execute" on the database itself.

A little background: we had detached and copied this database from one server to another. So we suspect that the Application Login may have been modified/corrupted, even though it appears to be identical between the original and the copied databases. So we redefined it on the copied DB to match the original.
Another group, which is defined as dbo on the database, has no problem at all connecting and running the application.

The Application Login has Execute permissions on all stored procedures and Delete, Insert, Select, Update, and View Definition on the ChangeLog table. It also has db_DataReader, db_DataWriter, and db_ddlAdmin roles associated with it.

Is there another SQL login required for initial connection to the database even though Integrated Security=SSPI is used in the connection string?

Does anyone see where we may be missing a security setting for the non-dbo user group to connect to the database?

Thanks very much for any suggestions, ideas ....
Cheers,
Tess

View 1 Replies View Related

Connection Problem From Access Front End Application To SQL Desktop Engine Backend

Jul 23, 2005

Hi there,I sincerely hope that someone out there can help. I have twoinstances of the SQL 2000 Desktop Engine running. One is on my localmachine for development and the other is on another machine on ournetwork which is the production environment. I have built an Access2003 front end application which connects to this database. Thisworks fine locally, as you would expect. I successfully installed thedatabase on the production machine and am able to connect to it viaAccess 2003 (using the Data Link Properties window) and from thirdparty database manager software (similar to Enterprise Manager). I amnot able to to connect to the database via my application.I am using the "sa" account with a strong password. This is myconnection string:strConnection = "Provider=sqloledb;DataSource=server02;UserId=sa;Password=strong;Initial Catalog=Test"The error I'm getting is:"Connection cannot be used to perform this operation. It is eitherclosed or invalid in this context."The connection string is the only thing that changes in my code when Iswitch from my local to my production database. Is there some reasonthat I can't use the "sa" account in this fashion that I'm not awareof? I'd rather not use integrated security for simplicity's sake asthis is a small, internal application. Also, I would have thoughtthat if that was the issue, I couldn't use "sa" at all, even locally.I'm going to post to the Access group as well but thought someone heremight have some advice to offer as well.Thanks,Barb

View 2 Replies View Related

SQL Security :: User Login Failed For Web Application

Nov 19, 2015

We have a Web application that requires user authentication.  We have a Login Page for user's to login and be authenticated.  We also manage the user accounts using SQL Server Membership Provider.  We created aLogin user in SQL Server and used this user's privileges to connect to SQL Server in our website's connection strings.  Example, in our Web.config file, the connection string is:

<connectionStrings>
  <addname="MyConnectionString"connectionString="Server=MYSERVERNAMESQLSERVER2012;Initial
Catalog=MyDatabase;User Id=TUser;Password=MyPassword"providerName="System.Data.SqlClient"/>
</connectionStrings>

The problem now is when a user logs in, it's throwing an error that TUser's password has already expired.  We did not enforce the password policy and expiration date for this user.  So, I'm wondering why it's giving me this error.

View 2 Replies View Related

SQL Server Security Setup For Web Application Access

Jun 6, 2007

All:

I am writing an Internet/Extranet based (ASP.Net 2.0) web application that uses SQL server 2005 as the database. I am using forms authentication on my web application. I am also storing the connection string to SQL server in my web config file. The conn string is encrypted using DPAPI with entropy. I currently have created a SQL login account on my SQL server for use by the web application. This is the user ID I am using in my conn string. The reason for this is because all persons using the application will NOT have a windows login.

Here is my question: The login I created currently has defaulted to the "dbo" role and therefore has "dbo" rights to the database. I want to setup up this login account so that all it can do is execute stored procedures. I dont want this SQL login to be able to do anything else. In my application I am using stored procedures for ALL data access functions, via a data access layer in my application. Can someone guide me step by step as to how to setup this type of access for this SQL login.

Thanks,

Blue.

View 1 Replies View Related

Unauthorized Operation Setting Application Security Through VS2005 (Why?)

Feb 12, 2007

I'm attempting to setup the defaco MS security for membership and roles, using a newly created database under SQL 2005 (not express). I created the database using the aspnet_regsql.exe utility and that worked fine. I created my provider connection string logging in as 'sa' wit the proper password. All that seemed to work okay too. However when I attempt to change any of the settings like setting the authentication type or enabling roles, I get the follwing error message: The following message may help in diagnosing the problem: Attempted to perform an unauthorized operation. at System.Security.AccessControl.Win32.SetSecurityInfo(ResourceType type, String name, SafeHandle handle, SecurityInfos securityInformation, SecurityIdentifier owner, SecurityIdentifier group, GenericAcl sacl, GenericAcl dacl) at System.Security.AccessControl.NativeObjectSecurity.Persist(String name, SafeHandle handle, AccessControlSections includeSections, Object exceptionContext) at System.Security.AccessControl.NativeObjectSecurity.Persist(String name, AccessControlSections includeSections) at System.Security.AccessControl.FileSystemSecurity.Persist(String fullPath) at System.IO.File.SetAccessControl(String path, FileSecurity fileSecurity) at System.Configuration.Internal.WriteFileContext.DuplicateTemplateAttributes(String source, String destination) at System.Configuration.Internal.WriteFileContext.DuplicateFileAttributes(String source, String destination) at System.Configuration.Internal.WriteFileContext.Complete(String filename, Boolean success) at System.Configuration.Internal.InternalConfigHost.StaticWriteCompleted(String streamName, Boolean success, Object writeContext, Boolean assertPermissions) at System.Configuration.Internal.InternalConfigHost.System.Configuration.Internal.IInternalConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext, Boolean assertPermissions) at System.Configuration.Internal.InternalConfigHost.System.Configuration.Internal.IInternalConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext) at System.Configuration.Internal.DelegatingConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext) at System.Configuration.UpdateConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext) at System.Configuration.MgmtConfigurationRecord.SaveAs(String filename, ConfigurationSaveMode saveMode, Boolean forceUpdateAll) at System.Configuration.Configuration.SaveAsImpl(String filename, ConfigurationSaveMode saveMode, Boolean forceSaveAll) at System.Configuration.Configuration.Save(ConfigurationSaveMode saveMode) at System.Web.Administration.WebAdminPage.SaveConfig(Configuration config) at ASP.security_setupauthentication_aspx.UpdateAndReturnToPreviousPage(Object sender, EventArgs e) at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)Anyone have any clue why this is happening? Do I need to add something to the database as far as users/roles go? I figured 'sa' would have free roam, but something permission-wise just isn't jiving.

View 2 Replies View Related

Security Error When Execute Sp From An Application, But Not From SQL Management Studio.

May 8, 2008


Hello,
I am facing a very odd behavior with SQL server 2005.
I have a database role with specific permissions to execute only some of the stored procedures in the database. I also have a SQL login/user attached to the role.

If I execute one of the stored procedures from the application (web application, with Microsoft enterprise library database block) I am getting a security error stating that I need select permission for the schema.
However, If I execute the same sp with the same parameters from SQL management studio, connecting with the same SQL login as in the application I can execute the sp without any security errors. The SQL management studio is in on a different server than the targeted database.

Are there any differences between executing stored procedures from SQL MS and from application when using the same SQL login?

Thanks,
IT

View 6 Replies View Related

SQL Server 2005 Security Setup For ASP.Net Web Application Data Access - HELP!

Nov 17, 2007



Here is my situation: I am creating a database driven ASP.Net web application that will be used over the internet. My ASP.Net application connects to my SQL server 2005 database/server by using a SQL server login. I am using the DPAPI API to encrypt my connection stings with a hidden entropy value for extra security. I am using the SQL login for obvious reasons, as my users will not have a windows login.

What I am trying to do: I want to limit this SQL login account to be able to just run/execute stored procedures and NOT access the tables or views directly. In my ASP.Net application I am using the MS applications data block, and I am using stored procedures for every single database access action. There is no inline SQL being executed from my web application.

What I have tried so far:


I created a new schema and made the above SQL login account owner of this schema. I then granted "Execute" permissions to the SQL login and DENY permissions to all other permissions.

I created an database role with "Execute" only permissions and DENY permissions to all other permissions.

What Happened: In BOTH of the above scenarios I tested a direct SQL statement against one of my tables, from my ASP.Net application and I was able retrieve data back, NOT GOOD, exactly what I am trying to STOP.

If someone could give me (Step-by-Step) guide on how to setup the situation I am looking for, I would be very grateful!


Thanks to all that help!

View 13 Replies View Related

Application/Security Design: Stored Procedures Versus SQL Queries

Mar 7, 2007

Hello everyone,

I don't know what category would be appropriate for this question but security seems to be close enough.

I have this case scenario: I am running an automated application that extracts data from a web site and stores the data into a table on SQL server 2005. This information is not confidential in the extreme of social insurance #'s, bank account #s, but should not be seen by a typical employee (it has no use for them). After the data has been stored, it retrieves the data from the same table, processes it, and updates the same table. This application runs every hour infinitely.

Should all the insert, update, and select queries be stored under a stored procedure? I am not concern with performance. My concern would fall under design and security.

Is it worth to hide the details of inserting/updating/selecting behind a stored procedure? Or should I just allow the program to send select/update/insert SQL queries?

No employee (other then the developer and the DB admin) or customer ever access this table (They do not have permission from SQL). The username and passwords were created with security in mind.



Any thoughts or ideas?

Thanks for your time, Adrian

View 11 Replies View Related

SQL Server 2k Security Setup On Application Server

Apr 13, 2004

Hi all

If i wanted to set up my SQL Server DB to run in an Application Server environment (i.e. clients connecting to a remote server)
would i be required to give every user a WINDOWS SERVER logon as well as a SQL Server logon or would i only need to setup just a SQL Server logon for them?
(obviously using SQL Server Security opposed to NT Integrated Security)

Thanks in advance for any help

View 3 Replies View Related

How To Secure Mdf

Sep 24, 2005

I am designing an application built on sql server 2000
how can I prohibit other sql server users from accessing my database and allowing only acceesing it through my application or through owner designer of sql server database.

my situation needs sometimes copying the db from the end user platforms to
my designer computer to analyze some problems or maintainenace or modification, and also I have no control on users windows environment and I need the end user professional not to enter the my db from outside my application.

So,
is there anything I can do to secure an MDF (MSDE/SQL Server 2000) file so that a user cannot see my schema under any circumstances.

Even if I lock the MDF down and secure the instance, a smart user can just shut off the SQL server, copy the MDF to another instance, sp_attachdb and open it with sa rights. I need a way to prevent others from getting inside my schema.

View 1 Replies View Related

Secure FTP

Apr 28, 2008

Hi,
Do you guys know how to call secure FTP from a script task in an SSIS package which can be done by invoking the exe like winscp from a script task

View 1 Replies View Related

Secure FTP

Apr 9, 2008

hi everybody ,
Can anybody tell me about Secure FTP
and how the code for uploading and downloading of files can be write using Visual C#
actually i have created code for Standad FTP(normal FTP), but when I am using it for secure FTP then the compiler is giving an Exception: "Unable to create Remote Server"
very confuse about what to do....??
even very small help would be very very appreciable
thanx .... Nics

View 9 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved