DB Engine :: How Security Log Is Much Secure Than Application Log
Sep 17, 2015SQL Server 2008 R2: How security log is much secure than application log?
View 3 Replies
ADVERTISEMENT
DB Engine :: Secure Deletion Of Data
Nov 16, 2015We have been asked whether it is possible to completely delete sensitive data. When data is deleted it is not actually completely removed from the database but is marked as deleted. It is possible to zero out that data using sp_clean_db_free_space but this doesn't affect the transaction log.
We had hoped that CHECKPOINT would clear the data from the log but we are not completely certain of this. So the question becomes is there a built-in command or function in SQL Server 2008, or subsequent versions, that will completely remove deleted data, both from the transaction log and the database itself? Or is there a 3rd party tool to accomplish the same thing?
Secure .NET 1.1 Application From Users
Jan 20, 2006Hi all.
I am developing an distributed VB.NET 1.1 application with a TripleDES capable socket layer for communication with my server app.
I need to secure the distributed app from the users within the organization I am developing it for (a franchise).
I do not wish to store any encryption keys in the source code as these would be obvious to any seasoned hacker through decompilation of my binaries (even with obfuscation). I have decided to use the windows DPAPI (under machine storage mode) to secure manually entered (at installation) encryption layer keys in the registry. The salt values for this DPAPI mode also need to be secured, as a disgruntled franchise owner may be the hacker (and hence would have admin privilege on the machine the software is installed on). Not as far fetched as you think !
This is the beginning of a vicious cycle. How do I secure and where do I store this salt value safely ? With it a hacker with admin privilige can easily decrypt my keys if they know I am using machine mode DPAPI. Can I use ACLs to protect the keys with an account I set up manually on the machine ? If so then I would need to be able to switch account identities in my code (which I haven't researched as yet) and then would need to store the password to that somewhere.
If anyone could offer any insight or direction it would be much appreciated.
SQL Security :: How To Secure MDF File
Sep 14, 2015I have a query regarding how to secure my mdf file.
I'm sending my mdf file at the time of installation of the software, so I want to know how to protect my mdf file from other clients.
(So that they cannot see or access my tables and data present in it).
Secure SQL Server Remote Access From ISV Application
May 8, 2007Hi guys
I'm writing a C# application which connects to a local SQL database for data access. The application connects to SQL Server through windows authentication, but opens up the port and sqlbrowser to others on the network wanting to access the database through SQL Server authentication, and also allows remote users to connect to this server remotely if they have the login and password (and because the port is already open)
I understand this is not secure and open to attack, and am unsure of how to secure these processes without blocking these three types of access, from A.) the local user, B.) the network user and C.) the remote user across the net.
Have researched this a fair bit, but get somewhat lost amongst all the jargon.
SQL Security :: How To Organize And Secure Database Users
Apr 21, 2015Is there any way in which I could distinguish a group of Database users from the other users. Say for e.g. store the Database users hierarchically, etc. Adding a Prefix/Suffix to the user name as a distinguish-er will not work in my case. I want to restrict the deletion of these Database users. Even the login with sysadmin or serveradmin rights should not be able to DROP those Database users.
View 11 Replies View RelatedSecure Social Security Number In My DataBase
Jun 13, 2006 Hi, i have a data base in SQL 2005 and i it has many tables with confidencial information Like Social Security numbers, Credit card Numbers, etc. And i would like to encrypt this information or make something to make this info invisible to any hacker, or any person that logs on the server.
Here are the limitations:
1 - I cant make any changes in the front end, so if i encrypt the data, I have to make all the modifications in the database, and if the front end needs some encrypted information, the database should dencrypt it.
Any one has any idea ???
Best Regards.
DB Engine :: Connection Closed From Application End
Jun 30, 2015The application server gets below error while the job is being run intermittently:
An error occurred while performing connection management
com.microsoft.sqlserver.jdbc.SQLServerException: The connection is closed.
at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:171)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.checkClosed(SQLServerConnection.java:319)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.prepareStatement(SQLServerConnection.java:1839)
[Code] ....
There is no error reported in SQL logs.
Simple Search Engine (windows Application)
Sep 14, 2005I'd like to build a simple search engine against Sql Server. Does .NET Framework provide some class to help in this task? From what I've heard there is an interface which implements it..
View 1 Replies View RelatedDB Engine :: Restore Database When It Is Accessed By Application?
Oct 5, 2015Our application team make design changes of the database in their development server and asks me to restore the bak file from the development server into the production server with replace command. The database in the production server is connected to the application server and so when I try to restore the database error message comes that the database is in use.
So first I find out the sessions with the logins who is the user in the database with sys.dm_exec_sessions joined with sys.dm_exec_requests and then kill the sessions. And after that it is possible to restore. But many times when I kill the session and try to restore in between new sessions comes into effect which are generated from the web server and many times I have to resubmit the query in the dmv's and find the sessions and kill it again and again before restore can be done. Is there any correct method to restore an active database which is being accessed by the application from a web server with out stopping the web server?
DB Engine :: Application That Insert Some Data In Database
Jun 15, 2015What are the optimal values for this parameters? How it depends from queries characteristics?I create an application that insert some data in database. It'll work on different servers with different load and performance. I want to prevent timeout exceptions.
View 4 Replies View RelatedDB Security Vs. Application
Feb 3, 2004We are rolling out mssqlxpress to our development staff and would prefer to alter their permissions so that they can only make changes using mssqlxpress (since it integrates nicely with VSS).
So are choices are to uninstall SQL Enterprise Manager and SQL Query Analyzer, or more preferably, alter their NT Permissions so that they do not have the capability to change anything in the DB's.
My concern is that it seems we can only set their permissions from DB level and not the application, does that sound correct? Has anyone else had to deal with this predicament and is there an alternative to uninstalling the SQL Client tools?
DB Engine :: Export Data-tier Application Restrictions
Oct 27, 2015I want to create one bacpac file but it does fails, Need I delete all the descriptions before to begin? How odd! I don't understand why can we choose some scripting options such as we did on 'Generate Scripts' task..I get errors such as: dbo.table.field.Ms_Description is not supported when used as part of a data package
View 2 Replies View RelatedDB Engine :: Identifying Start Time For Application Hitting?
Jun 12, 2015We have an issue where servers goes slow from morning 2 AM EST to 10 AM EST.
Using SP_WhoIsActive we somehow found that there is netbackup from Symantec which runs during that time phrase.
As per Symantec team there backup should get over by 5 AM EST, per their testing for almost 100 Dbs on the server( not big in size , all of them in total would be 60 GB).
Using SP_whoisactive we only see, start time of that virtual backup occurring on tape, for one database at time.
So is there a way we actually determine when does the above backup kicks and stops?Also, could SQL server be the problem in making these backups run slow or there is something else i need to monitor?
Security- Application Roles
Jul 17, 2000We are looking to make our applications as secure as possible. I am interested in how well Application Roles work to make security tighter.
Have you used Application Roles. If you have, I'd like to know if it helped provide better security or not and if it did, how was it implmented in you production environment. I already know how to get it set up, I'm just wondering if it's really worth the trouble.
Thanks!
Designing Security In An Application
Apr 24, 2008With my next application, I'm thinking about establishing a new security paradigm for my programs, with respect to SQL Server.
In all my previous applications, connections are established using SQL Server authentication. So, all my users may log-in under a single log-in, mapping to a single user in a database. My application then has to use its own security arrangement to determine who has access to what forms within the application. There are three major problems with this design: 1) the user name and password to connect to the SQL server have to be resident as strings somewhere in the application code (or ancillary files), 2) everyone connecting to the SQL Server "looks" the same, and 3) you have to give the broadest rights to everyone with the same login and then pare those rights down within the application itself.
By implementing multiple SQL Server Authentication logins I can mitigate problems 2) and 3), but the only way to eliminate problem 1) is to move to Windows Authentication.
Windows Authentication would allow me to resolve all three design constraints, but there is one problem that I see coming as a result.
If I use Windows Authentication, each user must have an independent login to the SQL Server. If I have an application that may have 4,000 to 6,000 users, does that means I have to have 4,000 to 6,000 logins set up on SQL Server?
Is that true?
I could, of course, generate a script to build all 4,000 to 6,000 users, but I am concerned about this.
Is this a "normal" arrangement that SQL Server has no problem-with?
Yet Another Question On Application Security....
Sep 29, 2006Ok, i have read a few articles regarding application security and it sems to me the Microsoft just doesn't get it.
As others have posted, Vendor packages are not normally controlled by the IT staff... they do what they do. When an application is used for mission critical data, it becomes important to lock down that data as best as it can be under the limits of that application. Yet what is often lacking in a vendor package is thought about what opening up the database means.
We are using a Vendor package that does not allow for application security to be set. In other words, it uses windows authentication to grant Database access. As many others here have noted, this opens the database to manipulation via any other tool the user has at their disposal.
It seems that the general reply here is that we should get the vendor to change their package to allow for Application level security. Good Luck!
I am not a DBA (must be obvious at this point) and i do not know all the what's up and coming, but generally as a system support person, i must deal within the environment i am given. Here's what I see as the environment I am working under, the problem and the preferred solution.
Application only allows windows authentication.
The users must be allowed full access to the database in order for the application to perform updates as needed.
Security to specific data by company is controlled within the application to determine what a specific user can change.
Granting security to a user ID allows them to access and change data at will through an alternate product (E.G. Enterprise manager, MS Access etc.) without regards to the security built in to the application.
SQL Server knows what ID is requesting data and knows what application is generating the request (I have seen screen prints of the list of who is logged into the database and right alongside the UserID is the Apllication Name).
If SQL server knows these two bits of info, why is it so difficult to allow SQL server to append the Application name onto the user ID and allow access to the DB only via this combination? The permissions can be set up with some combination of UserID/Application name and no special security, no messing with special application passwords/aliases, no pleading with Vendors to make changes and best of all.... satisfying SEC rules for locking down DBs.
Am i missing something? Does anyone know how i can accomplish this simple task without stressing out the DBAs?
Thanks for all your help and creative ideas!
Rob
Security For Application Role
Sep 4, 2007We have an application use Approle to read from database. If the client login to windows as administrator or a name that has the administrator rights, the application can get all data. If the client login to windows as a domain user that has limited rights, the application can't get all data.
I run profiler and found that it seems, when application use approle to access a database, the login name is the domain user that log into windows. Is there anybody know what type of right the window login name should have in order to get all data from a database?
Second question, when I log in to window as domainusername( username is not administrator, but has administrator rights). In the profiler, I can see the application use this domainusername access database. However, under sql server login node, I didn't find domainusername. Is this because, the domainusername belongs to buildinadministrator?
Thanks
SQL Security :: Enable Encrypted Connections To Database Engine?
Nov 2, 2015The option:
SQL Server Configuration Manager>SQL Server Network Configuration>Protocol for SQL_xxx (right click)>Properties, we can see two Tabs:
Tab 1: Flags
Tab 2: Certificate
If I set the value of Hide Instance= Yes, does "Force Enctyption", need to be set YES as well?
Or Force Enctyption has to be enabled in order to hide instance?
What is the recommend settings?
[URL]
DB Engine :: Replicate Database On Another Server With / Without Bring Over Security?
May 6, 2015I have 2 SQL 2008 R2 Servers which are always running (on is Prod/one is Test).
is there a way to sync Prod to Test WITHOUT using the .bak and overriding Test's Security settings?
Application && Database Security Consultant
Dec 2, 2005Looking for a consultant with solid experience in application anddatabase security for a project in the GTA.CONTACT---------------------------------------------------Please send your resume to:Join Bytes!
View 1 Replies View RelatedApplication Login And Integrated Security
Aug 8, 2007Hello,
We're having a bit of a problem getting Integrated Security to work with a .Net 2.0 application and SQL 2005. While we're tweaking permissions on the SQL-side, we came across an account "Application Login" and wondered what its role is. First, our problem:
Currently, the users in the AD group get a connection error. This group is defined as follows at the instance level:
role: public
user mapping: to the database without any default schema
securables: none
status: grant and enabled
At the database security level:
general: none
securables: execute on all (100+) stored procedures
And we gave them "Execute" on the database itself.
A little background: we had detached and copied this database from one server to another. So we suspect that the Application Login may have been modified/corrupted, even though it appears to be identical between the original and the copied databases. So we redefined it on the copied DB to match the original.
Another group, which is defined as dbo on the database, has no problem at all connecting and running the application.
The Application Login has Execute permissions on all stored procedures and Delete, Insert, Select, Update, and View Definition on the ChangeLog table. It also has db_DataReader, db_DataWriter, and db_ddlAdmin roles associated with it.
Is there another SQL login required for initial connection to the database even though Integrated Security=SSPI is used in the connection string?
Does anyone see where we may be missing a security setting for the non-dbo user group to connect to the database?
Thanks very much for any suggestions, ideas ....
Cheers,
Tess
Connection Problem From Access Front End Application To SQL Desktop Engine Backend
Jul 23, 2005Hi there,I sincerely hope that someone out there can help. I have twoinstances of the SQL 2000 Desktop Engine running. One is on my localmachine for development and the other is on another machine on ournetwork which is the production environment. I have built an Access2003 front end application which connects to this database. Thisworks fine locally, as you would expect. I successfully installed thedatabase on the production machine and am able to connect to it viaAccess 2003 (using the Data Link Properties window) and from thirdparty database manager software (similar to Enterprise Manager). I amnot able to to connect to the database via my application.I am using the "sa" account with a strong password. This is myconnection string:strConnection = "Provider=sqloledb;DataSource=server02;UserId=sa;Password=strong;Initial Catalog=Test"The error I'm getting is:"Connection cannot be used to perform this operation. It is eitherclosed or invalid in this context."The connection string is the only thing that changes in my code when Iswitch from my local to my production database. Is there some reasonthat I can't use the "sa" account in this fashion that I'm not awareof? I'd rather not use integrated security for simplicity's sake asthis is a small, internal application. Also, I would have thoughtthat if that was the issue, I couldn't use "sa" at all, even locally.I'm going to post to the Access group as well but thought someone heremight have some advice to offer as well.Thanks,Barb
View 2 Replies View RelatedSQL Security :: User Login Failed For Web Application
Nov 19, 2015We have a Web application that requires user authentication. We have a Login Page for user's to login and be authenticated. We also manage the user accounts using SQL Server Membership Provider. We created aLogin user in SQL Server and used this user's privileges to connect to SQL Server in our website's connection strings. Example, in our Web.config file, the connection string is:
<connectionStrings>
<addname="MyConnectionString"connectionString="Server=MYSERVERNAMESQLSERVER2012;Initial
Catalog=MyDatabase;User Id=TUser;Password=MyPassword"providerName="System.Data.SqlClient"/>
</connectionStrings>
The problem now is when a user logs in, it's throwing an error that TUser's password has already expired. We did not enforce the password policy and expiration date for this user. So, I'm wondering why it's giving me this error.
SQL Server Security Setup For Web Application Access
Jun 6, 2007All:
I am writing an Internet/Extranet based (ASP.Net 2.0) web application that uses SQL server 2005 as the database. I am using forms authentication on my web application. I am also storing the connection string to SQL server in my web config file. The conn string is encrypted using DPAPI with entropy. I currently have created a SQL login account on my SQL server for use by the web application. This is the user ID I am using in my conn string. The reason for this is because all persons using the application will NOT have a windows login.
Here is my question: The login I created currently has defaulted to the "dbo" role and therefore has "dbo" rights to the database. I want to setup up this login account so that all it can do is execute stored procedures. I dont want this SQL login to be able to do anything else. In my application I am using stored procedures for ALL data access functions, via a data access layer in my application. Can someone guide me step by step as to how to setup this type of access for this SQL login.
Thanks,
Blue.
Unauthorized Operation Setting Application Security Through VS2005 (Why?)
Feb 12, 2007I'm attempting to setup the defaco MS security for membership and roles, using a newly created database under SQL 2005 (not express). I created the database using the aspnet_regsql.exe utility and that worked fine. I created my provider connection string logging in as 'sa' wit the proper password. All that seemed to work okay too. However when I attempt to change any of the settings like setting the authentication type or enabling roles, I get the follwing error message: The following message may help in diagnosing the problem: Attempted to perform an unauthorized operation. at System.Security.AccessControl.Win32.SetSecurityInfo(ResourceType type, String name, SafeHandle handle, SecurityInfos securityInformation, SecurityIdentifier owner, SecurityIdentifier group, GenericAcl sacl, GenericAcl dacl) at System.Security.AccessControl.NativeObjectSecurity.Persist(String name, SafeHandle handle, AccessControlSections includeSections, Object exceptionContext) at System.Security.AccessControl.NativeObjectSecurity.Persist(String name, AccessControlSections includeSections) at System.Security.AccessControl.FileSystemSecurity.Persist(String fullPath) at System.IO.File.SetAccessControl(String path, FileSecurity fileSecurity) at System.Configuration.Internal.WriteFileContext.DuplicateTemplateAttributes(String source, String destination) at System.Configuration.Internal.WriteFileContext.DuplicateFileAttributes(String source, String destination) at System.Configuration.Internal.WriteFileContext.Complete(String filename, Boolean success) at System.Configuration.Internal.InternalConfigHost.StaticWriteCompleted(String streamName, Boolean success, Object writeContext, Boolean assertPermissions) at System.Configuration.Internal.InternalConfigHost.System.Configuration.Internal.IInternalConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext, Boolean assertPermissions) at System.Configuration.Internal.InternalConfigHost.System.Configuration.Internal.IInternalConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext) at System.Configuration.Internal.DelegatingConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext) at System.Configuration.UpdateConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext) at System.Configuration.MgmtConfigurationRecord.SaveAs(String filename, ConfigurationSaveMode saveMode, Boolean forceUpdateAll) at System.Configuration.Configuration.SaveAsImpl(String filename, ConfigurationSaveMode saveMode, Boolean forceSaveAll) at System.Configuration.Configuration.Save(ConfigurationSaveMode saveMode) at System.Web.Administration.WebAdminPage.SaveConfig(Configuration config) at ASP.security_setupauthentication_aspx.UpdateAndReturnToPreviousPage(Object sender, EventArgs e) at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)Anyone have any clue why this is happening? Do I need to add something to the database as far as users/roles go? I figured 'sa' would have free roam, but something permission-wise just isn't jiving.
View 2 Replies View RelatedSecurity Error When Execute Sp From An Application, But Not From SQL Management Studio.
May 8, 2008
Hello,
I am facing a very odd behavior with SQL server 2005.
I have a database role with specific permissions to execute only some of the stored procedures in the database. I also have a SQL login/user attached to the role.
If I execute one of the stored procedures from the application (web application, with Microsoft enterprise library database block) I am getting a security error stating that I need select permission for the schema.
However, If I execute the same sp with the same parameters from SQL management studio, connecting with the same SQL login as in the application I can execute the sp without any security errors. The SQL management studio is in on a different server than the targeted database.
Are there any differences between executing stored procedures from SQL MS and from application when using the same SQL login?
Thanks,
IT
SQL Server 2005 Security Setup For ASP.Net Web Application Data Access - HELP!
Nov 17, 2007
Here is my situation: I am creating a database driven ASP.Net web application that will be used over the internet. My ASP.Net application connects to my SQL server 2005 database/server by using a SQL server login. I am using the DPAPI API to encrypt my connection stings with a hidden entropy value for extra security. I am using the SQL login for obvious reasons, as my users will not have a windows login.
What I am trying to do: I want to limit this SQL login account to be able to just run/execute stored procedures and NOT access the tables or views directly. In my ASP.Net application I am using the MS applications data block, and I am using stored procedures for every single database access action. There is no inline SQL being executed from my web application.
What I have tried so far:
I created a new schema and made the above SQL login account owner of this schema. I then granted "Execute" permissions to the SQL login and DENY permissions to all other permissions.
I created an database role with "Execute" only permissions and DENY permissions to all other permissions.
What Happened: In BOTH of the above scenarios I tested a direct SQL statement against one of my tables, from my ASP.Net application and I was able retrieve data back, NOT GOOD, exactly what I am trying to STOP.
If someone could give me (Step-by-Step) guide on how to setup the situation I am looking for, I would be very grateful!
Thanks to all that help!
Application/Security Design: Stored Procedures Versus SQL Queries
Mar 7, 2007Hello everyone,
I don't know what category would be appropriate for this question but security seems to be close enough.
I have this case scenario: I am running an automated application that extracts data from a web site and stores the data into a table on SQL server 2005. This information is not confidential in the extreme of social insurance #'s, bank account #s, but should not be seen by a typical employee (it has no use for them). After the data has been stored, it retrieves the data from the same table, processes it, and updates the same table. This application runs every hour infinitely.
Should all the insert, update, and select queries be stored under a stored procedure? I am not concern with performance. My concern would fall under design and security.
Is it worth to hide the details of inserting/updating/selecting behind a stored procedure? Or should I just allow the program to send select/update/insert SQL queries?
No employee (other then the developer and the DB admin) or customer ever access this table (They do not have permission from SQL). The username and passwords were created with security in mind.
Any thoughts or ideas?
Thanks for your time, Adrian
SQL Server 2k Security Setup On Application Server
Apr 13, 2004Hi all
If i wanted to set up my SQL Server DB to run in an Application Server environment (i.e. clients connecting to a remote server)
would i be required to give every user a WINDOWS SERVER logon as well as a SQL Server logon or would i only need to setup just a SQL Server logon for them?
(obviously using SQL Server Security opposed to NT Integrated Security)
Thanks in advance for any help
How To Secure Mdf
Sep 24, 2005I am designing an application built on sql server 2000
how can I prohibit other sql server users from accessing my database and allowing only acceesing it through my application or through owner designer of sql server database.
my situation needs sometimes copying the db from the end user platforms to
my designer computer to analyze some problems or maintainenace or modification, and also I have no control on users windows environment and I need the end user professional not to enter the my db from outside my application.
So,
is there anything I can do to secure an MDF (MSDE/SQL Server 2000) file so that a user cannot see my schema under any circumstances.
Even if I lock the MDF down and secure the instance, a smart user can just shut off the SQL server, copy the MDF to another instance, sp_attachdb and open it with sa rights. I need a way to prevent others from getting inside my schema.
Secure FTP
Apr 28, 2008Hi,
Do you guys know how to call secure FTP from a script task in an SSIS package which can be done by invoking the exe like winscp from a script task
Secure FTP
Apr 9, 2008hi everybody ,
Can anybody tell me about Secure FTP
and how the code for uploading and downloading of files can be write using Visual C#
actually i have created code for Standad FTP(normal FTP), but when I am using it for secure FTP then the compiler is giving an Exception: "Unable to create Remote Server"
very confuse about what to do....??
even very small help would be very very appreciable
thanx .... Nics