IUSER Security Risk??
Jun 29, 2006
We have an old ASP application that authenticates to a SQL Server 2000 database using the IUSER account.
We are exploring the possibility of moving it to a DMZ so users can access from home. The IUSER account is being used for all database activity for this application. Is there any reason to be concerned about using IUSER as opposed to sql authentication for this tool, or any other security risks I should be wary of. Mind you there may be some sensitive information contained in the database. Thanks in advance.
View 1 Replies
ADVERTISEMENT
Sep 24, 2015
I've read a bunch of articles saying you should always remove the guest user from the user databases and model. It seems to me that if a user only has public access then the user can't do anything on the database. If the guest user only has public access to a user database how is it a security threat? I must be missing something.
View 0 Replies
View Related
Apr 8, 2008
Hi all,
I just read this article. The kind of select is called dirty read.
So select with nolock might have inaccurate result...? PLEASE COMMENT ON THIS. I am using it to count some huge tables, and has problem on the result..
http://www.4guysfromrolla.com/webtech/101100-1.2.shtml
NOLOCK
Using NOLOCK politely asks SQL Server to ignore locks and read directly from the tables. This means you completely circumvent the lock system, which is a major performance and scalability improvement. However, you also completely circumvent the lock system, which means your code is living dangerously. You might read the not-necessarily-valid uncommitted modifications of a running transaction. This is a calculated risk.
For financial code and denormalized aggregates (those little counters of related data that you stash away and try desperately to keep accurate), you should play it safe and not use this technique.
View 9 Replies
View Related
Jul 20, 2005
I am sertainly no SQL expert so I am looking for a bit of help(actually quite desperate).The extra CPU and 1GB of RAM to be added to a server (Compaq DL380 G2:1.4 GHz PIII with a Gig of RAM) have not come in and we are scheduledto go live tomorrow with a MS SQL Server web app. Will potentiallyinsufficient hardware resources endanger the data of other appsrunning on the SQL Server or will the system simply be slow foreveryone?Basically, I need to know whether SQl Server bogs down gracefully(under 2x-3x an acceptable load) or will we be corrupting the databasewith a crash.Thanks a million,Bert
View 3 Replies
View Related
Mar 21, 2006
Use the view master.sys.sql_logins (new in 2005) to get at the varbinary passwords like you did in your Sql Server 2000 scripts (instead of using passwords from master.dbo.sysxlogins).
I have altered the sp_help_revlogin (from Microsoft article # 246133 )
PLEASE TEST/FIX before you use this:
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_help_revlogin_2005]') and OBJECTPROPERTY(id, N'IsProcedure') = 1)
drop procedure [dbo].[sp_help_revlogin_2005]
GO
SET QUOTED_IDENTIFIER OFF
GO
SET ANSI_NULLS OFF
GO
CREATE PROCEDURE sp_help_revlogin_2005 @login_name sysname = NULL AS
DECLARE @name sysname
DECLARE @logintype char(1)
DECLARE @logindisabled int
DECLARE @binpwd varbinary (256)
DECLARE @txtpwd sysname
DECLARE @tmpstr varchar (256)
DECLARE @SID_varbinary varbinary(85)
DECLARE @SID_string varchar(256)
IF (@login_name IS NULL)
DECLARE login_curs CURSOR FOR
SELECT sid, name, type, is_disabled FROM master.sys.server_principals
WHERE name <> 'sa' and type in ('S','U','G')
ELSE
DECLARE login_curs CURSOR FOR
SELECT sid, name, type, is_disabled FROM master.sys.server_principals
WHERE name = @login_name
OPEN login_curs
FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @logintype, @logindisabled
IF (@@fetch_status = -1)
BEGIN
PRINT 'No login(s) found.'
CLOSE login_curs
DEALLOCATE login_curs
RETURN -1
END
SET @tmpstr = '/* sp_help_revlogin_2005 script '
PRINT @tmpstr
SET @tmpstr = '** Generated '
+ CONVERT (varchar, GETDATE()) + ' on ' + @@SERVERNAME + ' */'
PRINT @tmpstr
PRINT ''
PRINT 'DECLARE @pwd sysname'
WHILE (@@fetch_status <> -1)
BEGIN
IF (@@fetch_status <> -2)
BEGIN
PRINT ''
SET @tmpstr = '-- Login: ' + @name
PRINT @tmpstr
IF (@logintype = 'G' OR @logintype = 'U')
BEGIN -- NT authenticated account/group
IF @logindisabled = 1
BEGIN -- NT login is denied access
SET @tmpstr = 'EXEC master..sp_denylogin ''' + @name + ''''
PRINT @tmpstr
END
ELSE BEGIN -- NT login has access
SET @tmpstr = 'EXEC master..sp_grantlogin ''' + @name + ''''
PRINT @tmpstr
END
END
ELSE IF (@logintype = 'S')
BEGIN -- SQL Server authentication
SELECT @binpwd = password_hash FROM master.sys.sql_logins WHERE SID = @SID_varbinary
IF (@binpwd IS NOT NULL)
BEGIN -- Non-null password
EXEC sp_hexadecimal @binpwd, @txtpwd OUT
SET @tmpstr = 'SET @pwd = CONVERT (nvarchar(128), ' + @txtpwd + ')'
PRINT @tmpstr
EXEC sp_hexadecimal @SID_varbinary,@SID_string OUT
SET @tmpstr = 'EXEC master..sp_addlogin @loginame = ''' + @name
+ ''', @passwd = @pwd, @sid = ' + @SID_string + ', @encryptopt = ''skip_encryption'''
END
ELSE BEGIN
-- Null password
EXEC sp_hexadecimal @SID_varbinary,@SID_string OUT
SET @tmpstr = 'EXEC master..sp_addlogin @loginame = ''' + @name
+ ''', @passwd = NULL, @sid = ' + @SID_string
END
PRINT @tmpstr
END
END
FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @logintype, @logindisabled
END
CLOSE login_curs
DEALLOCATE login_curs
RETURN 0
GO
SET QUOTED_IDENTIFIER OFF
GO
SET ANSI_NULLS ON
GO
View 4 Replies
View Related
Oct 6, 2015
We are developing an application that requires change tracking.We tested it in development and test environments and we are preparing our production deployment.The very first thing that needs to be done is an
ALTER
DATABASE [db_name] SET
CHANGE_TRACKING =
ON (CHANGE_RETENTION
= 2 DAYS,
AUTO_CLEANUP =
ON)
We are holding on this first step because this statement alone executed for a good 4min on the development server. The production environment is many times larger and busier, and we can’t afford service disruption, so we are at the point where we need to understand what’s involved in running this ALTER DATABASE statement.Is there any documentation on what is happening behind the scene when this statement executes such that we can assess the risks of running it in production?
View 5 Replies
View Related
Dec 4, 2014
I use from sql server 2008. and c#
what is the best connectionstring?
I don't know if i use Persist Security Info and Integrated Security or not?
And if yes then their value must be true or false?
View 1 Replies
View Related
Oct 14, 2005
Hello there I have trying to figure out for days how to enable FullTrust for my Reporting Services security extension.
View 9 Replies
View Related
Jul 31, 2007
Hi,
I have posted this issue for a week, haven't got any reply yet, I posted it again and desperately need your help.
The article http://msdn2.microsoft.com/en-us/library/ms365343.aspx says:
Model Item Security can be set for differnt security filters, but when I use SQL Server Management Studio to set Model Item Security, it seems "Permissions" property surpass "Model Item Security" property. -- My report server is using Custom Authentication.
For example, in "Permissions" property of the model, if I checked "Use these roles for each group or user account" without setting any user or group, no matter what users I added to "Model Item Security" with "Secure individual model items independently for this model" checked, NO one user can see the model on report manager and report builder;
in above situation, if I added "user1" and gave role such as "Browser" role to "user1" in "Permissions" property, if I checked "Secure individual model items independently for this model" in "Model Item Security" property, even I did NOT grant "user1" to root model and any entities under the model, the "user1" is able to access the model and all entities in report builder.
My question is on the same report model, how to set "AdminFilter" (empty security filter) for administrator permissions and set "GeneralFilter" (filtered on UserID) for general user based on their UserID?
The article also says:
"Security filters are always applied, even for users who have Content Manager or Administrator permissions to the model. To allow administrators or other users to see all rows of an entity on which row-level security is defined, you can create an empty security filter (which always returns True) and then use the filter to grant those users access to all the rows."
So I defined 2 filters "GeneralFilter" and "AdminFilter" for "Staff" entity for my report model "SSRSModel", I expect after I deployed the report model, the administrator users use report builder to build reports with all rows available, and the non-admin users can only see rows based on their UserID.
I can only get one result at a time but not both:
either the rows are filtered or not filtered at all, no matter how I set the "SecurityFilter" for the entity: I tried setting both "AdminFilter" and "GeneralFilter" for SecurityFilter at the same time, combination of "DefaultSecurityFilter" and "SecurityFilter", or one at a time.
Your help is highly appreciated!
Desperate developer
View 1 Replies
View Related
Apr 26, 2007
hi i want to know what is the differance between
Persist Security Info=False;Integrated Security=Yes;
View 1 Replies
View Related
Oct 18, 2015
Is there any possibility to schedule SQL job execution as Windows Security Group? I need to run powershell script through SQL job with one of this group member's permissions.
View 4 Replies
View Related
Jul 6, 2007
I have Sql Server Express installed on Vista (service pack 2)
I have Visual Studio 2005 with an application that I'm trying to access it with within a WCF service.
The login ID of the service is added to the database.
The database has remote access turned on.
The ID is granted access to all databases within the server.
The thread is being set with WindowsProvider and the services set their thread to WindowsProvider.
The dataserver is set with using Windows Authentication for security.
When I open my connection to the database, though, it reports the typically useless message that the connection is not allowed and that the server may not allow remote connections.
How to I get past this? I've done everything right.
View 1 Replies
View Related
Jun 18, 2007
I want to use an Active Directory security group that is a Distribution List for a new role assignment for an existing report. Can someone tell me if this is possible? I get an error each time I try:
The user or group name <DLName> is not recognized. (rsUnknownUserName)"
View 1 Replies
View Related
Jul 20, 2005
Is there anybody out there with a MS SQL 2K Security Baseline orSecurity Checklist. Where can I get one????Thanks in advanceDavid
View 1 Replies
View Related
Feb 28, 2008
Hi;
I am looking for a way to log all security related events for SQL in Windows Security Log. I am trying to use SCOM for monitoring SQL and I am looking at ways to generate alerts in my SCOM Console for specific events in SQL e.g. A table is deleted, user is modified, deleted, etc. Is this possible and if yes how do I achieve the same?
Rgds;
View 6 Replies
View Related
Aug 3, 2006
In an environment where there are many initaitors speaking to a central target with frowarders in between, from what i can understand this best policy is to disable encryption on the endpoints, since dialog encryption will be enforced this is all that is really required, is this correct.
If the endpoints used encryption the message would need to be encrypted and decrypted at each forwarder resulting in slower perfromance, where as dialog encryption would only encrypt at the sender and decrypt at the target, so is this the best way to go?
Secondly is it best practice to open a dialog initally and send messages over this dialog for years never ending the conversation? This way the services only have to authenticate eachother once, if there are no reboots etc that is of course.
I would think performance wise sending each message and ending the conversation each time is a much greater overhead ? So would it be best practice to keep dialogs open and keep sending messages ?
Initally when i was learning service broker i thought that one must send a message and end the dialog until the next message, but i think the other way is the best option ?
Is this correct ?
Thanx
View 1 Replies
View Related
Feb 19, 2007
Hi
I'm designing a distributed application where I will have SQL Server 2005 distributed databases replicating data to my central hub which is again a SQL Server 2005 database using SQL Service Broker. Data will be sent from the central hub to the distributed sites and vice versa. I need to authenticate the communication and also secure the communication by encrypting the messages. Which security shall I use? Where do I configure the type of security being used? What is the difference between transport security Vs dialogue security - Full security model?
Thanks
View 4 Replies
View Related
Jun 19, 2000
Hi:
Can anybody tell me the advantage and disadvantage to use NT security for SQL Server 7.0? For a corporation with 400 users, what is your recommendation for the SQL Server security management. Thanks.
Joan
View 1 Replies
View Related
Jul 30, 2004
What's the better security to use? Currently I'm always registering using the Windows authentication. When I'm trying to register using SQL authentication I always get "Login failed for user 'sa'" error....
View 1 Replies
View Related
Jan 19, 2007
I have setup a linked server on the same computer but different instances of sql. When I call the sprocs an error occurs... The message is...
The OLE DB provider "SQLNCLI" for linked server LINKEDSQL does not contain the table ""product"."dbo"."AccountTable". The table either does not exist or the current user does not have persmissions on that table.
I've checked the table "AccountTable" and it does exist. The database exist also which is "product". I also configure the linked server's RPC to "true" and timeout to "200". The linked server is also configured to use a single username and password which exist on the instance of sql that the linked server is connecting. Also, I enabled the instances of sql to allow remote connections and use mixed authentications.
The mode of access is that different client pc will call a method created with .NET, which in turn, call the sprocs on the linked server. Should I add all the client pc that will be calling the method? Why I'm getting this error? Help please? Thanks
View 1 Replies
View Related
Feb 1, 2002
I would like to trap all of the hosts connecting to one of my sql servers and then determine if one of the hosts is not on my list of approved hosts. If the host is not approved, I would process an alert.
I have written a stored proc that queries the sysprocesses table and then raises the alert. The problem is that sysprocesses only includes entries for the length of the connection. Someone could access the server quickly in between my proc running and I would not capture it. I thought about putting a trigger on sysprocesses to write to a history table but I do not like to put triggers in the master db.
Has anyone tackled this issue before or know where I could get a history of all connections to the sql server?
View 1 Replies
View Related
Apr 3, 2002
We have a 3rd Party system running on SQL Server that has presented us with a security problem.
All logins are handled by the application but the end result is each user has an easily identifiable login and password on the sql server box itself.
At a basic level there is nothing to stop a user linking through Microsoft Access and deleting table contents. We could live with that as Access knowledge is very limited.
Unfortunately a couple of developers now have Enterprise Manager and Query Analyzer installed on their workstations and they have already begun poking their noses where they are not welcome. The possiblity of data edits without an audit trail is now much higher.
Is there something I can do to block access?
I have found a stored procedure sp_MSSQLDMO70 in the master database which when execute is denied the user cannot log on through EM but is there anything similar for QA?
Help, they are getting a bit too eager to take my job!!
Andy
View 1 Replies
View Related
May 6, 2002
when u run a job using sql agent, say like a backup job, which security account does SQL use to run the job ?
also how does it differ if you execute the same job from
the command prompt or query analyzer ?
Thanks
View 1 Replies
View Related
Mar 27, 2001
Hi there,
Is there a way of restricting users' access to the content of DTS packages?
Thanks,
Michael Gagne
View 1 Replies
View Related
Sep 28, 2001
Hi All,
Is there any script/TSQL I can run to list all the
users and their access on a database???
I'd like to document all the access on our server.
Thanks,
David.
View 1 Replies
View Related
Dec 29, 2000
We are currently deciding what security model to use for SQL 2000.
I would like to know the advantage and disadvantage between
Winnt Authentication vs. Mixed Authentication.
Thank You
View 1 Replies
View Related
Jun 23, 2000
When giving access to users, an application they are using will normally update tables correctly.
If the user connects with another product such as Access or Excel, they may be able to make invalid updates.
One way to prevent this seems to be to use Application Secrurity provided in SQL 7.0.
Is there a way to give users read access to tables when they are not using the main application, and update access when they are using the main application?
View 5 Replies
View Related
Jun 27, 2000
New to MS SQL, using v7.0. Need a way to allow developers to create, modify, delete stored procedures in a database. I've tried several things but can't seem to get it. Anyone doing this? Do not want to give them dbo, company wants DBA's to have authority for all objects in a database, but developers have only authority on developing Stored procedures. thanks in advance.
View 2 Replies
View Related
Oct 25, 2000
How can I institute a passwd for a DTS load packages, so
no unauthorized loading takes place?
View 1 Replies
View Related
Oct 15, 1999
I have 30 databases resides on SQL Server 7.o. These databases will be accessed from the outside from 30 different DBA's.
How can I eliminate their privileges so they can only work with their own database and see the other databases grayed out?
Knowingly that each of them will have the DBO privilege on their database.
I'm very confused between the server roles, dbo permissions that I can't change.
Thanks in advance
View 2 Replies
View Related
Sep 29, 1999
Hi everyone,
Here is my situation:
I have 2 NT workstation 4.0 in a Test_PDC domain. One of the workstation(Test1) has SQL server 7.0 installed. On my other workstation(Test2) I would like to access the SQL Server. My workstations do not log into the Test_PDC domain, they logged on their own domain. I would like for Test2 users to access Test1 SQL Server through ODBC connection without creating an NT user account for Test2 users on Test1 User Manager. Is this possible? Another word, I want to use SQL Server security mode instead of NT.
Thanks in advance...
Binh
View 2 Replies
View Related
Mar 24, 1999
I need your opinion.
If you change default standard security to integrated and forgot register
all NT accounts in SQL Security Manager... and no more access to SQL Server.
What to do?
Thanks,
Irana
View 3 Replies
View Related
Sep 18, 2001
Hi Everybody Experts There,
I Am presently hanging on One Sql server.
Now Probably there are lots of user in near future and then
if there is some problem with the server which is running.
i want to run parallel second sql server which have all
information currently having first one.i mean to save second server
have all data that much of first server.
At the time of failure in first one i automatically want to
connect into second server without any problem
how can i do all this and also how can i put that server parallel to
first one.
please tell me as early as possible
waiting please
View 1 Replies
View Related
