Microsoft Security Patches And SQL Server

Apr 23, 2008

I've just taken over the role of SQL Server DBA for my organization. I've been asked to go over the list of Microsoft patches that will be installed on our SQL Server boxes to see if there are any issues.

As of now, I'm going to Microsoft's site and reading up on the patches. But, they don't have any info on where there are any negative effects on SQL Server or other Microsoft products.

The patches are being installed on test servers and I plan on running a few jobs to test for any issues.

Does anyone know of any other resources I could check?

Thanks,

-jeff


Security Patches For SQL Server 2000

Feb 17, 2005

Hello all gurus,

How can I tell what security patches I have currently on sql server 2000 and if I am up to date on all the latest security patches?

Thanks in advance.


SQL Server Express Security Patches

Sep 14, 2007

Please how are security patches for SQL Server Express 2005 made available (e.g., as separate distributions or bundled into other Microsoft patch distribution mechanisms)? Are there specific procedures that I need to put in place to ensure that SQL Server Express 2005 gets patched on end user machines?


Security Patches

Oct 10, 2002

Is there any stored procedure or MS utility that will show me what security patches are installed/needed on an install of SQL Server 2000?
Thanks.


Microsoft Access Security

Jan 20, 2004

I have created a security database using a new workgroup file with a new MDW file name. The database itself contains several groups of users and several users. The database works as designed.
The problem is if I open this database using the System.mdw file, the database opens and gives me complete access to everything.

Can anyone explain what is happening?

Any help will be appreciated.

Thanking you in advance,

Joseph Ford


Microsoft Baseline Security Analyser 2.1

Sep 27, 2007



Hi

I downloaded MBSA and ran it against my SQL 2005 Server. It tells me that I have a severe risk because

'The following databases have public access.Remove the public access if it is not required - tempdb , model , msdb , ReportServer , ReportServerTempDB'

I have checked these databases and each have the Guest User but it is disabled. If I check the database properties the public role has no permissions against the listed databases.

Is this a bug with MBSA? If not how do I remove Public Access?


Microsoft Security Bulletin Alert !!!! Please Read

Feb 21, 2002

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: SQL Server Remote Data Source Function Contain
Unchecked Buffers
Date: 20 February 2002
Software: Microsoft SQL Server
Impact: Run code of attacker's choice on server
Max Risk: Moderate
Bulletin: MS02-007

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-007.asp.
- ----------------------------------------------------------------------

Issue:
======
One of the features of Structured Query Language (SQL) in
SQL Server 7.0 and 2000 is the ability to connect to remote data
sources. One capability of this feature is the ability to use
"ad hoc" connections to connect to remote data sources without
setting up a linked server for less-often used data-sources. This
is made possible through the use of OLE DB providers, which are
low-level data source providers. This capability is made possible
by invoking the OLE DB provider directly by name in a query to
connect to the remote data source.

An unchecked buffer exists in the handling of OLE DB provider names
in ad hoc connections. A buffer overrun could occur as a result and
could be used to either cause the SQL Server service to fail, or to
cause code to run in the security context of the SQL Server.
SQL Server can be configured to run in various security contexts,
and by default runs as a domain user. The precise privileges the
attacker could gain would depend on the specific security context
that the service runs in.

An attacker could exploit this vulnerability in one of two ways.
They could attempt to load and execute a database query that calls
one of the affected functions. Conversely, if a web-site or other
database front-end were configured to access and process arbitrary
queries, it could be possible for an attacker to provide inputs that
would cause the query to call one of the functions in question
with the appropriate malformed parameters.

Mitigating Factors:
====================
- The effect of exploiting the vulnerability would depend on the
specific configuration of the SQL Server service. SQL Server
can be configured to run in a security context chosen by the
administrator. By default, this context is as a domain user.
If the rule of least privilege has been followed, it would
minimize the amount of damage an attacker could achieve.

- Both vectors for exploiting the vulnerability could be blocked
by following best practices. Specifically, untrusted users
should not be able to load and execute queries of their choice
on a database server. In addition, publicly accessible database
queries should filter all inputs prior to processing.

Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-007.asp
for information on obtaining this patch.

Microsoft.SqlServer.Dts.Runtime ASP.NET Security Issue

Dec 21, 2006

I am struggling in calling an SSIS package programmatically using the Microsoft.SqlServer.Dts.Runtime namespace.

I am successfully connecting to the package insofar as I am able to retrieve the package ID (GUID), but when I call package.Execute I get a 'login failed for user' error, which indicates a security problem.

My ASP.NET app is running as a domain user which has temporary 'SA' rights on the server where the package is hosted. In addition, I have set the protection level on the package to 'DontSaveSensitive'.

What am I missing to be able to execute the package remotely?

TIA,

Rick


Replication And Applying Patches

Oct 25, 2003

Hi all

I just want to make sure I have the proper understanding of how to apply MS security patches in a replicated SQL2k environment.

1) Upgrade Distributor
2) Upgrade Publisher
3) Upgrade Subscriber(s)

Any comment or suggestion would be highly appreciated :-)


Latest Patches For Sql 2005

Jan 4, 2008

Just installed sql 2005 version 9.00.30.42
and on this site
http://www.sqlservercentral.com/articles/Administration/2960/
There is
9.00.3215 943656 http://support.microsoft.com/kb/943656/
Cumulative Update 5 contains hotfixes for SQL Server 2005 issues that have been fixed since the release of Service Pack 2.

Do I just get this one and apply this on top?


Unable To Download Patches From MS Links?

May 31, 2015

What options do I have when I am unable to download resources from an MS link?

I am trying to download service packs for SQL Server 2008 R2 from link [URL], but it says downloading and nothing shows up.

Is there any alternative, or what can be wrong with the links?


Microsoft.AnalysisServices.Viewers.DLL Microsoft SQL Server 2005 Datamining Viewer Controls

Jun 21, 2007





Hi

I am trying to use Association Viewer Control in

Microsoft.AnalysisServices.Viewers.DLL dll in VS 2005 but sometimes it gives an error.

"Code generatio for property 'ConnecitonManager'" failed. Error was:'Property accesor 'ConnectionManager' on object 'AssosiactionViewer1' threw the following exception:'Object referance not set to instance of an object"


Is there anyone here who use
"Microsoft SQL Server 2005 Datamining Viewer Controls" in SQLServer2005 FeaturePack ?
http://www.microsoft.com/downloads/details.aspx?FamilyID=50b97994-8453-4998-8226-fa42ec403d17&DisplayLang=en

I am using VS2005 Version 8.0.50727.762 (SP.050727-7600)
and SQL Server 2005 SP2

thanks from now.

Cem Üney

Microsoft Access Doesn't Support Design Changes To The Version Of Microsoft SQL Server

Jul 23, 2005

Dear All,

Access adp on sql-server 2000

After upgrading to A2003, updating data with 1 particular combobox causes the program to hang without any error-msg.

Trying to change the combobox recordsource I get this error:

This version of Microsoft Access doesn't support design changes to the version of Microsoft SQL Server your project is connected to. See the Microsoft Office Update Web site for the latest information and downloads (on the Help menu, click Office on the Web). Your design changes will not be saved.

The solution in: http://support.microsoft.com/defaul...kb;en-us;313298 talks about SP 'dt_verstamp007' but I have SP 'dt_verstamp006'.

What should I do? Is the failure of the combobox also caused by the absence of dt_verstamp007???

Filip


Installing Microsoft Dynamics 10.0 With Microsoft SQL Server 2008 Katmai

Sep 25, 2007



Hi,

I'm trying to install Microsoft Dynamics 10.0 with SQL 2008 Dev but when launching the utilities this returns the following error message:

******************************************************************
Your current SQL Server is not a supported version.

Req: Microsoft SQL Server 8.0
Act: Microsoft SQL Server code name "Katmai" (CTP) - 10

You need to upgrade to SQL Server 8.0 before continuing.

******************************************************************

Any ideas could help or has this if anyone knows been designed not to work with GP10 currently?

Assad


Microsoft SQL Server Express And Microsoft Visual Studio...

Mar 17, 2008

I have a query that executes just fine except that it won't recognize varchar(255) ( or any other value within the () ) and if I leave it off like this: varchar, then it executes but it leaves that value as 1 and that is just not very useful for my purposes. This also happens with anything else that requires () to add length such as char(), or nvarchar(), etc... Any ideas?


"Failed To Copy Objects From Microsoft SQL Server To Microsoft SQL Server "

Oct 3, 2001

Hello,

"Failed to copy objects from Microsoft SQL Server to Microsoft SQL Server "

I keep getting this when trying to copy stored procs from one db to another on the same server. I am using the DTS wizard. I have been able to copy the tables but I need the sp's too, and there are too many to copy one at a time.

Help!

TIA,
Bruce


Difference Between Microsoft Sql Server 2008 And Microsoft Sql Server 2005

Mar 27, 2008



Pls tell me about the exact difference between SQL Server 2005 and SQL Server 2008.
Why upgrade to SQL Server 2008?


Microsoft SQL Server Database File (SqlClient) Vs Microsoft SQL Server

Aug 30, 2006

In VS 2005, when we choose database connection, we can choose one of the above. My question is in what situations should we choose MS SQL Server Database File (SqlClient), and when should we choose Microsoft SQL Server?

I want to deploy a standalone desktop application with a backend database. Which backend database should I use and which of the above connections should I choose?

Thanks very much for your information.


MS HotFixes/patches Possibly Stunting DB Activity For Certain Amounts Of Data?

Jun 14, 2004

I'm wondering if anyone can shed light on a problem I've noticed that's really made for a major thorn in my side. I recently had a Microsoft patch installed on my server, and now for some reason, trying to run INSERT or UPDATE queries against the SQL 2000 database are severely limited. I constantly get the error:

"Error: A severe error occurred on the current command. The results, if any, should be discarded."

My Event Logs also return the following:

"Invalid buffer received from client."

I think I've isolated the problem to be that I can't add new or modify existing records that try using a field which is of type TEXT, but now can't be longer than 4,000 characters, else the error fires. This is really weird, as I've used the same ASP.NET script to call a stored procedure to INSERT/UPDATE records thousands of times before with 100% success.

I have a feeling this might have something to do with the patch, but has anyone come across this problem specifically, or know for sure which patch(es) cause it? Why all of a sudden would a TEXT field be so limited in capacity?


Microsoft.Data.Odbc.OdbcException: ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]

Dec 10, 2003

Hi Everybody,


On localhost this application works fine but when I put on remote server. I am getting following errors. For both localhost and server, I am using same remote sql 2000. I will appreciate any help.

Thanks,

Arif



Server Error in '/' Application.
--------------------------------------------------------------------------------

ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ')'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Microsoft.Data.Odbc.OdbcException: ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ')'.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[OdbcException: ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ')'.]
Microsoft.Data.Odbc.OdbcConnection.HandleError(IntPtr hHandle, SQL_HANDLE hType, RETCODE retcode) +27
Microsoft.Data.Odbc.OdbcCommand.ExecuteReaderObject(CommandBehavior behavior, String method) +838
Microsoft.Data.Odbc.OdbcCommand.ExecuteNonQuery() +80
Calgary.venues.Page_Load(Object sender, EventArgs e) in c:inetpubwwwrootCalgarySitevenuesvenues.aspx.vb:32
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive() +35
System.Web.UI.Page.ProcessRequestMain() +731


How To Connect ADODB With Microsoft SQL Server Compact 3.5 (.NET Framework Data Provider For Microsoft SQL Server Compact 3.5)

Sep 12, 2007

Hi
We are checking VB 9 (Orcas).

we connected to database created under with sql server 7. with this code

Public cn As New ADODB.Connection

Public Sub OpenDB()


cn.Open("Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial catalog=Reservation;Data Source=.")

End Sub
this code worked well.
We know SQL 7 is not compatible with Vista. Please tell us how to connect it with SQL 2005. We downloaded Orcas Express Edition beta. We created a database also. Please let us know how to connect with Microsoft SQL Server Compact 3.5 (.NET Framework Data Provider for Microsoft SQL Server Compact 3.5).

Rgds
Pramod


Microsoft Access VS Microsoft SQL Server

Aug 26, 2006

hello all member


Microsoft Exchange To Microsoft SQL Server

Jul 23, 2005

I'm not asking a lot. I just want to know if I can connect from an Exchange server to a SQL server without having to use Access linked tables. Surely MS must have had a look at this but I can't find anything out there.

Help appreciated.

Ginters


How Can I Connect To Microsoft SQL Server 2005 CTP With Microsoft SQL Server 2005 Express Manager?

Aug 9, 2005

I installed Microsoft SQL Server 2005 Express Manager and connect to SQL 2000 normally


Microsoft SQL Server Developer Edition Vs Microsoft SQL Server Express Edition

Mar 23, 2008

I have just installed sql server 2005 but now I have two types of server name:

Microsoft SQL Server Developer Edition
Microsoft SQL Server Express Edition

Which one should I use? Does it matter? Thanks.


[Microsoft][ODBC Microsoft Access Driver] System Resource Exceeded

May 22, 2007

odbc_pconnect() [function.odbc-pconnect]: SQL error: [Microsoft][ODBC Microsoft Access Driver] System resource exceeded., SQL state S1001 in SQLConnect





we got the error with access 2000 database and PHP as prog. language .



we created dsn for the connection.



reboot solves the problem. but we need another solution better than this.


NT Security Vs SQL Server Security

Jun 19, 2000

Hi:

Can anybody tell me the advantage and disadvantage to use NT security for SQL Server 7.0? For a corporation with 400 users, what is your recommendation for the SQL Server security management. Thanks.

Joan


Server: MSg 17, Level 16, State 1 [Microsoft][ODBC SQL Server Driver][DBNETLIB]SQL Server Does Not Exist Or Access Denied

Jun 6, 2007

Hi,

When I am trying to access SQL Server 2000 database from another machine i got this error

Server: MSg 17, Level 16, State 1 [Microsoft][ODBC SQL Server Driver][DBNETLIB]SQL Server does not exist or access denied

but I could access the database on same server and in that server i could access other databases in different server.




Help! SQL Server Error - [Microsoft][ODBC SQL Server Driver][SQL Server] Invalid Object Name ...

Jul 23, 2005

Dear all,

On Win2000 server with SP3, I am trying to access a SQL Server 7.0 database, "TestDB", from VB6 via a SQL Server ODBC system DSN using ADO 2.7. In SQL Server Enterprise Manager, there is a login named "Tester". In its property window, NO "Server Roles" was assigned but its "Database Access" was set to "TestDB". This login was also made as the user of "TestDB" with "public", "db_datareader" and "db_datawriter" selected as its "Database role membership". All the tables I am trying to access in "TestDB" were created under "Tester".

My code is like:

Set conn = New ADODB.Connection
conn.Open "DSN=TestDSN;UID=Tester;PWD=test"
Set cmd = New ADODB.Command
cmd.ActiveConnection = conn
cmd.CommandText = SQL
set rs = cmd.Execute()

If I set the SQL to something like "SELECT * FROM tbl_test", I always get an error of "-2147217865" saying "[Microsoft][ODBC SQL Server Driver][SQL Server] Invalid object name tbl_test". If I set the SQL to "SELECT * FROM Tester.tbl_test", everything runs properly. Could anyone please kindly advise why the first SQL is not working? Or in other words, why must I prefix the table name with its owner while the DB connection is already made under that owner name? Thanks in advance.

Tracy


SQL 2012 :: Persist Security Info And Integrated Security In Connection String

Dec 4, 2014

I use from sql server 2008. and c#

what is the best connectionstring?

I don't know if I use Persist Security Info and Integrated Security or not?

And if yes then their value must be true or false?


Code Access Security Across Multiple Assembly Security Extension

Oct 14, 2005

Hello there, I have been trying to figure out for days how to enable FullTrust for my Reporting Services security extension.


SSRS -- Security Filter And Model Item Security Setting

Jul 31, 2007



Hi,


I have posted this issue for a week, haven't got any reply yet, I posted it again and desperately need your help.


The article http://msdn2.microsoft.com/en-us/library/ms365343.aspx says:
Model Item Security can be set for different security filters, but when I use SQL Server Management Studio to set Model Item Security, it seems "Permissions" property surpass "Model Item Security" property. -- My report server is using Custom Authentication.



For example, in "Permissions" property of the model, if I checked "Use these roles for each group or user account" without setting any user or group, no matter what users I added to "Model Item Security" with "Secure individual model items independently for this model" checked, NO one user can see the model on report manager and report builder;

in above situation, if I added "user1" and gave role such as "Browser" role to "user1" in "Permissions" property, if I checked "Secure individual model items independently for this model" in "Model Item Security" property, even I did NOT grant "user1" to root model and any entities under the model, the "user1" is able to access the model and all entities in report builder.



My question is on the same report model, how to set "AdminFilter" (empty security filter) for administrator permissions and set "GeneralFilter" (filtered on UserID) for general user based on their UserID?


The article also says:

"Security filters are always applied, even for users who have Content Manager or Administrator permissions to the model. To allow administrators or other users to see all rows of an entity on which row-level security is defined, you can create an empty security filter (which always returns True) and then use the filter to grant those users access to all the rows."



So I defined 2 filters "GeneralFilter" and "AdminFilter" for "Staff" entity for my report model "SSRSModel", I expect after I deployed the report model, the administrator users use report builder to build reports with all rows available, and the non-admin users can only see rows based on their UserID.



I can only get one result at a time but not both:

either the rows are filtered or not filtered at all, no matter how I set the "SecurityFilter" for the entity: I tried setting both "AdminFilter" and "GeneralFilter" for SecurityFilter at the same time, combination of "DefaultSecurityFilter" and "SecurityFilter", or one at a time.



Your help is highly appreciated!

Desperate developer
