SQL 2005 DBMail Security Question
Dec 7, 2007
Can a regular user configure DBMail on a SQL 2005 Server?
Thanks
I have a stored proc that inserts records into a table, gets the identity, and uses that identity on a .net webpage. The page retrieves that identity key and processes some stuff on the page.
Everything was working fine until I tried to enable sql mail with triggers. I wanted to double-check some stuff, so I requested an sql email be sent whenever an insert occurs on the table above. Here's what I think is happening --- please correct and/or help me out with a workaround?
I use the stored proc to insert a record.
I select the @@identity.
The trigger fires but uses select to retrieve the latest insert - thereby replacing the @@identity number returned to the page?
If this is true, could I do something like the following in the original stored proc? Is this a good idea or bad idea?
BEGIN
    -- Holds the new identity value and the HTML mail body
    DECLARE @myID AS int, @body1 AS varchar(200)
    SET @myID = 0
    INSERT INTO table (fields) VALUES (@PID, more stuff);
    -- Capture the identity value generated by the insert
    SET @myID = @@IDENTITY;
    IF @myID <> 0
    BEGIN
        SET @body1 = '<br />pid=' + more stuff.....
        -- Send the notification through Database Mail
        EXEC msdb.dbo.sp_send_dbmail
            @profile_name = 'profileName',
            @recipients = 'email@email.com',
            @subject = 'Temp History Insert',
            @body = @body1,
            @body_format = 'HTML';
    END
END
I am attempting to use dbmail from an application that logs in to my database using an application role. Since the application role does not exist outside the database, I created an spSendEmail in the database with "execute as login='mailagent'" in it: I set the database to trustworthy, created a 'mailagent' account and added it to the msdb database with the databasemailuser role rights.
Email works just fine on the server when I use the execute as login='mailagent' to fire off the msdb..sp_send_dbmail. But from the .NET application, I get the error: "Cannot execute as the server principal because the principal 'mailagent' does not exist, this type of principal cannot be impersonated, or you do not have permission." When I run my spSendEmail stored procedure from the calling database, I get the same error.
Is it possible to embed an image datatype into an e-mail message using sp_send_dbmail?
For example, my query would select a saved print screen image held in a SQL table as datatype image. I would prefer not to attach this image but rather have it print in the message section.
Thanks in advance.
Hi,
I am using SQL Server 2005 and need to mail. I used sp_send_dbmail for mailing but I am able to send to one @recipient and one @copy_recipient.
How can I mail to many email addresses and/or group?
Any help is appreciated.
Thank you,
With Query Analyzer, I am sending mails with DBMail successfully. Each time mail is sent, the messages tab in the bottom half of the window shows
"Mail (Id: 30242) queued."
Is there any way to capture Mail (Id: 30242) and update the same in a table?
Is anyone using an SP or trigger to create an HTML-formatted e-mail and send it using DBMail?
If so could I see a sample of the code?
Jim
Users <> Logic
Hi,
I'd like to have some feedback from the experts on SQL 2005.
The situation is the following.
I have a .NET/SQL Server 2000 application that sends notification mails using the SQL Mail feature. It has worked fine for years.
Sooner or later SQL 2000 will be out of service, so I decided to move my database to SQL 2005.
When I tried to put it in production with my web hosting provider www.webhost4life.com, they said that they are not supporting SQL DBMAIL on any SQL 2005 32/64 bits because the extra workload will slow down SQL 2005 performance.
My question is whether somebody has experience of this situation in other installations, or whether it is maybe that provider who has some problems tuning the SQL servers.
We are having trouble configuring SQL Server 2005 to use MX records.
Basically, we want to use DBmail to utilize multiple mail relays.
The three mail relays are contained within internal DNS MX records.
smtphost.xxx.com. IN MX 10 mailhost1.xxx.com.
smtphost.xxx.com. IN MX 10 mailhost2.xxx.com.
smtphost.xxx.com. IN MX 10 mailhost3.xxx.com.
It doesn't seem to like using MX records? Any ideas?
Thanks KraftR
Tim.Kraft@Dowjones.com
I am using DBMail to send an email notification at the completion of service broker process and have been getting the following security error:
Msg 229, Level 14, State 5, Procedure sp_send_dbmail, Line 1
EXECUTE permission denied on object 'sp_send_dbmail', database 'msdb', schema 'dbo'.
I have given the userID used to run the Service Broker, databasemailuserrole in msdb as per instruction in the msdb. I have also given it execute permission on the sp_send_dbmail but keep getting the error. The service broker is run using a sql login and the dbmail profile is set as public profile. Any suggestions would be much appreciated.
Hi!
I try to use Service Broker and DBMail together, but have some trouble with that.
I need to create the queue with activation.
And the stored procedure activated on this queue must send e-mail using DBmail.
It looks simple, but it doesn't work.
Here is my script to create the objects, but don't forget to create a dbmail profile before using it.
PS: And replace my email with yours
Good morning,
I'm stumped on this trigger error and I'm hoping someone can help. Here's the background:
BACKGROUND
Running SQL Server 2005 on WinServer 2003 RC2. We use a SQL-based business application that has its own alert system that uses database mail successfully, meaning the built-in emailing functions of the application work and can communicate with the database mail profile and send mail without error.
PROBLEM
I'm trying to write a trigger that will automatically send out an email alert after certain actions are performed in the business application. When I enable the trigger and it tries to run it fails with the following error:
SQLDBCode: 229
Alerts error: SQLSTATE = 4200
Microsoft OLE DB Provider for SQL Server
EXECUTE permission denied on object 'sp_send_dbmail', database 'msdb', schema 'dbo'...
TROUBLESHOOTING
I've seen several articles about DatabaseMailUserRole permissions and have made sure that all users, admin and even guest (for testing) are members of this role. Other than that our setup is pretty vanilla so I'm not sure what else to do.
We only have one large dbase for the app and the fact that the internal emailing function works makes me think that the permissions for the msdb are already correct (although I could be wrong).
This problem is driving me crazy so I thank you in advance for any suggestions!
I would like to replace mymail@mail.com with mypdl@mail.com, where mypdl is basically a people distribution list with 2 emails: my own email and that of my coworker and fellow DBA.
IF EXISTS
(
SELECT TOP 1 [PercentUsed]
FROM [BackupSize]
WHERE PercentUsed>=70 AND [drivename]='D:' -- D is the internal drive
ORDER BY [MetricDate] DESC
[Code] ...
But I think this won't work by design. Maybe I need to create an operator?
When sending an email in HTML format, shouldn't this allow for 2gb of data? Mine is getting truncated after 4000 characters.
@body NVARCHAR(MAX) = NULL,
-- Send an HTML-formatted message through Database Mail
EXEC msdb.dbo.sp_send_dbmail
    @recipients = 'someone@some.com',
    @reply_to = 'someone',
    @from_address = 'someone@here.com>',
    @profile_name = 'profilename',
    @body_format = 'HTML',
    @body = 'lots of data'
If I use msdb..sp_send_dbmail or save query results as text (using sqlcmd) and include the column headers I get the dashed separator line.
e.g.
custID, name
------, ------
1,bob
2,james
I would like this
custID, name
1, bob
2 ,james
I found this method [URL] ....
sqlcmd -E -S (local) -d myDB -W -w 1024 -s "," -Q "SELECT * FROM tblCust" | findstr /V /C:- /B > C:\temp.csv
Can the same result be achieved sending as attachment with dbmail?
EXEC msdb..sp_send_dbmail @attach_query_result_as_file = 1
I don't want to have to add column names as part of the query
Change the query to return column headers in resultset
SELECT 'CustID' as f1, 'name' as f2
UNION ALL
SELECT CAST(CustID as Varchar(10)), name FROM tblCust
and set
msdb..sp_send_dbmail @query_result_header = 0
Hi all !
I have a question regarding the security of SQL Server 2005 Express Edition.
What security options does SQL Server 2005 EE provide for its users?
I know that after I deploy my website to a hosting company or a web
server, my database file will be on the net. That means everybody can
type in the file name and download my database file then open it. Just
like that. For example, my database filename is EXAMPLE.MDF. then,
someone just goes to my website, say
http://www.cool.com/app_data/example.mdf, and downloads the database.
To prevent that from happening, what are the security options available to me besides putting a password on my database file?
Thanks for taking time to answer my question. Any help will be appreciated. Have a good day!
Hi all,
Could anyone suggest which is the recommended authentication mode for web applications with MS SQL Server 2005?
Also let me know how the new security features of MS SQL Server 2005 can be used for secured application access.
Thanks in advance
HHA
(1) To prevent unauthorised database access, is it ADEQUATE to delete / disable the BuiltInAdministrator login and the guest (database) user ?
(2) How can I delete / disable the BuiltInAdministrator login
in SQL Server 2005 Express ? It didn't allow me to disable or delete it.
(3) How can I delete / disable the guest (database) user
in SQL Server 2005 Express ? It didn't allow me to disable or delete it.
Hi,
I am just starting out with SQL Server 2005 and really getting in a muddle with all the security stuff.
It seems I have LOGINS, DATABASE USERS, Server Roles, Database Roles, SCHEMAS and somehow they all tie in together. I am using Microsoft Press "SQL Server 2005 Implementation and maintenance" but it really isn't doing a good job of explaining it to me.
Can anyone point me to a reference that clearly explains all this stuff?
Hello, everyone
We have a tech department that is adding new databases (restored from a backup), creating new logins and
assigning different database roles to those logins.
They used to have a sys admin role assigned on the system. They are using a Windows account to connect.
I am planning to revoke that sa privilege from them and give them dbcreator server account rights.
Apparently it's not enough. Any suggestions?
thank you
Hello,
I found scary topics with security threats for SQL 2005:
http://blogs.msdn.com/ikovalenko/archive/2007/01/15/db-securityadmin-is-very-powerfull-and-dangerous.aspx
http://blogs.msdn.com/ikovalenko/archive/2007/01/15/sql-server-2005-building-security-model-based-on-triggers.aspx
Igor has mentioned that the SQL Server team replied about the db_securityadmin topic that this person should be trusted. I'm not buying this, especially for the case where the account/login for db_securityadmin is compromised and the hijacker is aware of these options and can elevate his own privileges and do damage.
So I'm looking for clear answers there...
I am an Oracle DBA who inherited SQL Server administration. I have been to some 2005 training and I've been supporting several DB's for a while now but I still have some nagging security questions and would appreciate some help.
1) I needed to grant execute on a specific procedure but when I drilled down, I found that it already had execute in the EFFECTIVE PERMISSIONS. I would like to know how to tell where it got this permission from. I did some digging and found that execute appears to have been granted to the schema itself. I didn't know you could do that. Would this result in the effective permission that I observed?
2) I am trying to audit the permissions on existing principals. In Management Studio I drilled down and found permissions under Security and under Server Properties. There are also more permissions under Database Properties and Security and still more assigned at the specific object level. Where can I go or what can I query to see ALL the permissions a principal has been granted across the entire server?
3) If I grant a principal CONTROL to a schema does that also automatically confer DDL rights to said schema or would additional privs be required to perform DDL?
Thanks in advance,
Roger Westbrook
I am just looking for feedback and maybe pointers for research regarding securing SQL 2005 for IIS access. I am currently working on a project for building a new retail website and our sysadm guys have some concerns regarding exposing our SQL box to the DMZ via direct connections to the IIS box. Now we have not completely come to a conclusion of saying that it is not possible, but we are very concerned due to recent credit card and customer data problems in the industry.
So far we have mainly talked about just exposing web services(limiting the exposure of data that can be retrieved) on an internal IIS box that would be called allowed to be accessed from only the IIS box in the DMZ using User Accounts and Client SSL Certs. What I am most concerned about is the performance of this design. I would like to try and provide a connection to the SQL box directly for the devs, but I am not sure what the best practice would be for securing this connection through the firewall and also monitoring it in case our DMZ IIS box gets owned.
Any input or direction to resources would be much appreciated. I have read quite a few papers so far and just want to get feedback on architectures and designs.
Thanks in advance.
Hi All,
I have been building a database in SQL Server Express for some months now using the Windows level authentication login that has given me full access to everything in the database.
The time has now come where I need to create user accounts and grant permissions to specific stored procedures and I'm having trouble doing this.
Can anyone give me a brief rundown of the required T-SQL commands I need to set up a user account that can do nothing but run stored procs (not the system procs which apparently are being discontinued: http://msdn2.microsoft.com/en-us/library/ms182795.aspx).
So far I have:-
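-- Server-level login using SQL Server authentication
CREATE LOGIN db_test_user WITH PASSWORD = 'eXaMpL3Pwd';
USE db_new;
-- Database user mapped to the login of the same name
CREATE USER db_test_user;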
The above code executes successfully but when I try and connect (using Management Studio) I get error message 'The user is not associated with a trusted SQL Server connection (error 18452)' which means little to me.
I also tried creating a 'WITHOUT LOGIN' user for the database but could not figure out how to give it a password.
I don't know (/understand) roles/schemas and don't know if I really need them as I only need user access to specific stored procs. I don't ever want them to see the tables for example so they only need the most restricted access.
Can anyone help?
Thanks,
DG
I cannot block user access to tables. I have restricted accounts at the server, database, group, schema, and table level and can still open tables right up. In other words, I have absolutely no security. Any ideas?
Don't know if this is possible or not:
Goal: set security on running specific stored procedures based upon user login and database access
I have some DBAs who want to retain full control of databases / stored procedures as they now have but I want to restrict or roll back some of the changes that were implemented when the SQL 2005 was set up. The SQL 2005 EE is in a clustered system and uses Mixed Mode Authentication.
An example of what I want to restrict: The DBAs want to be able to view and kill processes for the different databases that are installed under their instance. The problem is other customer databases are also under the same instance.
Is there a way I can combine or have the stored procedure sp_lock only show the processes for the databases they have access to based upon their login? My concern is they will kill a process and affect the other customers.
Thanks for any info or pointers.
carl
Does anybody have a link to either of these two documents? My company is getting ready to go through an audit and we need some firepower and to know what is expected. Any help with obtaining Microsoft SQL Server 2005 best practices documents is appreciated.
-Kyle
Couple of questions for the SQL Server gurus out there.
SQL Server 2005
Web Hosting Provider
Ok I am developing a Web application in ASP.NET with AJAX, etc. etc. It will be some time before it is ready to roll out. As a mockup I created the same application in Microsoft Access and Visual Basic (VS 2008), which I can link the tables to the hosting provider on the internet. Works very well and speed is very acceptable. They want to start utilizing it with the mockup distributed app that I created.
My question is: how secure is the data that is moving from the local application to SQL Server 2005 with the web hosting provider? Is there anything that I can do to increase security?
Thanks, any thoughts ?
Appreciate any suggestions or comments.
Has anyone compiled a list of out of the box features to disable (like sql mail in 2000)? Or even just a general security checklist for 2005?
I'm looking for one similar to http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx
I've been reconfiguring my Windows service accounts for the SQL Server service and the SQL Agent service to comply with the security best practices for SQL Server 2005. Specifically, I created two new network accounts. One account runs the SQL Server service, the other runs the SQL Agent service.
Hi,
I'm having a lot of trouble trying to set up a custom security extension with Reporting Services 2005. Following the VB example from McGraw Hill Osborne (http://www.mhprofessional.com/product.php?cat=112&isbn=0072262397&cat=112), I've compiled the .dll for the extension and made the changes to the ReportManager and ReportServer .config files. After I reset IIS and return to the RS website, it displays "The report server has encountered a configuration error..." and I get a message in my System Event log:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BA126AD1-2166-11D1-B1D0-00805FC1270E}
to the user MYMACHINE\ASPNET SID (S-1-5-21-1708537768-839522115-1343024091-1005). This security permission can be modified using the Component Services administrative tool.
Wondering if anyone else has had similar trouble and how did they get around it?
Hi,
I wonder if SQL Server 2005 supports row based security?
I need to set some users to see data filtered by a specific field and value...
Example: User XPTO only sees data about vendor code = '123'
Is this possible in the box?
Best Regards,