SQL 2012 :: Closing A Security Hole
Jul 9, 2015
I have a purchased product that has a DB with several thousand tables in dbo. I can't change anything with the default dbo schema other than security. I have a table called dbo.ACCOUNT. It has information from multiple sites on it. I have a reporting team that needs to access only the information for SITE 1 on the ACCOUNT table, plus anything in the other 1000+ tables in the dbo schema.
I created a role (Analytics) and granted select access to dbo. I created a schema (Analytics) and assigned it the role. I created a view in the new schema called Analytics.ACCOUNT with a WHERE SITE = 1 clause on it. If they use the view, they see only the things they should. My problem is they can still do a select * from dbo.ACCOUNT and see everything they shouldn't see. How can I close that hole? I am not seeing a solution. If there is no way to fix this with roles/schemas/views, what else can I do?
Some of my pain points. I have this issue with about 30 tables. Creating custom table(s) to isolate data for each site will cost me another 2T of storage. Loading those custom tables every day would be cumbersome. Keeping the DDL in sync with the source table would be cumbersome. With the way I have it set up now, if I deny access to the source tables the view breaks because it needs access to the source tables to dynamically build the view. Here is the code I ran to create everything.
USE [DB]
--create test user login
CREATE LOGIN [Analytics_ETL] WITH PASSWORD=N'XXXXXXXXXXX'
GO
--create user in test database
CREATE USER [Analytics_ETL] FOR LOGIN [Analytics_ETL] WITH DEFAULT_SCHEMA=[Analytics]
[code]....
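One way to close the hole described above, added here as an example and not code from the original post: keep the schema-wide grant the post already made, DENY SELECT on the site-specific source table, and make the Analytics schema owned by dbo so that the view and the table share an owner. With an unbroken ownership chain SQL Server does not evaluate the role's permissions on dbo.ACCOUNT (the DENY included) when Analytics.ACCOUNT is queried, so the view keeps working while a direct SELECT on the table is refused. Assumed here: the Analytics schema was created with the role as its owner (which is what breaks the chain), the view selects all columns, and the reporting user is the Analytics_ETL user from the post; the other 29 tables get the same DENY/view pair each.

```sql
USE [DB];
GO

-- Step 1: give the Analytics schema the same owner as the source tables (dbo).
-- If the schema was created with the Analytics role as owner, the view and
-- the table have different owners and the chain is broken; this repairs it.
ALTER AUTHORIZATION ON SCHEMA::Analytics TO dbo;
GO

-- Step 2: the filtered view, recreated here (column list assumed to be "*").
-- CREATE OR ALTER is not available on SQL 2012, hence the drop/create pair.
IF OBJECT_ID(N'Analytics.ACCOUNT', N'V') IS NOT NULL
    DROP VIEW Analytics.ACCOUNT;
GO
CREATE VIEW Analytics.ACCOUNT
AS
SELECT a.*
FROM dbo.ACCOUNT AS a
WHERE a.SITE = 1;
GO

-- Step 3: refuse direct reads of the site-specific table. DENY beats the
-- role's schema-wide GRANT on dbo, but it is not evaluated when the table is
-- reached through the dbo-owned view, so the view still works.
DENY SELECT ON OBJECT::dbo.ACCOUNT TO Analytics;
GO

-- Step 4: the role needs SELECT on the view itself.
GRANT SELECT ON OBJECT::Analytics.ACCOUNT TO Analytics;
GO

-- Check both paths from the reporting user's point of view.
EXECUTE AS USER = 'Analytics_ETL';
SELECT COUNT(*) AS site1_rows FROM Analytics.ACCOUNT;   -- works: site 1 rows only
BEGIN TRY
    SELECT COUNT(*) AS all_rows FROM dbo.ACCOUNT;       -- expected to fail
END TRY
BEGIN CATCH
    -- Msg 229: The SELECT permission was denied on the object 'ACCOUNT'
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
REVERT;
GO
```

Two caveats worth checking on the real system: DENY is ignored for members of db_owner and for sysadmin logins, so confirm via sys.database_role_members that the reporting users hold nothing beyond the Analytics role; and a SELECT * view stores its column list at creation time, so after a vendor ALTER TABLE on dbo.ACCOUNT run sp_refreshview on the view (or the view silently keeps the old column set).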
Jul 20, 2005
here's my stored procedure:
CREATE PROCEDURE proc
@id varchar(50),
@pswd varchar(20),
@no_go int OUTPUT
AS
SET NOCOUNT ON
SELECT user_id FROM profile WHERE user_id=@id AND pswd=@pswd
IF @@ROWCOUNT = 0
BEGIN
SET @no_go = 1
END
ELSE
BEGIN
SELECT date,date_mod FROM ans WHERE user_id=@id
SET @no_go = 0
END
Using the PERL odbc_more_results function I can retrieve the data in the second select statement whether the rowcount is 0 or not. Any suggestions how to stop this?
Dec 4, 2014
I use SQL Server 2008 and C#.
What is the best connection string?
I don't know if I should use Persist Security Info and Integrated Security or not.
And if yes, must their values be true or false?
Jul 23, 2005
Hi all! I need your help to realize an algorithm for a stored proc or trigger.
tool: MS SQL server 2000, T-SQL
TABLE: [unique_id] [mynumber] [week]
[unique_id] - bigint, primary key, identity auto-increment
[week] - int, 1-53, week number
[mynumber] - int, 1 - 7, for every week, daily record one per day, up to 7 per week
so, for every week we have a mynumber from 1 to 7 or nothing (if no records for that day); we can insert or delete mynumbers in any order, at will
EXAMPLE:
week 1, mynumber 1,2,3 - so if we insert a new record, mynumber value = 4
week 2, mynumber 1,2,3,5,7 - so next mynumber = 4
QUESTION: How to use _only_ T-SQL to find the missed numbers for a particular week when I insert records?
Thanks.
Chapai
Aug 8, 2004
Hi All
I use identity column in a Database.
when I delete some data, it causes a "hole" in the identity column.
for example
1 John
2 Mary
3 Sam
4 William
when I delete Mary, the data in table are
1 John
3 Sam
4 William
so the hole in the identity column is "2"
I don't want there to be any hole in the identity column.
I hope the result is
1 John
2 Sam
3 William
Is there any solution for this problem?
Sep 19, 2006
What's the best type to hold a phone number in this format in a column in my SQL table? Should I use varchar, or something else? Any help would be great!
Jan 5, 2007
I've tried letting in 1433, 1434, 443, 444 and I still can't get through. When I turn off the firewall, it works. What am I missing?
Oct 27, 2006
Table A, Table B. I need to update Table A's balance field from Table B's sum of amount.
UPDATE CUSTOMERS SET BALANCE=(SELECT SUM(AMOUNT) FROM PAYMENT,CUSTOMERS
WHERE CUSTOMERS.ID=PAYMENT.ID GROUP BY PAYMENT.ID)
Msg 512, Level 16, State 1, Line 25
Subquery returned more than 1 value. This is not permitted when the subquery follows =, !=, <, <= , >, >= or when the subquery is used as an expression.
The statement has been terminated.
Feb 19, 2014
In the database we are planning to implement row level security. For this do we need to create users, or do we need to create a login for each one?
Jan 5, 2015
Is it possible for a clustered instance of SQL2012 to have 2 network names ?
Reason: I need to segregate admin access to a clustered instance so that the admins and SSMS connect via a different IP address than the application. I know I can block SSMS access via application-level firewalls, but ideally the application would connect to CLUSTER1INSTANCE01 on, say, 10.192.5.5, and the admins would connect to CLUSTER1ADMININSTANCE01 on 172.168.2.2, and they'd be the same instance, just using different names and IPs.
Sep 10, 2015
We have a 3rd party app that dumps data into a repository database for use in onward reporting purposes. When a user runs jobs in the app, the app creates new tables in the repository DB. The names of the new tables are created at runtime and are unpredictable.
For reporting purposes, I then need to create more new tables/views that depend on these repository tables. As the table names will be unknown until they are created, I have created stored procedures to address this. The procedures look through information_schema, identify the tables created by the app, and then create new tables/views based on them. The stored procedures are called using a small tool made with MSAccess.
The problem is when it comes to our Integ & Production servers. My stored procedure will be doing a lot of create/alter/drop actions. Requesting ddladmin on production databases, I know, is going to set off a lot of alarms.
I need selected users to use the MSAccess tool and trigger the stored procs that will execute DDL actions.
Feb 8, 2015
I am trying out merge replication and using web synchronization. However, I am worried that I am missing something because, the way it is set up, it strikes me as a bit too insecure.
According to the best practices and security articles on Technet, I am given to understand that:
The SQL Replication Listener (read: the application pool account that will be running the replisapi.dll) has to be the db_owner of both distribution and publisher and be on the PAL list. Windows authentication should be used. That means the merge agents wouldn't need to know the password for those logins.
Basic authentication can be used (with SSL) to authenticate into a Windows user account to then connect to the replisapi.dll.
Here's the rub - I assumed that all I needed was a basic no-rights user account to be then given the execute permission on the replisapi.dll & read permissions to kick off the process. When I browse to the replisapi.dll and authenticate using the no-rights user, I get the expected "SQL Server WebSync ISAPI" message. But when I then run the merge agent, it fails saying that login to the distribution failed for the no-rights user. If I use the application pool's account, then I am able to run the merge agent successfully.
But that means I am now looking at storing the password to the application pool account on the client. Might I have missed a crucial step to ensure that the logins to the distribution & publication databases are done using the application pool account, not the user authenticated via IIS basic authentication?
Sep 20, 2015
There is a STIG Check that does not allow grant "Connect SQL" directly to any logins except SQL System and the SA account. My way of resolving this is to do the following:
Step One:
We create a Server Role called SQL_APPLICATIONS – for the application accounts
We create a Server Role called SQL_DBA – for the DBA accounts
and give them direct "Connect SQL" server permissions. MAKE THE ROLE OWNER = sysadmin (group)
Note: I think that creating a Server Role is only available starting with SQL Server 2012, but not sure. I am using SQL 2012
Step two:
I add the members (Logins - SQL & Windows) – in this case any application accounts and DBA accounts to the new roles respectively
Step three:
I remove the "Connect SQL" permission from each Login
The first problem I noticed is that the maintenance plans failed with "The owner domainusername of job db_backup does not have server access." I am currently using a test system and wondered if you think I will have trouble with the application connecting when I try to implement this on the production systems.
Sep 24, 2015
I've read a bunch of articles saying you should always remove the guest user from the user databases and model. It seems to me that if a user only has public access then the user can't do anything on the database. If the guest user only has public access to a user database how is it a security threat? I must be missing something.
Aug 11, 2014
I work on a test SSRS setup and am trying to give one user enough rights so she can download RDLs from the server, but no matter what I do on the folder level, on the report level her security is still only <Browser>. The structure of our server is:
Home/NewReports/Misc/Report01.
I'm checking those in <Folder Settings>/<Security> where this user is OK (Browser, Content Manager, Publisher, Report Builder).
So she looks OK in all folders Home/NewReports/Misc, but on the report level she is still only a Browser.
Our DB team tried everything on the SSRS server working with Site Settings and Folder options; how do we make that report inherit security?
Oct 30, 2015
We had a strange incident with our Database Mail today. We use sp_send_DBMail to send mail from stored procedures in our SQL Server 2012 (11.0.2138). There are 7 profiles available for use by different databases. The actual stored procedures are called by Web apps using a connection string that has a specific SQL user identified.
Last night app 1 was using profile 1 as usual and app 3 was using profile 3 as usual. This morning (7 hours later) app 3 was sending from profile 1 every time a call to sp_send_dbmail was made. Not good. App 1 was still correctly sending from profile 1.
We ran a call to sp_send_dbmail from a query window using profile 3 and it sent using the correct profile 3. We used the Database Mail right-click option of "Send Test Email..." to both profiles and they worked as expected.
Our investigation showed that in the Database Mail configuration wizard "Manage Profile Security" section Private Profiles tab... the User name that is used to call the stored procedures from web app 3's sp_send_DBMail did not have access to profile 3 anymore. It did have access to 5 of the other 7 profiles. 1 of the no access profiles was legitimate #7.
The only thing that has been changed lately was, 2 days ago a mail profile was deleted as it was no longer used. We used the Database Mail Configuration Wizard to remove it.
Feb 10, 2014
We've got 3 SQL Servers all SQL Server 2012. We have a Master server and 2 production servers (let's call them A and B). The Master has linked servers defined for both A and B in an identical way.
A and B both have the same databases and each has a Stored Proc that gets called by the Master server.
An SQL Agent job executes the stored proc on both A and B.
It works fine against A but not B.
If we execute the stored proc in a query window under our windows account (domainowner) it works, if we use SetUser to pretend to be the SQL Server Agent account (let's call it domainagent) A works and B doesn't.
Executing against B returns the error "Access to the remote server is denied because the current security context is not trusted."
domainagent is a sysadmin on both Server A and B.
Trustworthy is set to ON in both the Master Server Database it's executing from and the remote databases on both A and B.
All 3 databases have the same owner (let's call it domainowner).
Apr 4, 2007
I know it's "best practice" to dispose ado.net objects, but does it make a big difference if just the connection is closed? In other words, is the code below good enough or should the DataAdapter & Command be explicitly closed?
using (SqlConnection cn = new SqlConnection(connstr))
{
    SqlDataAdapter da = new SqlDataAdapter(sql, cn);
    DataSet ds = new DataSet();
    da.Fill(ds);
    SqlCommand cmd = new SqlCommand(someOtherSql, cn);
    cmd.ExecuteNonQuery();
}
Sep 24, 2007
hello to all, I am finding myself in a confusing problem.
Every day the log file of my application increases by 10 GB. Every time I find more than 100 connections open in SQL Server 2005 under my database.
I am using the SQLHELPER class by Microsoft. I am not putting my code in a try-catch block. An example
of one of my frequently used functions is as follows:
protected Int64 GetMemberID()
{
    String SqlSelect = "SELECT * FROM MemberMaster WHERE MemberUserName= '" + Session["UserName"].ToString() + "'";
    SqlDataReader dr1 = SqlHelper.ExecuteReader(ConfigurationManager.ConnectionStrings["CowcallConnectionString2"].ToString(), CommandType.Text, SqlSelect);
    while (dr1.Read())
    {
        CurrentMemberID = Int64.Parse(dr1["MemberID"].ToString().Trim());
    }
    return CurrentMemberID;
}
Well, I suspect I am opening a connection and not closing it. Moreover I do not know how to close the connection in the above code when I am using the SQL helper class. Please give me your suggestions regarding my code even if it does not solve the above two problems.
Nov 15, 2004
How do I set up a job so that I close all open database connections? I think we have a leak in our code which causes our DB to go down (max connections used) roughly once every month, so we just restart the SQL server. Until we can find the exact problem I'd like to do this.
For simplicity's sake let's say my database name is just "test."
Thank you.
Feb 23, 1999
I have an app that people frequently disconnect without a logout and the connection remains open in SQL Server. Does anyone know of a script or program that will go through and kill inactive connections?
Feb 27, 2008
Hi Friends,
We need a small suggestion regarding releasing the resources utilized before closing the session we established with the SQL CE database. To the best of our knowledge we are releasing the resources properly, but still somehow some resources get locked and we are not able to open a new session after closing the existing session.
Are there any functions or methods available to identify the existing resources, rowsets and other components that have a connection with the existing session? Kindly help us in this regard, since we are stuck mainly on this issue.
We work with EVC++ 3.0 and SQL CE 2.0
Thanks in advance.
Regards,
Sasi.
Mar 7, 2008
Hello:
I have the following script written in VB that opens a connection to an Analysis Services DB in a script task within my control flow:
Dim oConnectionSR As ConnectionManager
oConnectionSR = Dts.Connections("OLAPServer.Sales")
This script is used by a script task within each of three child packages that are called by a parent package. Each call is made to a different OLAP cube. The first package makes the connection and runs fine. When the second package runs, it still sees the connection value from the first package and fails.
What is the best way to close the connection once it is no longer needed? I have tried the dispose() method, and that did not work.
Thanks for your help!
Tim
Nov 1, 2007
I have a VB (sorry!) app using SQL Express DB. It was all created using the wizard so I didn't have to manually deal with opening connections etc.
Now, I need to be able to email the .mdf file from within the application, but I can't do this because the file is in use.
I have tried closing all forms with DB connections and then doing it but it takes around 6 minutes before the file becomes "free" and attachable to the email.
Can anyone suggest a way of releasing the file so that I can email it?
Many thanks,
Rich
Jun 26, 2007
I have set up my loop to loop through textboxes and fill the corresponding textboxes with the data it retrieves. It seems to work fine, but there is a problem with opening and closing the connection. Below is my code:
int i = 0;
for (i = 1; i <= 3; i++)
{
    //This gets the stock ID from the textbox.
    string stock_ID = ((TextBox)Panel1.FindControl("txtID" + i.ToString())).Text;
    //This is the sql statement.
    string sql = "SELECT [n_or_sh], [title], [cost_price], [selling_price] FROM tbl_stock WHERE stock_ID = " + stock_ID;
    //This creates a sql command which executes the sql statement.
    SqlCommand sqlCmd = new SqlCommand(sql, myConn);
    myConn.Open();
    //This is a reader for the results to go in.
    SqlDataReader dr = sqlCmd.ExecuteReader();
    //This reads the first result from the sqlReader
    dr.Read();
    //This sets the title label text to the value of the description column.
    TextBox currentBox1 = (TextBox)Panel1.FindControl("txtDesc" + i);
    string strtxtDesc = currentBox1.Text;
    strtxtDesc = dr["title"].ToString();
} // end of loop
myConn.Close();
} // end of button click
I have tried putting the myConn.Close() in different places but it doesn't seem to work!
Any advice or tips?
Regards,
Jez
Feb 27, 2008
Hi guys, I am facing a problem. I am getting the error "Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool. This may have occurred because all pooled connections were in use and max pool size was reached." I have checked my whole code and there is no connection leakage... but still connections are sleeping... I have increased my pool size to 500 and now I have a chaos of 500 sleeping connections... However, I have found that even after opening Enterprise Manager I cannot kill the process... However, my administrator can kill the process from his Enterprise Manager... Is there some problem with my credentials, or do I need to find the leakage in my code? However, I have checked twice or thrice, my code is OK and I have closed the connection properly everywhere... I am using SQL Server 2000 and ASP.Net 1.1
Mar 16, 2008
Hi, most of my code follows the following format in a lot of my pages. My question is: am I approaching it the right way in terms of performance, SQL injection attacks and anything else someone more knowledgeable than myself can think of? Please feel free to criticise the code. Thank you.
protected void Page_Load(object sender, EventArgs e)
{
    string strID = Request.QueryString["id"];
    SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["streamConnectionString"].ConnectionString);
    SqlCommand command = new SqlCommand("stream_EventsByID", conn);
    command.CommandType = CommandType.StoredProcedure;
    command.Parameters.Add("@eventID", SqlDbType.Int).Value = Request.QueryString["id"];
    conn.Open();
    SqlDataReader reader = command.ExecuteReader(CommandBehavior.CloseConnection);
    eventList.DataSource = reader;
    eventList.DataBind();
    conn.Close();
}
}
Dec 12, 2005
I have a DAL that I'm trying to implement. The issue is that I want to call a reader from the DAL, but I'm not sure how to close it. I got best practices from MSDN (located here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemdatasqlclientsqldatareaderclasstopic.asp ) regarding the SqlDataReader, but can't seem to figure out how to close it when using the DAL.
Here is sample code in C#:
NOTE: Everything WORKS just fine; however, in the DAL for GetRoutes, I can't seem to figure out how to close the reader (see comments in the function):
mydatapage.aspx...
//Populating some Drop Down List:
private void ddlRoutes_SelectedIndexChanged(object sender, System.EventArgs e)
{
    SqlDataReader dr = DAL.GetRoutes(ddlRoutes.SelectedValue.ToString());
    while (dr.Read())
    {
        . . .
    }
}
DataAccessLayer.cs...
public static SqlDataReader GetRoutes(string sIdx)
{
    cnn = new SqlConnection(ConnectionString);
    cnn.Open();
    SqlCommand cmd = new SqlCommand();
    SqlParameter par = new SqlParameter();
    cmd.Connection = cnn;
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.CommandText = "sp_GetRoutes";
    return cmd.ExecuteReader();
    //Everything works above, however I would think that something
    //like this SHOULD work, but doesn't:
    //
    // SqlDataReader dr;
    // dr = cmd.ExecuteReader()
    // return dr;
    // cnn.close();
}
Apr 20, 2006
If someone could please show me some example VB code where I can open my SqlConnection in the Page_Load subroutine... and then close that SqlConnection in the Page_Unload routine. I want to be able to execute SQL commands without having to re-open and re-close the connection.
Thanks,
Greg
Jun 20, 2006
I'm new to ASP.NET and I've searched before posting. I have a simple form containing a FormView control. The FormView uses a SQLDataSource. This works fine and in 30 seconds I have a working form without writing any code. A form built this way causes problems with connection pooling because I am not closing the connection. What is the best method for me to remedy this? Every resource I've found explains that I have to explicitly close the connection. How do I do that in this case? Dispose the SQLDataSource in the FormView DataBound event? Rewrite the form so I can control opening and closing of the connection? Thanks in advance.
Sep 18, 2007
Hello,
I have a package which runs several child packages. All works well and everything runs, but when it runs each of the children packages, it opens it, runs it and then it stays open. When the whole thing is done, there are about 25 or so open packages. Should they close after they run? Is there a setting I need to do this?
The point I am in SSIS is that I have gotten a decent feel for creating packages, but everything is still in debug mode. I need to take the next step to learn how to have this stuff run automatically or from a procedure outside the SSIS interface. Does that make any sense? If so, where can I learn about that.
Thanks for the help.
-Gumbatman
Jan 31, 2008
I am experiencing a strange problem on a new installation of SQL Server 2000, installed on Windows 2003 server. SQL server has been service packed to SP3a
The users connect to the SQL database via an MS Access project front end, when they log out of the front end the SQL server still show them as connected in Management > Current activity > process info. I can kill the processes left behind but i am confused as to why this is happening.
The database was recently moved from a SQL installation on a Windows 2000 server to this new Windows 2003 server. The problem didn't occur on the old server and no upgrades have been applied to the database or the front end since the move, which makes me think something is not right about the install.
Any advice would be gratefully received
Thanks
Nick
Jul 4, 2007
Hi all
I have a couple of windows forms which share tables or parts of tables.
When I edit a table's data on one form (form2), where its data is linked to another form (form1), when I go back to form1 I find that the fields have not been updated until I close the form and reopen it.
Is there a way to refresh the field on form1 by using a button in the menu bar, and what would the code behind look like? I use VB.
Thanks
Rob