SQL Security :: How To Create A Low Privilege User And Role For Server Session State
May 26, 2015
An old website I inherited uses sa to connect to SQL SessionState and had the details in the web.config. This is bad for security.The session state database is of -sstype "t" which is defined as:Temporary. Session state data is stored in the SQL Server tempdb database. Stored procedures for managing session state are installed in the SQL Server ASPState database. Data is not persisted if you restart SQL. This is the default.What kind of WIndows user, SQL Login, role and permissions do I need to create to make Session State secure? (Windows Server 2012 and SQL Server 2012 mixed mode authentication, Webfarm).
The 2.0 version of ASPSTATE is slightly different than the 1.1 version in that one table has one additional column and another table uses a different data type and size for the key. The 2.0 version also has a couple additional stored procedures.
We'd like to manage just one session state database if possible so we're trying to figure out if Microsoft supports using the new schema for 1.1 session state access (it seems to work, but our testing has been very light).
Is there any official support line on this? If not, can anyone comment on whether or not you'd expect it to work and why?
I have a requirement to allow a user to restore a database and then create database users and add them to the db_owner database role. The user must not have sysadmin rights on the server.
The database restore works ok by placing the user in the dbcreator role.
There is a stored procedure to create the database user and alter role membership, I want the user to execute the sp as a different, higher privilege account so as not to give the user underlying permission to create users in the database.
USE [master] GO
/****** Object: StoredProcedure [dbo].[sp_create_db_users] Script Date: 22/07/2014 13:54:46 ******/ SET ANSI_NULLS ON GO
[Code] ....
The user has execute permission on the stored procedure but keeps getting the error:
Msg 916, Level 14, State 1, Line 2
The server principal "Mydomainadmin1" is not able to access the database "Mydatabase" under the current security context.
Mydomainadmin1 has dbowner to Mydatabase and sysadmin rights for server. If the 'execute as' is changed to 'caller' and run by mydomainadmin1 it works so the issue is between the execute sp and the actual running of the procedure.
My company has a Windows 2008 R2 server which is running SQL Server v11.0.5058. This server was previously running SQL Server 2008 and was recently upgraded. Since the upgrade I have noticed that when I connect to this server using SSMS and Windows authentication it seems as though I have a limited user context as I cannot see SQL Agent in the server tree at all and underneath the server security > logins folder I can only see the sa and SQL Server Windows service accounts (there are many more).
If I connect to the server using SSMS and the sa credential then I can see everything I expect to be able to see as a sysadmin.
I tried connecting as sa, then deleting my Windows AD account from the security > logins folder and reading my Windows AD account with the sysadmin role however this yielded the same result, when I connect using Windows authentication I still appear to be in a limited user context.
We have several other SQL 2008 / 2012 servers within our organization and all of them appear to be working fine / none of them exhibit this problem.
I have an ASP.Net (C# 2.0) application that has been using SQL Server 2005 Standard Edition with Service Pack 1 to hold the session state in a testing environment. Currently, the session state is being stored in TempDB, rather than the ASPState database. This has worked very well for us until yesterday. We installed SQL Server 2005 Service Pack 2, as well as the Critical Update for Service Pack 2 (KB933508). Once the SQL server was rebooted, I got the following error message when I tried to access the web application. The SELECT permission was denied on the object 'ASPStateTempApplications', database 'tempdb', schema 'dbo'.The SELECT permission was denied on the object 'ASPStateTempApplications', database 'tempdb', schema 'dbo'.The INSERT permission was denied on the object 'ASPStateTempApplications', database 'tempdb', schema 'dbo'. In the web.config file for the application, I have a SQL username and password defined that can access the ASPState database. To correct this issue, I had to give this user db_datareader and db_datawriter access to tempDB.
Has anyone else run across this problem, and is it related to SQL Server 2005 Service Pack 2?
I am contemplating storing session state data in a SQL server database (created by running the installSqlState.sql script included in the .NET framework installation) and have established a functioning connection to the database but I am constantly getting "access denied". I've found that tweeking the permission settings in SQL for the ASP.NET user is resolving each specific error that arises but was wondering if there is a more "global" resolution? I'm finding myself having to manually check off each individual object and every option or is this what is needed to resolve the "access denied" error?
Hi, I hv an application which is using ASP.net. The connectionstring in web.config is <appSettings> <add key = "constring" value = "Initial Catalog=mydatabase;Data Source=mypc-pc;User ID=User1; Password=password1"/> </appSettings>"
Then, i hv created a user in SQL Server 2000 which is User1. What should i put for the database role? db_owner or just db_datareader and db_datawriter?
I get the following errors associated with trying to create an SP.
Server: Msg 170, Level 15, State 1, Procedure AddFortuneUser, Line 8 Line 8: Incorrect syntax near '@newuser'. Server: Msg 137, Level 15, State 2, Line 1 Must declare the variable '@newuser'.
Can anyone explain why I have to do a declare. I suspect I have to issue "declare @newuser sysname" somewhere but I'm not sure why.
The following is the code I'm trying to run. My intent would be to create a form for the Admin Clerk that would call this SP. That way they can create a generic login. They have an application that allows them to change the password after the fact. /* Created for Admin person to allow them to add a basic SQL Login Account forcing the user to be a member of a specific role 'helmsman' in a specific database 'Fortune' */ CREATE PROCEDURE AddFortuneUser @newuser char(128) AS EXEC master..sp_addlogin @loginame=@newuser, @passwd =substring(@newuser,1,8), @defdb =Fortune GO if not exists (select * from dbo.sysusers where name = @newuser and uid < 16382) EXEC sp_grantdbaccess @loginame=@newuser, @name_in_db=@newuser GO exec master..sp_addrolemember @rolename ='helmsman', @membername =@newuser GO
My server administrator has created a few users as domain user privilege for connecting SQL server from my application. However it faild to connect, and
with Domain Admin privilege, my app is running ok.
I asked admin person to upgrade domain user privilege to connect SQL server,
but he couldn't do this for security reason, and told it should work with domain user.
Is it true for domain user to connect SQL server without any problem?
Do I need to add the user, domain user, into Logins of Security inside SQL server Enterprise Manager?
Or inside users of my database section of SQL server EManager?
- restore a backup of a 3rd party database onto one of our servers - this has no users that I can use - there is some ETL processing so we're using Control-M to manage the process - create a database user and grant it db_reader.
I'd like to do this without granting any users elevated privileges if possible.
What I've done so far is grant the Control-M user (this is a domain user) dbcreator rights and made it owner of our copy of the database that is being refreshed.
The refresh is completing, but Control-M is not able to log onto the database to create the user.
What is the best way to accomplish this task without granting the control-m user sysadmin rights?
Would I be able to do it if I used a SQL Agent job for the restore and user creation?
I am relatively new to sql developer. There is a new user that just joined our organization. I am trying to grant him the same direct grants privilege to the tables that an existing user has. The existing user has a ton of direct table access privileges and it will take days if I had to do each grant one by one like: grant select,insert,delete,update on 'table name' to 'user id'. Is there a way of copying or inserting an existing user's privilege and granting it to a new user.
HiCan anyone help me with Session Management in ASP.NET. I have a webapplication with a login page and i need to retain the username afterhe logs in. This is what I have in Config FilesGlobal.asax<OBJECT RUNAT="SERVER" SCOPE="SESSION" ID="MyInfo"PROGID="Scripting.Dictionary"></OBJECT>web.config<configuration><!-- This section stores your SQL configuration as an appsettingcalledconn. You can name this setting anything you would like.--><appSettings><add key="conn"value="server=ADVAITH;database=tis;uid=sa;pwd=;" /></appSettings><!-- This section sets the authentication mode to formsauthenticationand routes all traffic to the specified page. It alsospecifies atimeout. The authorization section below denies all users notauthenticated. For testing purposes, custom errors was turnedoff.The section below allows pages to be trace enabled fordebugging--><system.web><sessionStatemode="InProc"cookieless="false"timeout="20" /><authentication mode="Forms"><forms name="MyFormsAuthentication" loginUrl="login.aspx"protection="All" timeout="720" /></authentication><authorization><deny users="?" /></authorization><customErrors mode="Off" /><trace enabled="true" requestLimit="0" pageOutput="true" /></system.web><system.web></system.web></configuration>When i assign the user name in the log in page it workssession("username") = txtUsername.TextBut if I use a new session variable or the username(session variable asdeclared in the login page, in the menu page it gives me error sayingthat Decralation is expected . Is there any files that i need to importb4 using sessions??Please help me out. My email:bramanujam@gmail.com
I'm currently storing session state in a sql 2000 server for my vs.net 2002 projects. I'm currently developing a new project using vs.net 2005 and was wondering if I could store the session state in the same sql server. Does anyone know if this is possible? If so can someone point me in to an article or code example. All of the examples I have come across are for sqlExpress. Thanks in advanceJason
I have SQL 2005 mmirroring sucessfully working in an ASP.NET 2.0 web application. I also have session state being maintained in SQL Server using the built-in functionality in ASP.NET. The problem is, even with "allowCustomSqlDatabase=True" and specifying a failover partner in the DSN, it appears that ASP.NET does not work with the failover partner. It always tries to get the session info from the "data source" server specified in the DSN.
Is there a way to get the session state to fail over to the mirrored server without writing a custom session state provider?
There is a STIG Check that does not allow grant "Connect SQL" directly to any logins except SQL System and the SA account. My way of resolving this is to do the following:
Step One: We create a Server Role called SQL_APPLICATIONS – for the application accounts We create a Server Role called SQL_DBA – for the DBA accounts and give them direct “Connect SQL’ server permissions. MAKE THE ROLE OWNER = sysadmin (group)
Note: I think that creating a Server Role is only available starting with SQL Server 2012, but not sure. I am using SQL 2012
Step two: I add the members (Logins - SQL & Windows) – in this case any application accounts and DBA accounts to the new roles respectively
Step three: I remove the “Connect SQL” Permission from each Login
The first problem i noticed is that the maintenance plans failed with "The owner domainusername of job db_backup does not have server access.I am currently using a test system and wondered If you think I will have trouble with the application connecting when I try and implement on the production systems.
it is possible to grant all privilege (CRUD) to specified table to user. But, now, i want to grant all privilege (CRUD) of all tables, views, sp, ... of database to the user. is it possible?regards,
I need the application not to expire the session always. I need to maintain the session always even if the user keeps the web application idle for long time.
I'm not sure what happened, but all of a sudden my SQL Server Agent service won't start. When I try to start it, I get the following error in the event logs:
"SQLServerAgent could not be started. Error creating a new session".
When I look in the Agent log file, i see the following:
Execute permission denied on object sp_sqlagent_has_server_access
Execute permission denied on object sp_sqlagent_get_startup_info
hi, can anyone help me out with this report.I need to produce a report for the database level user permission.like for a database: DB_A, I want to output as such:[SELECT] [INSERT] [UPDATE] [DELETE] [CREATE TABLE] .... otherpublic G Dguest D D D D Ddbo G G G G Guser_A G D D D GG stands for Grant and D stands for Deny.I need not only to look at direct grant/deny but also whether that useris a member of fixed database role and fixed server role. like dbo willhave G on all.I am trying to look into sysprotects table and looking at lines with id= 0 but I just can't get to know what different action and protecttypenumbers means!Many thanks
Hi friends, I have created a database DB1 using CREATE DATABASE DB1 command. Then i created login name using CREATE LOGIN login1 WITH PASSWORD = 'password1' command and created user name using CREATE USER user1 FOR LOGIN login1 command. Now i have to assign the user1 to the database DB1. Any one please tell me how to assign DB1 access privilege to user1?
I want to use an Active Directory security group that is a Distribution List for a new role assignment for an existing report. Can someone tell me if this is possible? I get an error each time I try:
The user or group name <DLName> is not recognized. (rsUnknownUserName)"
Hi. Thru a sproc, I drop & re-create some temp tables.When I call that sproc from the client, though, I cannot drop thetables.I need to allow the user, say "Alex", to drop/create tables (actually,that would be DDL). Which role should "Alex" assume ? How do I do that?I run the following sproc named, say, "CREATE_TABLE" (SNIP):__________________________________________________ __________________Set @StrSQL = 'if exists (select * from dbo.sysobjects where id =object_id(N''[dbo].[' + @TableName + ']'') and OBJECTPROPERTY(id,N''IsUserTable'') = 1) drop table [dbo].[' + @TableName + ']'Exec (@StrSQL)Set @StrSQL = 'CREATE TABLE [dbo].[' + @TableName + '] ([GROUP] [varchar] (6) COLLATE SQL_Latin1_General_CP1_CI_AS NULL ,...........[Stuff] [varchar] (20) COLLATE SQL_Latin1_General_CP1_CI_AS NULL) ON [PRIMARY]'Exec (@StrSQL)Set @StrSQL = 'GRANT SELECT , UPDATE , INSERT , DELETE ON [dbo].['+ @TableName + '] TO [Alex]'Exec (@StrSQL)__________________________________________________ __________________As you can see, it is dynamic, because I need to repeat it for many@TableName values - that means, further more, that I will be executingthis in the context of the current user, Alex, and therefore I have togive Alex rights to both executing the sproc and to the tables referredto by the sproc, as specified by @TableName.I created a _TEST sproc which contains only the following:_______________________________________________CREATE PROCEDURE _TEST ASDROP TABLE [dbo].[SomeTable]RETURN_______________________________________________When I execute it from the client, thru ADODB, on user Alex, I get"User does not have permission to execute this operation on tableSomeTable"The table has been created thru "CREATE_TABLE", abovePlease help, I have to finish this tomorrow, and I'm under tons ofpressure.Thanks a lot,Alex.
After adding the Witness Server to the Mirror session, the Witness Connection state between the Mirror and Witness Connection is Disconnected and the state between Principal and Witness Connection is Connected.
The procedures defined in Books Online was used to setup Database Mirroring...when the Witness server was added to the Mirror session, only the alter database T-SQL statement was executed on the Principal server.
ALTER DATABASE <db_name> SET WITNESS = 'TCP://<servername>:<port>'
After executing the above statement, a few seconds later the state between Principal and Witness Connection changed to Connected and the state between Mirror and Witness Connection remains Disconnected.
The Mirror session is not using Certificates, every server is on the same domain, using the same domain login account, and all servers have SP2 installed running Enterprise Edition.
Any idea's why the state between Mirror and Witness Connection remains Disconnected?
I have a user with DBCREATOR Server role only. That user is able to create database but create table permission denied. how would I set permission on this user, so that this user can create databases and automatically becomes the DBOWNER of that database and can do any action on that database.
I would like to determine if a particular user has sysadmin serverrole. Is there a way to do this via the connection string? Currentlyour code checks if a login is valid using SQLDriverConnect, however weneed to be certain that the user can login and modify the schema.Is it possible to fetch a user's server role to determine if it has asysadmin server role?
I wish to create a user that can backup any or all databases in our SQLServer 2000 Instance. I thought there would be a server role for thisfunction, however I can only find that after I grant access of adatabase to the user, then I can choose ds_backupoperator.I want to create a user that will have the ability to backup all thedatabases. I dont wish to have to come back to the server after a newtable is created and add the backup user to that table.I want SA w/o the full privilage...am I crazy?Any Suggestions?TIARobBackgroup: We currently have about 10 SQL servers, and adding more inthe future. I am using SQLBackup from Idera along with HP SurestoreTape library (60 slots,2- DLT8000 drives with 40/80 GB capacity) withArcServe from Computer Associates. I want to have this automated tobackup to file then tape, regardless of what databases get created.
SQL Server 7 i did a restore of a database, then tried to add the User login to it, but when i select database access, i get the followinf error :- "Error 15023, user or role already exists !
the user did exist on the Database, but when i select Database,Users or Database,Roles the User doesn't exist !! so i can't drop it !
I had thought that I had posted this yesterday but since I cannot findit here we go again.I have searched the archives but either the code I want is not postedor I missed it.I have a user create role in a database that I need to reproduce inanother version of the database. Does anyone out there have the SQLor T-SQL necessary to generate all the grants to a role?-- Mark D Powell --
I am having a problem with creating databases in MS SQL 2005 Server. When I attempt to assign an User Mapping for my SQL user account to the newly created database, the "dbo" user and schema is already assigned. When I try to drop this user in favor of my own, I receive an error message: Cannot alter the user "dbo" (Microsoft SQL Server, Error: 15150). I am connected to my database engine through the "sa" account.
How do you handle user level security with SQL Server 2005?
Say I have an HR database.
In Active Directory I have two groups: Managers, Employees.
Now in this HR Database I want to setup permissions in such a way that Managers can see all employees under them (but not other managers) and the employees can only see themselves.
(I'd have various levels of management defined in a table somewhere, so that each employee has a manager ID that links to another employee so that the CEO would be manager of everyone by working down the chain).
What I'm trying to understand is the best way to handle the permissions.
I'm not entirely clear on how to deal with that.
Would I use user chaining to do that, I wouldn't need impersonation (that's just for instances where you want dynamic SQL and it won't execute with user chaining, correct?)
Anyway, just looking for some general direction on this (obviously I need to get a good book it would seem).
Would I create a stored procedure that runs with EXECUTE AS permissions so that I'd have a non-interactive login it uses that has table access then all the other users have permission to execute the sproc?
So that sproc runs, pulls back a SELECT * FROM tbl_HRINFO and using a WHERE constraint limits who is returned WHERE SupervisorID = CurrentLoggedInEmployeeID ?
Also: How can I determine who is logged in and running the procedure, would the sproc use the SELECT USER_NAME command to see who was running it?
As you can see, I'm working from square one on all of this. Not sure if my posting entirely made sense, but hopefully someone can get me pointed in the right direction, thanks!