Secure SQL Server + IIS 6.0 Setup - System DSN Problem
Sep 25, 2007
Greetings all,
Please allow me to describe my setup briefly and then I will jump into my problem/questions. I am trying to setup a shared hosting/DB type environment in a secure manner. I have two Windows Server 2003 boxes where Machine 1 is the DB server (MS SQL Server 2005) and Machine 2 is the web server (IIS 6.0). The web server may ultimately have 5-6 different customers (web applications/domains) on it.
In order to keep an exploit/poor code in one customer's application from accessing the files of another, the server is being setup so each website instance runs with a different low-privileged domain account (in Domain Guests). For example, for Website 1, the Directory Security will be setup so it runs with DOMAINIUSR_website1 and for Website 2, the Directory Security will be setup so it runs as DOMAINIUSR_website2. Both of these accounts are in the Domain Guests group and no other groups. This was chosen so that the DB used by each websites on the SQL Server could have read/write permissions granted to the appropriate user. On the web server the SYSTEM DSN is setup to access each database. This way if there is a DB setup with permissions for IUSR_website1 and it gets called by IUSR_website2, access will be denied. If I ran each website instance as the same user, they could in theory still called this DSN and access someone else's database.
Now here is the problem I get. First, the website access works just fine with it setup as the Domain Guest user account. However, when I go to the called the System DSN for DB access I get this error:
---------
Microsoft OLE DB Provider for ODBC Drivers error '80040e4d'
[Microsoft][SQL Native Client][SQL Server]Login failed for user ''. The user is not associated with a trusted SQL Server connection.
/login.asp, line 7
--------
Line 7 of login.asp is as follows:
objConn.Open "DSN=DSN_CTO_SQL"
--------
So it appears there is something that is failing here. For troubleshooting purposes I have taken that IUSR_website1 account and placed them into the Domain Users group instead of Domain Guests. This fixes the problem. However, it's not the most secure setup to run the web/SQL stuff as a Domain User. Any ideas on why it works fine if the account is in Domain Users but not with Domain Guests? I even went to the registry key for HKLMSoftwareODBC and gave DOMAINIUSER_website1 specific read permissions. This did not fix the problem.
Can anyone make a suggestion or know what the issue is? How are people running secure IIS 6.0 + SQL Server setups for shared environments?
I have XP Pro SP2 with MDAC 2.8.1022. It had a problem so I tried to reinstall MDAC and got a Fatal Setup Error. This setup does not support installing on this operating system. I downloaded MDAC 2.8 1177 and get the same error.
I thought of uninstalling/reinstalling SP2, but this is a 2 month old Dell Latitude 610 with factory installed XP. There is no Windows Service Pack 2 option listed in the Control Panel > Add/Remove Programs.
There's some other strange things, so I wonder if they are related.
1) I have Paul set up as an administrator account. Some folders like MSSQL show that account with no permissions. I grant all the permissions to Paul for that folder. I come back later and the permissions are gone.
2) I deleted 20 files in Explorer, but 7 of them did not go away. I deleted those 7 again and they instatnly reappeared. I deleted those 7 again and then they finally went away.
3) I get a slow reaction time for things like Windows Explorer and opening and closing programs. This is suprising since it has 2 gig of RAM and 2.3 Gig processor. Could it be a memory handling problem that's causing OS problems. Probably, the memory didn't handle the OS installation well and the whole system is compromised now.
I am trying to save my package (using MS Visual Studio) with ProtectionLevel = ServerStorage but it is failing with the following error "failed to apply package protection with error 0xC0014061, the protection level, serverstorage, cannot be used when saving to this destination. The system could not verify that the destination supports secure storage capability...". I am trying to test a scenario on which the package is saved in SQL Server/msdb and schedule the package via SQL Job Agent. Can someone show me how to save a package using serverstorage and schedule it via SQL Job Agent?
Help please... We have developed a system for a medium size company in NYC using SQL Server 2000. We are about to go live and thought it may be a good idea to upgrade first from SQL Server 2000 to 2005.
I believe standard edition would be sufficient but I am not 100% sure... There isn't a whole lot of data but high availability is crucial. I was thinking of a 2-node fail over cluster setup and/or mirroring. We need only one instance of SQL Server with about 30 client machines accessing the same databases.
Any thoughts/comments as far as: Standard or Enterprise? What type of licensing? Support agreement? What about the best setup for highest availability? (fail over cluster vs. mirroring vs. replication)
I've been asked to build a 64bit Windows 2003 server which will SQL Server Enterprise 2000 64bit edition on it. This is my first foray into the world of 64 Server OSs, so hoping to get some advise from the wise. This will be used as a back end to a web application. This server has been purchased with 5 disks (all 146GB disks) in it. Currently this has been setup from the manufacturer as RAID 1+1 with 1 disk not allocated.
I was going to reconfigure the logical drives to have RAID 1 (2 drives) which has OS and swapfile on it, and RAID 5 (3 drives) with all SQL data (the main DB I am estimating to be 20-30GB) on it.
Reading through a couple of forums and google results regarding determining stripe size, it seems some people are recommending putting the tempdb and logs on a seperate drive to the rest of the SQL data, as well as trying to get the optinum strip size.
Can you let me know your opinions on if my proposed logical drive setup seems OK (or just keep one logical drive as either RAID5 or 6), and if tempdb and logs should be on the OS, or should stay on the RAID 5 array? Also, for the stripe size, should I think the same as a 32bit OS, and just use 128/64 or 64/64?
I am using windows 8 and I have only one user in laptop. While installing SQL 2014, I am getting an error (Missing System Administrator). Under SQL Server Agent and SQL Server Database I have select the system user and gave the password but still I am getting the error.
When I install SQL 2012 on MS Server 2008 R2, I get this error..The following error has occurred: The system cannot open the device or file specified. Click 'Retry' to retry the failed action, or click 'Cancel' to cancel this action and continue setup.
The file in question is Install_VSShell_CPu32_Action. when I retry, the error is..The following error has occurred:SQL Server Setup has encountered an error when running a Windows Installer file.Windows Installer error message: This update package could not be opened. Verify that the update package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer update package. Windows Installer file:
Windows Installer log file: C:Program FilesMicrosoft SQL Server110Setup BootstrapLog20130522_143111VSShell_Cpu32_1.logClick 'Retry' to retry the failed action, or click 'Cancel' to cancel this action and continue setup.
I'm running W2K3 SP1. The MDAC Configuration Checker reports MDAC 2.8 SP2. The only discrepancy is MSADCO.DLL, where the expected version is 2.82.1830.0 and my actual version is 2.82.2651.0 (svr03_sp1_gdr.060301-1546).
The error message I'm getting when I use the ODBC Administrator dialog to set up a new entry is: "The setup routines for the SQL Server ODBC driver could not be found. Please reinstall the driver."
This is followed by a dialog titled: "Driver's ConfigDSN, ConfigDriver, or ConfigTranslator failed." The body text of the dialog is "Component not found in the registry."
hi this is my 1st time on this forum, I need to keep my DB secure on SQL server, that no body can enter into my DB and couldnt see my tables and other elements of DB.
When I'm getting data from sqlserver using ado.net and a sqldataadapter, are the resultant network traffic packets secure? If I wanted to deploy my objects at a remote site, would I still be safe going straight to my sql server from there or should I build a web service and then auto generate 'remote' versions of my objects that will then communicate to the web service on https?
I've been provided with a server at a hosting company. The server is running W2K3 SP2 in its own workgroup (i.e., non-AD) configuration, but is not behind any type of hardware firewall; there is no VPN in place, either. I connect to the server via RDP using an extremely long and complex password. I'm using the newest version of the RDP client. The article "Hacking RDP" and the ensuing reader comments (http://mcpmag.com/columns/article.asp?EditorialsID=1699) indicate that using RDP in this fashion is relatively safe.
I installed SQL Server 2005 SP2 on this server. I set server authentication to 'SQL Server and Windows Authentication mode'. I created one obscure SQL Server login, using another extremely long and complex password. I also disabled the login for the 'sa' account.
Since installing SQL Server on this server, I've noticed thousands of Failure Audit events in the server's Application log:
Source: MSSQLSERVER
Description: Login failed for user X
where X equals 'administrator', 'root', 'server', 'database' 'sql', 'sa', etc.
These failure events occur almost non-stop, about a dozen per second, and come from a small pool of unknown IP addresses. The IP address seems to change every few hours. I'm guessing that someone is hoping that one of these names is an actual SQL Server login and is trying a brute-force attack to try to stumble upon a matching password. None of these logins are valid, but it's still disconcerting. Is this anything to be concerned about? I could have the hosting company block the IP addresses, but that seems like a losing battle.
Lastly, I used the Surface Area Configuration tool to allow local and remote connections, using TCP/IP only--so that I could begin interacting with this SQL Server from my PC, using both SQL Server Management Studio and my own Visual Studio code. For each method, I'm using the obscure SQL Server login that I created earlier--the one with the extremely long and complex password. How (un)secure is my traffic to/from this SQL Server? I don't believe that my credentials are encrypted, but I'm not sure how much of a risk this is nor do I know how else to more securely connect to SQL Server.
Given these circumstances, is there any way to make this resource more secure? Thanks!
I am running a number of SQL instances on my PC. Within the network, I have think server with various System Center components. For compatibility reasons, some features of System Center 2012 R2 had to be delegated to different SQL databases. My question is, because there is now more than one IP address on my system, and each instance of SQL is assigned to its own IP, is there a way to setup DNS and SQL so the namespace points to the desired IP address? For Instance:
MSSQL2008 instance is set to run on = 11.12.13.1 MSSQL2012 is set to run on = 11.12.13.2 IN DNS: A Record: Mike-PC = 11.12.13.1 A Record: Mike-PC = 11.12.13.2
If I want to use MSSQL2008 by specifying Mike-PC as the DNS name, how would I do that with 100% accuracy? If there is another way to get the job done, I am more than willing to approach this differently.
I'm writing a C# application which connects to a local SQL database for data access. The application connects to SQL Server through windows authentication, but opens up the port and sqlbrowser to others on the network wanting to access the database through SQL Server authentication, and also allows remote users to connect to this server remotely if they have the login and password (and because the port is already open)
I understand this is not secure and open to attack, and am unsure of how to secure these processes without blocking these three types of access, from A.) the local user, B.) the network user and C.) the remote user across the net.
Have researched this a fair bit, but get somewhat lost amongst all the jargon.
I have some doughts when i am securing my MsSql Server 2005 report service project, Currently i have secured using windows authentication mode, Now my problem is how to authenticate the users using forms authentication and custom authentication method ? and how do i implement the access rights to the users (authorize the users )? Any idea ? has anybody got any smaple code or article ? thanks regards sujithf
We currently have a few reports running on a external website. The users have to log in to the website using their Domain Username and Password. Our network admin wants to move from simply http, to a secure https protocol.
My question is: Are there any conciderations for making this move? ...Will it break my reports?
I am trying to deploy reports to my secure report server. When I attempt to deploy it's not authenticating me and I get an error:
TITLE: Microsoft Report Designer ------------------------------ A connection could not be made to the report server https://reports.******.com/ReportServer. ------------------------------ ADDITIONAL INFORMATION: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (System.Web.Services) ------------------------------ The remote certificate is invalid according to the validation procedure. (System) ------------------------------ BUTTONS: OK ------------------------------
my package requires a send mail task and i must use a secure non-windows smtp server. can someone please tell me how to configure the smtp connection manager so i can do this? thanks.
I am trying to get my hosting company to provide a way to make secure encrypted connections from my desktop (where I am using Enterprise Manager and Aqua Data Studio) to their shared MS SQL Server.
I've seen some references to SSH, but I don't understand how this works or how the host would implement it. I also read that an SSL certificate can be installed on SQL Server, but it doesn't seem as if EM or ADS can make SSL connections to SQL Server. (In case it makes any difference for either of these solutions, the hosting company has port 1433 open, and will not close it because some clients connect to the DB server from web apps on their own intranets.)
Finally, if a web-based admin is used instead (like phpMyAdmin for MySQL), then which machine is the software installed on? Can it be on a web server that makes a local connection to the DB server or does it have to be on the DB machine? E.g., if I had a VPS or dedicated server at the same hosting company would I be able to install web-based admin software which would then connect to the host's shared SQL Server?
Anyway, my host is giving incomprehensible (to me) objections to all of these ideas. Is there a reasonably simple way to do this on a shared DB server?
My question is about allowing and securing connections to SQL Server 2000 over the internet. The company that I work for has an application server that several of our clients connect to via the internet using secure .NET remoting. Basically, the clients have a desktop application that they run that creates a remoting connection to our server software and we handle the server/database part. Anyway, one of our clients now wants to use Crystal Reports to run ad hoc queries on their data that is hosted on our SQL 2000 database server behind our firewall. Obviously, opening up a port in our firewall and allowing someone to run ad hoc queries on the database makes us all more than a little nervous about security.
Has anyone else here had to deal with this sort of situation before? We'd like to set up a secure, encrypted connection for this one client, but still keep it locked down for everyone else. Is it as simple as enabling encryption and generating SSL certificates for the client machine and our server? I've only been able to find a few resources that help with bits and pieces of the problem, never anything tackling the issue as a whole. If anyone has any thoughts, experiences, links, etc. to share it would be greatly appreciated. We are a small company and no one here has experience with this sort of thing.
Ok guys, I am trying to install Sql server 2005 on Vista but I am still stuck with this warning message in the System Configuration Check during Sql server 2K5 installation :
SQL Server Edition Operating System Compatibility (Warning) Messages * SQL Server Edition Operating System Compatibility
* Some components of this edition of SQL Server are not supported on this operating system. For details, see 'Hardware and Software Requirements for Installing SQL Server 2005' in Microsoft SQL Server Books Online.
Now, I know I need to install SP2 but how the hell I am going to install SP2 if Sql server 2005 doesn't install any of the components including Sql server Database services, Analysus services, Reporting integration services( only the workstation component is available for installation)?
Any work around for this issue?
P.S.: I didn't install VS.NET 2005 yet, can this solve the problem?
I am developing an application for a big office which uses SQL Server 2000. Apart from my database, on that server, there are two databases by other companies. The administrator also has access to server but the client only wants him to backup the database.
I have two questions:
1) First of all (if it is possible) I would like to protect my own database from the other companies.
I don't want them to:
see the data in the tables (around 20 tables) make changes to the stored procedures (more than 100 stored procedures) be able to backup the database
2) The client will save sensitive data to the database (mainly currency amounts, salaries etc) which he wants to keep hidden. I am using float type for these fields and I would like to make the data encrypted. I could do it for nvarchar fields but changing these float to nvarchar would be time consuming.
I am a bit stumped by error generated when attempting to connect to the report url.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The only thing I can think of is a certificate is issued to the server (all domain devices) via group policy by cert authority running on the domain.
If I check the bindings within Report Services Configuration Manager the certificate is referenced.
I have tried removing 443 but I am still unable to connect.
A neutron walks into a bar. "I'd like a beer" he says. The bartender promptly serves up a beer. "How much will that be?" asks the neutron. "For you?" replies the bartender, "no charge."
I have an issue with SMTP server " send mail task ". we see the following error [Send Mail Task] Error: An error occurred with the following error message: "The SMTP server requires a secure connection or the client was not authenticated.In SMTP connection manager what we should give in SMTP SERVER, if we use gmail id's in send mail task editor.
I have created a windows library control that accesses a local sql database
I tried the following strings for connecting
Dim connectionString As String = "Data Source=localhostSQLEXPRESS;Initial Catalog=TimeSheet;Trusted_Connection = true"
Dim connectionString As String = "Data Source=localhostSQLEXPRESS;Initial Catalog=TimeSheet;Integrated Security=SSPI"
I am not running the webpage in a virtual directory but in
C:Inetpubwwwrootusercontrol
and I have a simple index.html that tries to read from an sql db but throws
the error
System.Security.SecurityException: Request for the permission of type 'System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) at System.Security.PermissionSet.Demand() at System.Data.Common.DbConnectionOptions.DemandPermission() at System.Data.SqlClient.SqlConnection.PermissionDemand() at System.Data.SqlClient.SqlConnectionFactory.PermissionDemand(DbConnection outerConnection) at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection,
etc etc
The action that failed was: Demand The type of the first permission that failed was: System.Data.SqlClient.SqlClientPermission The Zone of the assembly that failed was: Trusted
I looked into the .net config utility but it says unrestricted and I tried adding it to the trusted internet zones in ie options security
I think that a windows form connecting to a sql database running in a webpage should be simple
I want to make the ReportServer and Reports pages secured i.e not allow anyone to access these pages via browser.
I login to a machine as user ABC. This user does not have permission on reports. if this user accesses ReportServer or Reports, expected is that access should be denied unless I enter an account that has been given permissions. for e.x. following pages should be secured. http://<reportserver>/Reports http://<reportserver>/Reports/Pages/Report.aspx?ItemPath=%2f<Report_Project>%2f<Report_Name> http://<reportserver>/ReportServer http://<reportserver>/ReportServer?%2f<Report_Project>&rs:Command=ListChildren
Actual result is that I am able to access these pages. When I click on the report I get the error (this is expected) but then user ABC should be shown error on first page itself.
In short, for all the accounts that do not already have permissions on reports, the server should challenge me to enter an account and password. Is there some setting in the configuration file? Any help would be appreciated Thanks in advance!
We're doing upgrades from SQL 2008 R2 to SQL 2014. This is blocked due to RS is installed but not configured. Our desired action is to uninstall RS and proceed with the upgrade. But when setuparp.exe is raised, it does not list all the features on the 'Select Features' page. In fact, it only lists the last 2 shared features (SQ Client Connectivity SDK and Microsoft Sync Framework). However, all items appear to be listed on the 'Select Instance' page including RS. I've seen this issue on 2 of our SQL 2008 R2 Servers already.
I'm trying to install SQL Server Management studio 2012 on my Windows 7 (x64) standalone laptop. When I click "New SQL stand-alone installation..." it runs a Setup Support Rules check and always fails "Setup Account Privileges". I've looked into the error and I keep getting that I need to change security rules but I don't have that option in window 7. How do I get around this without having to resort to a computer running Windows Server?
I have Visual Studio 2013 premium installed along with Localdb v11. I just want to connect and manage my database engine through SSMS when developing any application.
This forum is intended for users who are new to SQL Server, and have basic usage questions. If you have setup or installation issues or questions, you should check out the Setup forum.
I am designing an application built on sql server 2000 how can I prohibit other sql server users from accessing my database and allowing only acceesing it through my application or through owner designer of sql server database.
my situation needs sometimes copying the db from the end user platforms to my designer computer to analyze some problems or maintainenace or modification, and also I have no control on users windows environment and I need the end user professional not to enter the my db from outside my application.
So, is there anything I can do to secure an MDF (MSDE/SQL Server 2000) file so that a user cannot see my schema under any circumstances.
Even if I lock the MDF down and secure the instance, a smart user can just shut off the SQL server, copy the MDF to another instance, sp_attachdb and open it with sa rights. I need a way to prevent others from getting inside my schema.