Securing Microsoft SQL Server
Mar 9, 1999
Hi all,
Does anyone know where to find any articles/information on how to secure Microsoft SQL 6.5 Server, apart from SQL online books?
Panchal
Rayd Abdou writes "Hi all, I have an SQL server at my home and I think I got hacked from it :( and I really want to know what to do to secure the SQL Server from that. Disable permissions?
What commands?
Thanks for helping me..
Rayd."
Hi all,
I have been given a task of securing an SQL Server 2005 that is currently open to SQL injection attacks. I have identified 3 main areas that I need to secure, these being:
1. Different SQL Server logins - currently all database work from the site is performed using the sa account (don't ask me why they've left it so open to attack, I've not long started here!)
2. Custom error pages - to reduce feedback to a potential attacker on the database structure
3. Query validation - any dynamically generated queries will be passed through a validator in order to possibly strip out any commands that we identify as those that an attacker would attempt to pass via the URL.
Obviously, point number one is the big one. Based on this, my question is, what are the series of steps I would need to go through in order to:
a) set up a user login that has read access to many of the database tables (and execute access to some of them)
b) set up a user login that has read/write/update/execute access to other tables and stored procedures
I have read a lot about schemas, but I haven't had that many dealings with SQL Server 2005 (yet), and haven't been able to find a step-by-step guide to setting up a schema/users and assigning permissions to them.
If someone could point me in the right direction of an "idiot's guide to", that would be great, or if there's anyone that could list the steps I need to perform, that would be even better.
Also, if anyone has any other suggestions about how I could secure the server, I am all ears.
Thanks in advance,
Paul
Hi all,
What is the best way to keep the data secure in my SQL Server 2005, and what is the best way to secure the communication between the client application and SQL Server 2005?
Thanks,
Shyam
I have what some might consider a dumb question but I really don't know the answer.
Until recently all our .NET work has been hosted on our internal network and the SQL Server (2000) was not open to the outside. However, recently our company is looking at hosting other outside SQL Server applications that require users across the country to connect directly to our SQL Server (not through an ASP.NET app).
The concern we have is that ASP.NET runs on the NETWORK SERVICE account. If a user outside our network were to know the IP and name of one of our databases, could they connect with ASP.NET using a Trusted Connection, or do trusted connections only work if the application is hosted on the same network?
One of the applications we are looking at hosting is showing a list of all databases on our server (I did find the article on modifying sp_MSdbuseraccess but that didn't seem to work), so if someone got hold of this list would they be able to connect?
Thanks
I want to know how I can protect my SQL Server database. SQL Server 2000 does not have a database encryption feature, and using only authentication is not a fool-proof solution as far as a stand-alone desktop application is concerned.
Does password protection of a SQL Server 2000 database really work when you have all types of cracking tools widely available on the net?
Hi,
How can we restrict the copying of MDF and log files?
Thanks
Avi
Hello,
I developed a small desktop system using SQL Server 2005 Express as the data backend. The machine that hosts SQL Server 2005 Express, as well as all the workstations that interact with it, belong to the same private LAN segment. All of them have non-public IP addresses from the 192.168.0.x range, which means they're not directly visible from the outside world, despite having internet access through a router that does NAT. As we all know, this is the typical scenario for sharing internet access in a small LAN.
Now, my concern is with the security of the host running SQL Server 2005 Express. In particular, what measures do I have to implement to minimize the risk that may come from the public internet? It's naive to think that because the potential attack surface is NATted behind a router, security is guaranteed and data theft or DoS attacks simply won't happen.
What are the guidelines for securing SQL Server 2005 Express in a scenario like this?
(Side note: SQL Server 2005 Express is running on Windows XP Pro)
Thanks.
Fernando
Hello,
We are currently live with a CRM solution (Siebel) that uses SQL Server 6.5 as the back end. All is fine and dandy, except I have some reservations about security.
Quite simply, it is possible for anyone to open up MS Access and link to any of the SQL Server database tables via the ODBC DSN used by the Siebel front end. This DSN is necessary for Siebel to function.
I am a bit worried that someone (out of incompetence or spite) might do just that and cause some serious damage. It's probably technically beyond the large proportion of our users (especially those that could make mistakes!), but I can't get the nagging fear out of my head.
Does anyone know of any way to combat this problem? I have scoured the web, including this site, and can't seem to get any information on this.
Thanks and Regards
Dike
Hello.
Not an SQL admin. We have an SQL 2005 server that has about 5 DBs on it. One database is maintained primarily by a third party. Often when they need to do upgrades they log in remotely to the desktop of our SQL server. Is there a way to apply permissions to specific databases like you would for NTFS? That way they can only back up their database and not do anything to any other databases? Thanks.
Hello!
I developed a database-driven .NET application and I need to deploy it. I faced a problem, which is "how to protect my database against direct access". I use MS SQL Server 2005 Express Edition as a DBMS and the appropriate database.
I want to make it possible to manipulate data in my database only through my client application.
1. How do I define the SA password and instance name in silent mode of the MS SQL 2005 EE installation with Mixed type of Authentication?
1.1. Can I change the SA password after the installation?
2. If my database is attached to my new instance... Is it possible to copy my database, attach it to another instance and get direct access to its objects?
Is there a solution that makes it impossible to connect to my database on a third party's side directly, without using the client application?
I appreciate any help.
Hi
I am trying to use the Association Viewer Control in
Microsoft.AnalysisServices.Viewers.DLL in VS 2005 but sometimes it gives an error.
"Code generation for property 'ConnectionManager' failed. Error was: 'Property accessor 'ConnectionManager' on object 'AssosiactionViewer1' threw the following exception: 'Object reference not set to an instance of an object'"
Is there anyone here who uses
"Microsoft SQL Server 2005 Datamining Viewer Controls" in the SQL Server 2005 Feature Pack?
http://www.microsoft.com/downloads/details.aspx?FamilyID=50b97994-8453-4998-8226-fa42ec403d17&DisplayLang=en
I am using VS2005 Version 8.0.50727.762 (SP.050727-7600)
and SQL Server 2005 SP2
Thanks from now.
Cem Üney
Dear All,
Access ADP on SQL Server 2000
After upgrading to A2003, updating data with 1 particular combobox causes the program to hang without any error message. Trying to change the combobox recordsource I get this error:
This version of Microsoft Access doesn't support design changes to the version of Microsoft SQL Server your project is connected to. See the Microsoft Office Update Web site for the latest information and downloads (on the Help menu, click Office on the Web). Your design changes will not be saved.
The solution in http://support.microsoft.com/defaul...kb;en-us;313298 talks about SP 'dt_verstamp007' but I have SP 'dt_verstamp006'.
What should I do? Is the failure of the combobox also caused by the absence of dt_verstamp007???
Filip
Hi,
I'm trying to install Microsoft Dynamics 10.0 with SQL 2008 Dev, but when launching the utilities it returns the following error message:
******************************************************************
Your current SQL Server is not a supported version.
Req: Microsoft SQL Server 8.0
Act: Microsoft SQL Server code name "Katmai" (CTP) - 10
You need to upgrade to SQL Server 8.0 before continuing.
******************************************************************
Any ideas could help, or, if anyone knows, has this been designed not to work with GP10 currently?
Assad
I have a query that executes just fine except that it won't recognize varchar(255) ( or any other value within the () ) and if I leave it off like this: varchar, then it executes but it leaves that value as 1 and that is just not very useful for my purposes. This also happens with anything else that requires () to add length such as char(), or nvarchar(), etc... Any ideas?
Hello,
"Failed to copy objects from Microsoft SQL Server to Microsoft SQL Server "
I keep getting this when trying to copy stored procs from one db to another on the same server. I am using the DTS wizard. I have been able to copy the tables but I need the sp's too, and there are too many to copy one at a time.
Help!
TIA,
Bruce
Please tell me about the exact difference between SQL Server 2005 and SQL Server 2008.
Why upgrade to SQL Server 2008?
In VS 2005, when we choose a database connection, we can choose one of the above. My question is, in what situations should we choose MS SQL Server Database File (SqlClient), and when should we choose Microsoft SQL Server?
I want to deploy a standalone desktop application with a backend database. Which backend database should I choose and which of the above connections should I choose?
Thanks very much for your information.
Hi Everybody,
On localhost this application works fine, but when I put it on a remote server I am getting the following errors. For both localhost and the server, I am using the same remote SQL 2000. I will appreciate any help.
Thanks,
Arif
Server Error in '/' Application.
--------------------------------------------------------------------------------
ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ')'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Microsoft.Data.Odbc.OdbcException: ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ')'.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[OdbcException: ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ')'.]
Microsoft.Data.Odbc.OdbcConnection.HandleError(IntPtr hHandle, SQL_HANDLE hType, RETCODE retcode) +27
Microsoft.Data.Odbc.OdbcCommand.ExecuteReaderObject(CommandBehavior behavior, String method) +838
Microsoft.Data.Odbc.OdbcCommand.ExecuteNonQuery() +80
Calgary.venues.Page_Load(Object sender, EventArgs e) in c:\inetpub\wwwroot\CalgarySite\venues\venues.aspx.vb:32
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive() +35
System.Web.UI.Page.ProcessRequestMain() +731
Hi
We are checking VB 9 (Orcas).
We connected to a database created with SQL Server 7 with this code:
Public cn As New ADODB.Connection
Public Sub OpenDB()
cn.Open("Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial catalog=Reservation;Data Source=.")
End Sub
This code worked well.
We know SQL 7 is not compatible with Vista. Please tell us how to connect it with SQL 2005. We downloaded the Orcas Express Edition beta. We created a database also. Please let us know how to connect with Microsoft SQL Server Compact 3.5 (.NET Framework Data Provider for Microsoft SQL Server Compact 3.5).
Rgds
Pramod
hello all member
I'm not asking a lot. I just want to know if I can connect from an Exchange server to a SQL server without having to use Access linked tables. Surely MS must have had a look at this but I can't find anything out there. Help appreciated.
Ginters
I installed Microsoft SQL Server 2005 Express Manager and connect to SQL 2000 normally.
Hi, I am using ASP.NET 2005 with the C# language and SQL SERVER 2005...
I am developing a web-based application and have to deploy it on a server.
I need to prevent my site from SQL injection and have to use some algorithms.
What is the best technique or method (algorithm) in .NET?
Give some measures to prevent attacks from hackers.
We are looking for a way to tightly secure the database of a product being developed in MSDE 2k & C# so that even the db design cannot be viewed or data retrieved through any migration tools.
The NetLib database security tool perfectly matches our requirement but is overpriced. Any suggestions on the next best alternative?
Hi All,
I am currently creating a SQL Server 7 server. This server will be used to host customer databases that I will restore on to the server. However, I want to prevent these customers accessing any other databases on the server, apart from their own. By removing the public database role from each customer database, and granting them very limited rights (basically exec rights on their own stored procs) on their own db, I plan to limit them to their own db. However, my problem is this:
As you cannot remove the public role from the master db, a user could easily exec the following in a stored proc to read from the master:
Select * from master..sysusers
How do I prevent the users from accessing the master in this fashion?
Will removing every permission from the public role in master be enough?
Will removing every permission from the public role in master have any other side effects?
Will removing the public role from other user dbs be enough to secure them?
Any suggestions/pointers would be appreciated.
Gary.
Morning Guys,
I'm trying to figure out a way of securing a DTS package and understanding how it works more and more.
I have system administrators that have access to SQL Server.
As DBAs here we work with DTS packages. We would like our packages secured from the system administrators that want to poke around with our work.
How would we lock our objects down without stopping them from executing?
The packages have been created under servername\Administrator.
servername\Administrator is the owner of the package.
What would be the best way to start to understand all this?
1). Using an owner password and a user password
2). Denying access to sp_add_dtspackage & sp_get_dtspackages...
3). When generating a DTS RUN util to make a job using the DTS package,
usually the password is embedded in the string in clear text even after encrypting the package....
Any suggestions to lead me in the right direction......
jonathan
If you have an owner password with no user password, you cannot execute the package without the owner password. Click OK to continue saving.
Dear All,
I have developed an application using SQL Express.
One of my clients wants to protect his database so that if somebody takes the backup he/she is not able to view data either directly or from the application I am delivering (maybe he can buy my software and use his database or simply use the demo version of my data).
Previously I used an Access database and used database password protection (which everybody knows is not good enough).
Now what should I do to protect my database (I am not worried about database structure or other objects but the client's data that he will enter into the software, like accounts data)?
I need a moderate and a hard solution so that depending upon the client's ability to afford it I can implement it at the client side. There is no need to deliver protection in the distribution of my software.
Thanks in advance
MANOJ JAIN
Can we secure an MDF file so that if it's copied from one location to another it could not be used???
I have a situation where I have an app that uses a SQL Server (MSDE) database. The app will be used in environments where no one should be able to manipulate the data except the developers (app admins) - not even site database admins. When the application and MSDE are installed, a default instance of the database gets attached to MSDE or built by script. By default, a built-in server acct and approle acct exist to secure the data accordingly with passwords concealed. What can be done to keep someone from copying the mdf and ldf files to another machine where they have admin rights and manipulating data?
Thanks.
Hi,
I want to make some steps towards securing production database.
1. Give limited rights to developers, i.e. db readonly, db writedeny
2. Make strong password for local and Domain
3. Use Windows authentication
4. Enable log for 'Failed Login' attempts.
What steps I need to take in addition to those?
Hi,
I'm trying to secure my SQL Server 2005 infrastructure, and I'm seeing that some sites are recommending that certain extended procedures be restricted to sysadmin only.
http://www.sqlsecurity.com/FAQs/SQLSecurityChecklist/tabid/57/Default.aspx
This site recommended securing the following extended procedures:
Extended Procedures: sp_sdidebug, xp_availablemedia, xp_cmdshell, xp_deletemail, xp_dirtree, xp_dropwebtask, xp_dsninfo, xp_enumdsn, xp_enumerrorlogs, xp_enumgroups, xp_enumqueuedtasks, xp_eventlog, xp_findnextmsg, xp_fixeddrives, xp_getfiledetails, xp_getnetname, xp_grantlogin, xp_logevent, xp_loginconfig, xp_logininfo, xp_makewebtask, xp_msver, xp_perfend, xp_perfmonitor, xp_perfsample, xp_perfstart, xp_readerrorlog, xp_readmail, xp_regread, xp_revokelogin, xp_runweb
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=3184075&SiteID=1
This thread recommended (implicitly) securing the following extended procedures:
Extended Procedures: sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop, sp_sdidebug, xp_availablemedia, xp_cmdshell, xp_deletemail, xp_dirtree, xp_dropwebtask, xp_dsninfo, xp_enumdsn, xp_enumerrorlogs, xp_enumgroups, xp_enumqueuedtasks, xp_eventlog, xp_findnextmsg, xp_fixeddrives, xp_getfiledetails, xp_getnetname, xp_grantlogin, xp_logevent, xp_loginconfig, xp_logininfo, xp_regread, xp_perfend, xp_perfmonitor, xp_perfsample, xp_perfstart, xp_readerrorlog, xp_readmail, xp_revokelogin, xp_runwebtask, xp_schedulersignal, xp_sendmail, xp_servicecontrol, xp_snmp_getstate, xp_snmp_raisetrap, xp_sprintf, xp_sqlinventory, xp_sqlregister, xp_sqltrace, xp_sscanf, xp_startmail, xp_stopmail, xp_subdirs, xp_unc_to_drive, xp_dirtree
Looking at these lists, I can see they might have missed other extended procedures like xp_regwrite, xp_regdeletekey, and xp_regdeletevalue.
My questions are: Is there any way I can find an exhaustive list as to what extended procedures should be restricted? Is there a website/Microsoft resource that can help me identify what to restrict?
Any other information you can point me to in order to secure our infrastructure would be appreciated.
Hey guys,
I am not the perfect database designer nor the programmer. I have designed and developed a simple database application which uses VB as the frontend and SQL as the backend. My program worked fine.. Now I have to deploy it on a client's computer where the DBA is another person, which is why I am worried about the data in the tables. As person X is the DBA there, he can easily change the data of my tables in the database.
So I want an easy way by which person X can't edit the data of the tables of my database. Only I can change the contents of my tables, but I should be able to change the data from my program only..
Please help..