SQL Server Journey with SQL Authority » SQL Security

SQL SERVER – 2012 Auditing Enhancement – On Audit Log Failure Options – Maximum Rollover Files

pinaldave — Fri, 16 Dec 2011 01:30:44 +0000

Recently I was exploring SQL Server Audit and found something very interesting. I found two enhancements in the SQL Server 2008 Create Audit Screen.

SQL Server 2012 Create Audit Screen

SQL Server 2008 Create Audit Screen

On Audit Log Failure Options

You can see that in SQL Server 2012 they have added two more options for audit log failure. In earlier version the only option was to shut down the server when there was audit log failure. Now you can fail the operation as well continue on log failure. This new options now give finer control on the behavior of the audit failure scenario.When target is not available due to any reason and audit cannot log the event, it can be now continued, in another word the audit continues to attempt to log events and will resume if the failure condition is resolved. This is very important feature because earlier when Audio was failing the option which we had was to shutdown the server. There were the cases when shutting down the server is not the good option but continuing the business operation is the priority, this option should be exercised. Additionally, note that the new default value is now CONTINUE. User has option to select Fail Operation where the Audit will not attempt when the target is available or continuing auditing is possible.

Maximum Rollover Files

Earlier, there were two options – have infinite number of log files or roll over the files after fixed number. Now in SQL Server 2012 there is option to keep the fixed number of the files along with no roll-over. This gives additional control to user when they want to save every single data and do not want to lose any critical information due to rollover.

Reference : Pinal Dave (http://blog.sqlauthority.com)

Filed under: Pinal Dave, PostADay, SQL, SQL Authority, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology

SQL SERVER – ‘Denali’ – A Simple Example of Contained Databases

pinaldave — Thu, 31 Mar 2011 01:30:16 +0000

Recently I was asked with the question: What is new for Database Security in SQL Server “Denali”?

I think this is a very interesting question as I always wanted to talk about Contained Database, and this question gives me the chance to do so. Let us start with discussing contained database.

A Contained Database is a database which contains all the necessary settings and metadata, making database easily portable to another server. This database will contain all the necessary details and will not have to depend on any server where it is installed for anything. You can take this database and move it to another server without having any worries.

The real question is, “What about users who are connecting to this database?” Once the contained database is moved, the users are moved as well, and users who belong to the contained database will have no access outside the contained database.

In summary, “Database is now self-contained. Database which is ’contained’ will not depend on anything on the server where it is installed.”

Let us try out this feature on SQL Server Denali. We will do the following steps:

Enable Contained Database
Create Contained Database
Create User in Contained Database
Try if the user can access outside Contained Database

We can do various tests on this subject; however, in this blog post we will limit out exercise to the above four points.

Enable Contained Database

Run the following code on SQL Server Denali. This code will enable the settings for the contained database.

sp_configure 'show advanced options',1 GO RECONFIGURE WITH OVERRIDE GO sp_configure 'contained database authentication', 1 GO RECONFIGURE WITH OVERRIDE GO

Create Contained Database

CREATE DATABASE [ContainedDatabase] CONTAINMENT = PARTIAL ON PRIMARY ( NAME = N'ContainedDatabase', FILENAME = N'C:\ContainedDatabase.mdf') LOG ON ( NAME = N'ContainedDatabase_log', FILENAME = N'C:\ContainedDatabase_log.ldf') GO

Create User in Contained Database

USE [ContainedDatabase] GO CREATE USER ContainedUser WITH PASSWORD = 'pass@word'; GO

Try if this user can access out side Contained Database

To test this, we will attempt to login in the database with default settings (where login database is the master).

When we attempt this, we will be not able to login in the server simply because the user does not exist at the server level.

Now, let us try to login in the system using the username which was created in the Contained Database.

You will notice that the login would be successful in the server. When expanded it, the user will have access to the contained database only, and not to any other database.

We will tackle more about this interesting subject in the future.

Reference: Pinal Dave (http://blog.SQLAuthority.com)

Filed under: PostADay, SQL, SQL Authority, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology

SQL SERVER – Securing TRUNCATE Permissions in SQL Server

pinaldave — Mon, 20 Dec 2010 01:30:28 +0000

Download the Script of this article from here.

On December 11, 2010, Vinod Kumar, a Databases & BI technology evangelist from Microsoft Corporation, graced Ahmedabad by spending some time with the Community during the Community Tech Days (CTD) event. As he was running through a few demos, Vinod asked the audience one of the most fundamental and common interview questions – “What is the difference between a DELETE and TRUNCATE?“

Ahmedabad SQL Server User Group Expert Nakul Vachhrajani has come up with excellent solutions of the same. I must congratulate Nakul for this excellent solution and as a encouragement to User Group member, I am publishing the same article over here.

Nakul Vachhrajani is a Software Specialist and systems development professional with Patni Computer Systems Limited. He has functional experience spanning legacy code deprecation, system design, documentation, development, implementation, testing, maintenance and support of complex systems, providing business intelligence solutions, database administration, performance tuning, optimization, product management, release engineering, process definition and implementation. He has comprehensive grasp on Database Administration, Development and Implementation with MS SQL Server and C, C++, Visual C++/C#. He has about 6 years of total experience in information technology. Nakul is an member of the Ahmedabad and Gandhinagar SQL Server User Groups, and actively contributes to the community by actively participating in multiple forums and websites like SQLAuthority.com, BeyondRelational.com, SQLServerCentral.com and many others.

Please note: The opinions expressed herein are Nakul own personal opinions and do not represent his employer’s view in anyway.

All data from everywhere here on Earth go through a series of four distinct operations, identified by the words: CREATE, READ, UPDATE and DELETE, or simply, CRUD. Putting in Microsoft SQL Server terms, is the process goes like this: INSERT, SELECT, UPDATE and DELETE/TRUNCATE.

Quite a few interesting responses were received and evaluated live during the session. To summarize them, the most important similarity that came out was that both DELETE and TRUNCATE participate in transactions. The major differences (not all) that came out of the exercise were:

DELETE:

DELETE supports a WHERE clause
DELETE removes rows from a table, row-by-row
Because DELETE moves row-by-row, it acquires a row-level lock
Depending upon the recovery model of the database, DELETE is a fully-logged operation.
Because DELETE moves row-by-row, it can fire off triggers

TRUNCATE:

TRUNCATE does not support a WHERE clause
TRUNCATE works by directly removing the individual data pages of a table
TRUNCATE directly occupies a table-level lock.
(Because a lock is acquired, and because TRUNCATE can also participate in a transaction, it has to be a logged operation)
TRUNCATE is, therefore, a minimally-logged operation; again, this depends upon the recovery model of the database
Triggers are not fired when TRUNCATE is used (because individual row deletions are not logged)

Finally, Vinod popped the big homework question that must be critically analyzed:

“We know that we can restrict a DELETE operation to a particular user, but how can we restrict the TRUNCATE operation to a particular user?”

After returning home and having a nice cup of coffee, I noticed that my gray cells immediately started to work. Below was the result of my research.

As what is always said, the devil is in the details. Upon looking at the Permissions section for the TRUNCATE statement in Books On Line, the following jumps right out:

“The minimum permission required is ALTER on table_name. TRUNCATE TABLE permissions default to the table owner, members of the sysadmin fixed server role, and the db_owner and db_ddladmin fixed database roles, and are not transferable. However, you can incorporate the TRUNCATE TABLE statement within a module, such as a stored procedure, and grant appropriate permissions to the module using the EXECUTE AS clause.“

Now, what does this mean? Unlike DELETE, one cannot directly assign permissions to a user/set of users allowing or revoking TRUNCATE rights. However, there is a way to circumvent this. It is important to recall that in Microsoft SQL Server, database engine security surrounds the concept of a “securable”, which is any object like a table, stored procedure, trigger, etc. Rights are assigned to a principal on a securable. Refer to the image below (taken from the SQL Server Books On Line).

urable”, which is any object like a table, stored procedure, trigger, etc. Rights are assigned to a principal on a securable. Refer to the image below (taken from the SQL Server Books On Line).

SETTING UP THE ENVIRONMENT – (01A_Truncate Table Permissions.sql) Script Provided at the end of the article.

By the end of this demo, one will be able to do all the CRUD operations, except the TRUNCATE, and the other will only be able to execute the TRUNCATE.

All you will need for this test is any edition of SQL Server 2008. (With minor changes, these scripts can be made to work with SQL 2005.)

We begin by creating the following:

1. A test database

2. Two database roles: associated logins and users

3. Switch over to the test database and create a test table. Then, add some data into it. I am using row constructors, which is new to SQL 2008.

Creating the modules that will be used to enforce permissions

1. We have already created one of the modules that we will be assigning permissions to. That module is the table: TruncatePermissionsTest

2. We will now create two stored procedures; one is for the DELETE operation and the other for the TRUNCATE operation. Please note that for all practical purposes, the end result is the same – all data from the table TruncatePermissionsTest is removed

Assigning the permissions

Now comes the most important part of the demonstration – assigning permissions. A permissions matrix can be worked out as under:

To apply the security rights, we use the GRANT and DENY clauses, as under:

That’s it! We are now ready for our big test!

THE TEST (01B_Truncate Table Test Queries.sql) Script Provided at the end of the article.

I will now need two separate SSMS connections, one with the login AllowedTruncate and the other with the login RestrictedTruncate.

Running the test is simple; all that’s required is to run through the script – 01B_Truncate Table Test Queries.sql. What I will demonstrate here via screen-shots is the behavior of SQL Server when logged in as the AllowedTruncate user. There are a few other combinations than what are highlighted here. I will leave the reader the right to explore the behavior of the RestrictedTruncate user and these additional scenarios, as a form of self-study.

1. Testing SELECT permissions

2. Testing TRUNCATE permissions (Remember, “deny by default”?)

3. Trying to circumvent security by trying to TRUNCATE the table using the stored procedure

Hence, we have now proved that a user can indeed be assigned permissions to specifically assign TRUNCATE permissions. I also hope that the above has sparked curiosity towards putting some security around the probably “destructive” operations of DELETE and TRUNCATE.

I would like to wish each and every one of the readers a very happy and secure time with Microsoft SQL Server.

(Please find the scripts – 01A_Truncate Table Permissions.sql and 01B_Truncate Table Test Queries.sql that have been used in this demonstration. Please note that these scripts contain purely test-level code only. These scripts must not, at any cost, be used in the reader’s production environments).

01A_Truncate Table Permissions.sql

/* ***************************************************************************************************************** Developed By : Nakul Vachhrajani Functionality : This demo is focused on how to allow only TRUNCATE permissions to a particular user How to Use : 1. Run through, step-by-step through the sequence till Step 08 to create a test database 2. Switch over to the "Truncate Table Test Queries.sql" and execute it step-by-step in two different SSMS windows, one where you have logged in as 'RestrictedTruncate', and the other as 'AllowedTruncate' 3. Come back to "Truncate Table Permissions.sql" 4. Execute Step 10 to cleanup! Modifications : December 13, 2010 - NAV - Updated to add a security matrix and improve code readability when applying security December 12, 2010 - NAV - Created ***************************************************************************************************************** */ -- Step 01: Create a new test database CREATE DATABASE TruncateTestDB GO USE TruncateTestDB GO -- Step 02: Add roles and users to demonstrate the security of the Truncate operation -- 2a. Create the new roles CREATE ROLE AllowedTruncateRole; GO CREATE ROLE RestrictedTruncateRole; GO -- 2b. Create new logins CREATE LOGIN AllowedTruncate WITH PASSWORD = 'truncate@2010', CHECK_POLICY = ON GO CREATE LOGIN RestrictedTruncate WITH PASSWORD = 'truncate@2010', CHECK_POLICY = ON GO -- 2c. Create new Users using the roles and logins created aboave CREATE USER TruncateUser FOR LOGIN AllowedTruncate WITH DEFAULT_SCHEMA = dbo GO CREATE USER NoTruncateUser FOR LOGIN RestrictedTruncate WITH DEFAULT_SCHEMA = dbo GO -- 2d. Add the newly created login to the newly created role sp_addrolemember 'AllowedTruncateRole','TruncateUser' GO sp_addrolemember 'RestrictedTruncateRole','NoTruncateUser' GO -- Step 03: Change over to the test database USE TruncateTestDB GO -- Step 04: Create a test table within the test databse CREATE TABLE TruncatePermissionsTest (Id INT IDENTITY(1,1), Name NVARCHAR(50)) GO -- Step 05: Populate the required data INSERT INTO TruncatePermissionsTest VALUES (N'Delhi'), (N'Mumbai'), (N'Ahmedabad') GO -- Step 06: Encapsulate the DELETE within another module CREATE PROCEDURE proc_DeleteMyTable WITH EXECUTE AS SELF AS DELETE FROM TruncateTestDB..TruncatePermissionsTest GO -- Step 07: Encapsulate the TRUNCATE within another module CREATE PROCEDURE proc_TruncateMyTable WITH EXECUTE AS SELF AS TRUNCATE TABLE TruncateTestDB..TruncatePermissionsTest GO -- Step 08: Apply Security /* *****************************SECURITY MATRIX*************************************** =================================================================================== Object | Permissions | Login | | AllowedTruncate | RestrictedTruncate | |User:NoTruncateUser| User:TruncateUser =================================================================================== TruncatePermissionsTest | SELECT, | GRANT | (Default) | INSERT, | | | UPDATE, | | | DELETE | | -------------------------+-------------+-------------------+----------------------- TruncatePermissionsTest | ALTER | DENY | (Default) -------------------------+-------------+----*/----------------+----------------------- proc_DeleteMyTable | EXECUTE | GRANT | DENY -------------------------+-------------+-------------------+----------------------- proc_TruncateMyTable | EXECUTE | DENY | GRANT -------------------------+-------------+-------------------+----------------------- *****************************SECURITY MATRIX*************************************** */ /* Table: TruncatePermissionsTest*/ GRANT SELECT, INSERT, UPDATE, DELETE ON TruncateTestDB..TruncatePermissionsTest TO NoTruncateUser GO DENY ALTER ON TruncateTestDB..TruncatePermissionsTest TO NoTruncateUser GO /* Procedure: proc_DeleteMyTable*/ GRANT EXECUTE ON TruncateTestDB..proc_DeleteMyTable TO NoTruncateUser GO DENY EXECUTE ON TruncateTestDB..proc_DeleteMyTable TO TruncateUser GO /* Procedure: proc_TruncateMyTable*/ DENY EXECUTE ON TruncateTestDB..proc_TruncateMyTable TO NoTruncateUser GO GRANT EXECUTE ON TruncateTestDB..proc_TruncateMyTable TO TruncateUser GO -- Step 09: Test --Switch over to the "Truncate Table Test Queries.sql" and execute it step-by-step in two different SSMS windows: -- 1. one where you have logged in as 'RestrictedTruncate', and -- 2. the other as 'AllowedTruncate' -- Step 10: Cleanup sp_droprolemember 'AllowedTruncateRole','TruncateUser' GO sp_droprolemember 'RestrictedTruncateRole','NoTruncateUser' GO DROP USER TruncateUser GO DROP USER NoTruncateUser GO DROP LOGIN AllowedTruncate GO DROP LOGIN RestrictedTruncate GO DROP ROLE AllowedTruncateRole GO DROP ROLE RestrictedTruncateRole GO USE MASTER GO DROP DATABASE TruncateTestDB GO

01B_Truncate Table Test Queries.sql

Thank you Nakul to take up the challenge and prove that Ahmedabad and Gandhinagar SQL Server User Group has talent to solve difficult problems.

Reference: Pinal Dave (http://blog.SQLAuthority.com)

Filed under: Best Practices, Pinal Dave, Readers Contribution, Readers Question, SQL, SQL Authority, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology

SQL SERVER – Best Practices for DBA Before Taking Vacation

pinaldave — Tue, 10 Aug 2010 01:30:18 +0000

This blog post is written in response to T-SQL Tuesday hosted by Jason Brimhall.

Everybody wants to take a vacation. Who does not love vacation, anyway? However, it seems that it has been getting more and more difficult to take vacation recently. There are two reasons why a person is not able to enjoy his vacation. First is due to company policies (bad boss!), and second is your responsibilities. Well, I cannot guide you much about company policy issues simply because I cannot do something about it. I have a wonderful boss and I have been taking many vacations, doing a few things whenever I’m on vacations.

Do not think about your Job!

This is the most difficult task. A very usual scenario when one goes to vacation is that he continuously thinks about his job even though he is actually on vacation. Here are a few reasons regarding this dilemma:

He thinks that without him, the office would not be able to function.
He thinks that without him, someone else would do better on the job and so he would lose the title “the Superhero”.
He would miss the gossips at work.
He is too comfortable in his job, and doing anything else scares him, even taking vacation.

Relax! None of the above would happen. Organizations always function with or without you. It is not about you; in fact, it is never about you. If you take a vacation, stop thinking about work and everything else. Just think of how you would enjoy your vacation.

Handling Job responsibilities

If you are a DBA, you’ll notice that sometimes it is very difficult to go out on vacation because there are so many critical tasks you are handling and you simply cannot leave them for vacation. I have faced this situation many times. I remember that time when I was on vacation; the Jr. Guy who is supposed to take over my job responsibility ended up calling me with issues or problems. In IT, we all know that we are not always able to talk on the phone and solve the problems. In fact, I always have to see the screen when I am advising or talking technical subject.

After working for many years, I have finally figured out how to avoid this kind of situation. Here are things I like to do regarding this problem:

No Super Hero!

I never try to become the only man in the organization who knows everything because it does not work out that well. Job security is good, but overdoing things is not good as well. There are many problems that arise with a certain situation. I always teach the critical task to another person in my organization. I make sure that he knows it very well. In fact, even though I am present in the organization, I often ask him to take care of the situation for me. This way, I make sure there’s a person besides me who knows how to handle the critical task. Now, I do not worry about this at all when I am on vacation.

Automation!

Well, we are working on this actively. There are so many different tasks which can be automated, yet we have ignored all these years. Many times, the argument is very simple. For example, a machine is still a machine so we need to at least take a look before approving final changes. All of these are true but there is something more than that for sure. We do not want to go back to “start”, as described in the futuristic movies like I, Robot. However, there are a few things we can automate and leave with the machine. When I automate any task which I used to do manually, I make sure that I check the data being passed to or from me. I make sure that the data passed is proper and valid, and there are enough checkpoints in the process. Although I double-check these checkpoints, I do promote automation. We are currently looking into Powershell to automate a few tasks. I will post a detailed article about this subject when we are done with examining it.

Backup and Restore!

This task is very straightforward. Before I go on vacation, I always take one full backup of all the settings, jobs, and database. I keep them in a safe location and inform the next person in-charge the where I placed them. I was once asked to return from vacation earlier because something very bad happened and no one remembered what the original setting of the system was before it went down. This kind of the note can be useful during such cases.

Document, and Document it Again!

Well, let us assume you have explained everything to the next person in-charge and he has understood everything you wanted to explain. Then you went to vacation and something bad really happened, and he forgot what you have explained. Well this happens and, in fact, the guy who claims he has a sharp memory faces this issue the most. I keep it very standard; I always write down all the procedures and send an email to the person in-charge. There is a good probability that he will not remember your instructions, but he will surely remember when he reads your email or document.

Keep the phone on!

I think this can be an issue when one goes for vacation. I have seen many of my friends turning off their phones or pagers when they go on a vacation. Their argument is: “Well, it is vacation and this how it’s supposed to be.” However, I do the absolute opposite. I like to keep my phone on. This way, you will still know what happens when you’re not at work, plus, you would know a bit of what’s happening in your friends’ and relatives’ lives. This is the same thing for me. When I am on vacation, I like to keep things updated with what’s going on at work. I check my work email once a day and keep my phone on in case of emergency. I politely say “No” when I think I do not want to attend something and so far, I have never faced any problem with that. My co-worker and boss is very nice to me and I have never received any interruption in my vacation, unless it is so urgent that someone is dying.

There are many things to do on this subject, but these are what I usually do.

Let me know your idea about going on vacation!

Reference: Pinal Dave (http://blog.SQLAuthority.com)

Filed under: Best Practices, Pinal Dave, SQL, SQL Authority, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology

SQLAuthority News – Wireless Router Security and Attached Devices – Complex Password

pinaldave — Thu, 06 May 2010 01:30:08 +0000

In the last week, I have received calls from friends who told me that they have got strange emails from me. To my surprise, I did not send them any emails. I was not worried until my wife complained that she was not able to find one of the very important folders containing our daughter’s photo that is located in our shared drive. This was alarming in my par, so I started a search around my computer’s folders. Again, please note that I am by no means a security expert. I checked my entire computer with virus and spyware, and strangely, there I found nothing. I tried to think what can cause this happening. I suddenly realized that there was a power outage in my area for about two hours during the days I have mentioned. Back then, my wireless router needed to be reset, and so I did. I had set up my WPA-PSK [TKIP] + WPA2-PSK [AES] very well. My key was very simple ( ‘SQLAuthority1′), and I never thought of changing it. (It is now replaced with a very complex one).

While checking the Attached Devices, I found out that there was another very strange computer name and IP attached to my network. And so as soon as I found out that there is strange device attached to my computer, I shutdown my local network. Afterwards, I reconfigured my wireless router with a more complex security key. Since I created the complex password, I noticed that the user is no more connecting to my machine.

Subsequently, I figured out that I can also set up Access Control List. I added my networked computer to that list as well. When I tried to connect from an external laptop which was not in the list but with a valid security key, I was not able to access the network, neither able to connect to it. I wasn’t also able to connect using a remote desktop, so I think it was good.

If you have received any nasty emails from me (from my gmail account) during the afore-mentioned days, I want to apologize. I am already paying for my negligence of not putting a complex password; by way of losing the important photos of my daughter. I have already checked with my client, whose password I saved in SSMS, so there was no issue at all. In fact, I have decided to never leave any saved password of production server in my SSMS. Here is the tip SQL SERVER – Clear Drop Down List of Recent Connection From SQL Server Management Studio to clean them.

I think after doing all this, I am feeling safe right now. However, I believe that safety is an illusion of many times. I need your help and advice if there is anymore I can do to stop unauthorized access.

I am seeking advice and help through your comments.

Update: Edited first line to remove dates.

Reference : Pinal Dave (http://www.SQLAuthority.com)

Filed under: SQL, SQL Authority, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, SQLAuthority News, T SQL, Technology

SQL SERVER – Difference Between GRANT and WITH GRANT

pinaldave — Sat, 03 Apr 2010 01:30:28 +0000

What is the difference between GRANT and WITH GRANT when giving permissions to the user? This is a very interesting question recently asked me to during my session at TechMela Nepal.

Let us first see the syntax and analyze.

GRANT:
USE master; GRANT VIEW ANY DATABASE TO username; GO

WITH GRANT:
USE master; GRANT VIEW ANY DATABASE TO username WITH GRANT OPTION; GO

The difference between these options is very simple. In case of only GRANT, the username cannot grant the same permission to other users. On the other hand, with the option WITH GRANT, the username will be able to give the permission after receiving requests from other users.

This is a very basic definition of the subject. I would like to request my readers to come up with a working script to prove this scenario. Please submit your script to me by email (pinal ‘at’ sqlauthority.com), or in comment field.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Filed under: Pinal Dave, SQL, SQL Authority, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology Tagged: SQL Permissions

SQL SERVER – Get the List of Object Dependencies – sp_depends and information_schema.routines and sys.dm_sql_referencing_entities

pinaldave — Thu, 04 Feb 2010 01:30:43 +0000

Recently, I read a question on my friend Ritesh Shah‘s SQL site regarding the following: sp_depends does not give appropriate results whereas information_schema.routines does give proper answer.

I have quite often seen that information_schema.routines gives proper dependency relationship where assp_depends returns an incorrect answer. However, as per book online sp_depends will be deprecated, and instead, sys.dm_sql_referencing_entities and sys.dm_sql_referenced_entities are recommended.

Let us quickly see where sp_depends fail and other solutions work fine.

Let us first create two scenarios.

Scenario 1: Normal Table Creation Order, where objects are created first and then used afterwords.

USE TempDB GO CREATE TABLE dbo.TestTable ( ID INT, Name VARCHAR(100)) GO -- dbo.First is not created yet CREATE PROCEDURE dbo.Second AS EXEC dbo.First GO CREATE PROCEDURE dbo.First AS SELECT ID, Name FROM TestTable GO

Scenario 2: Objects are created afterwords and they are referenced first.

USE TempDB GO CREATE TABLE dbo.TestTable ( ID INT, Name VARCHAR(100)) GO CREATE PROCEDURE dbo.First AS SELECT ID, Name FROM TestTable GO -- dbo.First is already created CREATE PROCEDURE dbo.Second AS EXEC dbo.First GO

Now let us run following three queries on both the scenarios.

-- Method 1: Using sp_depends sp_depends 'dbo.First' GO -- Method 2: Using information_schema.routines SELECT * FROM information_schema.routines ISR WHERE CHARINDEX('dbo.First', ISR.ROUTINE_DEFINITION) > 0 GO -- Method 3: Using DMV sys.dm_sql_referencing_entities SELECT referencing_schema_name, referencing_entity_name, referencing_id, referencing_class_desc, is_caller_dependent FROM sys.dm_sql_referencing_entities ('dbo.First', 'OBJECT'); GO

Result from Scenario 1

Result from Scenario 2

It is clear that sp_depends does not give proper/correct results when the object creation order is different or following deferred name resolution.

I suggest the use of the third method, in which sys.dm_sql_referencing_entities is used.

Use the following script to get correct dependency:

SELECT referencing_schema_name, referencing_entity_name, referencing_id, referencing_class_desc, is_caller_dependent FROM sys.dm_sql_referencing_entities ('YourObject', 'OBJECT'); GO

Let me know the type of scripts you use for finding Object Dependencies. I will post your script with due credit.

Reference: Pinal Dave (http://blog.SQLAuthority.com)

Filed under: Pinal Dave, Readers Question, SQL, SQL Authority, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL System Table, SQL Tips and Tricks, SQLServer, T SQL, Technology

SQL SERVER – Fix: Error: 262 : SHOWPLAN permission denied in database

pinaldave — Tue, 05 Jan 2010 01:30:06 +0000

During one of my recent training class when I asked students to check the execution plan using (can be enabled using CTRL+M), they received error as following.

Msg 262, Level 14, State 4, Line 1
SHOWPLAN permission denied in database ‘AdventureWorks’.

This is quite common that now all the developers have admin rights. It was very easy to fix this issue.

Fix Workaround:

USE AdventureWorks GO GRANT SHOWPLAN TO UserName GO

Just run above statement in the database where user is getting error and he will be able to see the query execution plan without any issue.

Reference: Pinal Dave (http://blog.SQLAuthority.com),

Posted in Pinal Dave, SQL, SQL Authority, SQL Error Messages, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, SQLServer, T SQL, Technology

SQLAuthority News – Database Encryption in SQL Server 2008 Enterprise Edition

pinaldave — Sat, 03 Oct 2009 01:30:36 +0000

Database Encryption in SQL Server 2008 Enterprise Edition
SQL Server Technical Article
Writers: Sung Hsueh
Technical Reviewers: Raul Garcia, Sameer Tejani, Chas Jeffries, Douglas MacIver, Byron Hynes, Ruslan Ovechkin, Laurentiu Cristofor, Rick Byham, Sethu Kalavakur
Published: February 2008

TDE does not replace cell-level encryption, EFS, or BitLocker. This white paper compares TDE with these other encryption methods for application developers and database administrators. While this is not a technical, in-depth review of TDE, technical implementations are explored and a familiarity with concepts such as virtual log files and the buffer pool are assumed. The user is assumed to be familiar with cell-level encryption and cryptography in general. Implementing database encryption is covered, but not the rationale for encrypting a database.

Read Database Encryption in SQL Server 2008 Enterprise Edition

Abstract courtesy : Microsoft

Reference: Pinal Dave (http://blog.sqlauthority.com)

Posted in SQL, SQL Authority, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, SQL White Papers, SQLAuthority News, T SQL, Technology Tagged: SQL Server Encryption

SQL SERVER – Cryptography in SQL Server 2008

pinaldave — Tue, 15 Sep 2009 01:30:35 +0000

SQL Server, particularly the 2005 and 2008 versions, offers the functionality of cryptography. In the following, this functionality is briefly explained.

Introduction

Any database professional will support the encryption of data. However, the encryption of data has to be carried out at the database engine level. This is quite tricky as there the database performance can be affected by the process of decryption, data manipulation, and then re-encryption when data is being updated. SQL Server offers robust data security. Further, it is important to have strong knowledge of cryptography in SQL Server in order to avoid many problems that are encountered by DBAs while implementing cryptography.

SQL Server Authentication

When users log in to the database, there are two major steps of identifying the user: authentication and authorization (permissions).

Authentication implies the verification of user’s identity or the security principal. Encryption and signature play an important role in the authentication process.
Authorizations (also known as permissions) are the rights granted to a particular user. Permissions to a signature in SQL Server.

Protection of SQL Server Data by Encryption

At times, one can adequately protect data by controlling access to a table by using SQL Server robust permissions architecture. Therefore, what is the necessity of encrypting data on the server.

In general, if the storage medium such as SAN and backup tapes is completely secure, it is not necessary to encrypt data. If an attacker can break the permissions architecture, then he/she can possibly access the encryption keys of your database with very little effort. In such case, encryption cannot help.

However, if an attacker wants to access the file system, encryption defends the system to a greater depth.

Encryption is necessary for the data that fall in the following categories:

For vulnerable storage media, wherein there are chances of loosing the backup data from PC or tapes.
In some cases, the data has to be protected from sysadmins. In such an instance, it is advisable to use the middle tier to perform encryption and decryption, rather than SQL server internal encryption. However, if the keys are stored in the SQL Server, it is almost impossible to protect the data from a sysadmin who is determined to find the keys.
If a sets of records (rows) within the same table needs to be protected, then users with cryptographic keys can be allowed to access the specific records, but not the other records within the same table. Encryption makes this process of hiding rows easy. In the case of regulating the permissions to columns, permissions on views can be enforced.
Highly sensitive data requires encryption for storage. Such data include information on credit cards and military projects.

Third-party backup options that enable the encryption of backup files can be considered in situations wherein offsite tape storage is less secure and the disk storage access is secure.

Conclusion

The cryptographic functionality of SQL Sever has to deal with problems that were not taken into consideration during its design. Some common examples are as follows:

The use of asymmetric key pairs in cases where key communication is not a crucial issue; for example, when data is stored in the SQL Server database.
SQL Server permissions are sufficient to control access to data, except in situations where the access to the storage media is compromised. In such case, the security via encryption stands unnecessary.

Importantly, by using the cryptographic functionality of SQL Server, it is easy to create robust security. The native functionality offers access control and key storage, and the built-in encryption functionality offers robust security (including random salt and authenticator values). The ease in implementation of this functionality makes it an attractive choice for all types of users.

Reference: Pinal Dave (http://blog.sqlauthority.com), White paper by John Hicks, Microsoft Industry Solutions Group

Posted in Pinal Dave, SQL, SQL Authority, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology

SQL SERVER – FIX : ERROR : Cannot open database requested by the login. The login failed. Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’.

pinaldave — Thu, 20 Aug 2009 01:30:47 +0000

This error is quite common and I have received it few times while I was working on a recent consultation project.

Cannot open database requested by the login. The login failed.
Login failed for user ‘NT AUTHORITY\NETWORK SERVICE’.

This error occurs when you have configured your application with IIS, and IIS goes to SQL Server and tries to login with credentials that do not have proper permissions. This error can also occur when replication or mirroring is set up.

If you search online, there are many different solutions provided to solve this error, and many of these solutions work fine. However, I will be going over a solution that works always and is very simple.

Fix/Workaround/Solution:

Go to SQL Server >> Security >> Logins and right click on NT AUTHORITY\NETWORK SERVICE and select Properties

In newly opened screen of Login Properties, go to the “User Mapping” tab. Then, on the “User Mapping” tab, select the desired database – especially the database for which this error message is displayed. On the lower screen, check the role db_owner. Click OK.

In almost all such cases, this should fix your problem.

Reference : Pinal Dave (http://blog.sqlauthority.com)

Posted in Pinal Dave, SQL, SQL Authority, SQL Error Messages, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology Tagged: SQL Login

SQL SERVER – Reason for SQL Server Agent Starting Before SQL Server Engine Service

pinaldave — Thu, 13 Aug 2009 01:30:57 +0000

Nakul, a dedicated member of the Gandhinagar SQL Server User Group, recently emailed me with a very interesting, but quick question. He asked me why the SQL Server Agent starts before SQL Server Engine does? He made the very valid point that as the SQL Server Engine is the core service, it should start first, and there is little point to running the SQL Server Agent without it.

Off the top of my head, I can offer the following quick reasons for this sequence:

The SQL Server Engine does not only run jobs for SQL Server Engine itself. It also runs jobs for other core services like the SQL Server Analysis Service, Integration Service, Reporting Service etc.;
The SQL Server Agent can run almost any kind of task that an Operating system can run. For example invoking any program or running shell scripts;

The SQL Server Agent also starts jobs which are scheduled to run the second the SQL Server Engine starts, and for this reason it is needed; and
Replication, mirroring and a few other tasks also depend on Agent Jobs.

These are the reasons that I have come up with so far. Can you think of any more? Let us have your views.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Posted in Database, Pinal Dave, Readers Question, SQL, SQL Authority, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology Tagged: SQL Server Agent

SQL SERVER – Forgot the Password of Username SA

pinaldave — Tue, 04 Aug 2009 01:30:24 +0000

I just received a call from an old friend with whom I used to work in Las Vegas. He told me about a password-related issue he faced in his organization. They had changed the password of username SA and now they are not able to recall the new password. I am sure that he is not the first person who has faced this issue. There may be many more similar situations where employees who have sysamin password leaves the job or a hacker disables the SA account.

Resetting the password of SA is a breeze!

Option 1 :

If there is any other SQL Server Login that is a member of sysadmin role, you can log in using that account and reset the password of SQL Server. Change the password of SA account as described here : SQL SERVER – Change Password of SA Login Using Management Studio.

Option 2 :

If there is any other Windows Login that is a member of Windows Admin Group, log in using that account. Start SQL Server in Single User Mode as described here : SQL SERVER – Start SQL Server Instance in Single User Mode.
Create a new login and give it sysadmin permission.

Note : If you have SQL Server Agent enabled, it starts before SQL Server service. If you have enabled SQL Server in a single user mode, it will connect it first, so it is recommended to turn that off before attempting any of the above options.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Posted in Pinal Dave, SQL, SQL Authority, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Server Management Studio, SQL Tips and Tricks, T SQL, Technology Tagged: Password, Username

SQL SERVER – 2008 – Policy-Based Management – Create, Evaluate and Fix Policies

pinaldave — Tue, 30 Jun 2009 01:30:44 +0000

This article will cover the most spectacular feature of SQL 2008 – Policy-based management and how the configuration of SQL Server with policy-based management architecture can make a powerful difference. Policy based management is loaded with several advantages. It can help you implement various policies for reliable configuration of the system. It also provides additional administration assistance to DBAs and helps them effortlessly manage various tasks of SQL Server across the enterprise.

1 Introduction
2 Basics of Policy Management
3 Policy Management Terms
4 Practical Example of Policy Management
4.1 Exploring of Facets
4.2 Create a Condition
4.3 Create a Policy
4.4 Evaluate a Policy
4.5 Fix Non-complying Policy
5 Summary

Read complete article here.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Posted in Pinal Dave, SQL, SQL Authority, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology Tagged: Policy Management

SQLAuthority News – Using SQL Server 2008 Extended Events – White paper By Jonathan Kehayias

pinaldave — Sun, 07 Jun 2009 01:30:23 +0000

Strange it may sound but being a SQL Server pro has its downside too. Common information on SQL does not interest me, while a good document is hard to find. So the reader in me is mostly discontented and constantly keeps looking for interesting documents. Recently, I chanced upon a really good white paper by Jonathan Keyhayias on SQL Serve r2008 extended events. I have known Jonathan through forums but have not met him in person yet. But I hope to meet him soon.

The white paper starts with introduction to the extended event and then elaborates on its architecture, system objects, confusing target data and other important aspects of the extended events. This white paper ends with life of an event, and I would recommend that you read this portion at least if you do not have sufficient time to read the whole white paper.

Let us go through the first paragraph taken from the white paper which lucidly defines extended events.

What is extended events?
As SQL Server matures with time, the diagnostics tools available to administrators to troubleshoot problems when they arise have also matured. SQL Server 2000 had very limited diagnostic tools when compared with SQL Server 2005. SQL Trace and SQL Server Profiler were often the tools of choice for administrators to identify problems with performance, along with DBCC and individual trace flags like 1205 for deadlocks, and 3605 to log results to the SQL Server error log. With SQL Server 2005, the diagnostic tools expanded to include the dynamic management views, which provide a deep view into the internal workings of SQL Server, additional trace events for SQL Trace and SQL Server Profiler including the deadlock graph and Showplan XML events, the ability to import performance counter logs in SQL Server Profiler to view trace events along with their impact on the system, and WMI events which use Service Broker endpoints for event notifications. SQL Server 2008 continues to build upon the diagnostic tools with a new feature called Extended Events.

You can continue reading the white paper Using SQL Server 2008 Extended Events here.

Let me have your views about this white paper.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Posted in SQL, SQL Authority, SQL Documentation, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, SQL White Papers, T SQL, Technology

SQL SERVER – Find Hostname and Current Logged In User Name

pinaldave — Tue, 26 May 2009 01:30:12 +0000

I work in an environment wherein I connect to multiple servers across the world. Time and again, my SSMS is connected to a myriad of servers that kindles a lot of confusion. I frequently use the following trick to separate different connections, which I mentioned in my blog sometime back SQL SERVER – 2008 – Change Color of Status Bar of SSMS Query Editor. However, this trick does not help when a huge number of different connections are open. In such a case, I use the following handy script. Do not go by the length of the script; it might be very short but always works great!

Now, let’s take a look at the execution of this script in two different scenarios.

1) Logged in using SQL Authentication

SELECT HOST_NAME() AS HostName, SUSER_NAME() LoggedInUser

2) Logged in using Windows Authentication

SELECT HOST_NAME() AS HostName, SUSER_NAME() LoggedInUser

It is quite evident from both the above cases that we get correct logged-in username and hostname. Let me know if this script is helpful to you when you face a similar situation.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Posted in Pinal Dave, SQL, SQL Authority, SQL Function, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology Tagged: Username

SQL SERVER – FIX : ERROR : is not a valid Win32 application. (Exception from HRESULT: 0x800700C1)

pinaldave — Thu, 30 Apr 2009 01:30:51 +0000

Just a day ago, one of my friend sent me email requesting help with following error:

is not a valid Win32 application. (Exception from HRESULT: 0x800700C1)

In fact this is not SQL Server error but it is of .NET application. The solution of this error is just changing configuration of IIS7.

Fix/Solution/Workaround:

Go to IIS.
Click on Application Pool.
Look for your web application in application pool.
Go to Advanced Settings by right clicking on previously selected application pool.
Enable 32-Bit Applications by checking it.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Posted in Pinal Dave, Readers Question, SQL, SQL Authority, SQL Error Messages, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology

SQL SERVER – Introduction to SQL Server Encryption and Symmetric Key Encryption Tutorial with Script

pinaldave — Tue, 28 Apr 2009 01:30:57 +0000

SQL Server 2005 and SQL Server 2008 provide encryption as a new feature to protect data against hackers’ attacks. Hackers might be able to penetrate the database or tables, but owing to encryption they would not be able to understand the data or make use of it. Nowadays, it has become imperative to encrypt crucial security-related data while storing in the database as well as during transmission across a network between the client and the server.

Encryption hierarchy is marked by three-level security. These three levels provide different mechanisms for securing data across networks and local servers. Different levels of hierarchies allow multiple instances of services (e.g., SQL Server Services) to run on one physical server.

Windows Level – Highest Level – Uses Windows DP API for encryption
SQL Server Level - Moderate Level – Uses Services Master Key for encryption
Database Level – Lower Level – Uses Database Master Key for encryption

There are two kinds of keys used in encryption:

Symmetric Key – In Symmetric cryptography system, the sender and the receiver of a message share a single, common key that is used to encrypt and decrypt the message. This is relatively easy to implement, and both the sender and the receiver can encrypt or decrypt the messages.
Asymmetric Key – Asymmetric cryptography, also known as Public-key cryptography, is a system in which the sender and the receiver of a message have a pair of cryptographic keys – a public key and a private key – to encrypt and decrypt the message. This is a relatively complex system where the sender can use his key to encrypt the message but he cannot decrypt it. The receiver, on the other hand, can use his key to decrypt the message but he cannot encrypt it. This intricacy has turned it into a resource-intensive process.

Yet another way to encrypt data is through certificates. A public key certificate is a digitally signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. A Certification Authority (CA) issues and signs certifications. Download complete script here.

Please create a sample database that we will be use for testing Encryption. There are two different kinds of encryptions available in SQL Server:

Database Level – This level secures all the data in a database. However, every time data is written or read from database, the whole database needs to be decrypted. This is a very resource-intensive process and not a practical solution.
Column (or Row) Level – This level of encryption is the most preferred method. Here, only columns containing important data should be encrypted; this will result in lower CPU load compared with the whole database level encryption. If a column is used as a primary key or used in comparison clauses (WHERE clauses, JOIN conditions) the database will have to decrypt the whole column to perform operations involving those columns.

Let’s go over a simple instance that demonstrates the encryption and the decryption process executed with Symmetric Key and Triple DES encryption algorithm.
/* Create Database */ USE master GO CREATE DATABASE EncryptTest ON PRIMARY ( NAME = N'EncryptTest', FILENAME = N'C:\EncryptTest.mdf') LOG ON ( NAME = N'EncryptTest_log', FILENAME = N'C:\EncryptTest_log.ldf') GO

First, let’s create a sample table and then populate it with sample data. We will now encrypt one of the two columns of the table.
/* Create table and insert data in the table */ USE EncryptTest GO CREATE TABLE TestTable (FirstCol INT, SecondCol VARCHAR(50)) GO INSERT INTO TestTable (FirstCol, SecondCol) SELECT 1,'First' UNION ALL SELECT 2,'Second' UNION ALL SELECT 3,'Third' UNION ALL SELECT 4,'Fourth' UNION ALL SELECT 5,'Fifth' GO /* Check the content of the TestTable */ USE EncryptTest GO SELECT * FROM TestTable GO

The preceding code will return the result depicted in the subsequent figure.

: Result of the SQL query

Every database can have one master key. Database master key is a symmetric key used to protect the private keys of certificates and asymmetric keys present in the database. It uses Triple DES algorithm together with user-provided password to encrypt the keys.
/* Create Database Master Key */ USE EncryptTest GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'SQLAuthority' GO

Certificates are used to safeguard encryption keys, which are used to encrypt data in the database. SQL Server 2005 has the capability to generate self-signed X.509 certificates.
/* Create Encryption Certificate */ USE EncryptTest GO CREATE CERTIFICATE EncryptTestCert WITH SUBJECT = 'SQLAuthority' GO

The symmetric key can be encrypted by using various options such as certificate, password, symmetric key, and asymmetric key. A number of different algorithms can be employed for encrypting key. The supported algorithms are DES, TRIPLE_DES, RC2, RC4, RC4_128, DESX, AES_128, AES_192, and AES_256.
/* Create Symmetric Key */ USE EncryptTest GO CREATE SYMMETRIC KEY TestTableKey WITH ALGORITHM = TRIPLE_DES ENCRYPTION BY CERTIFICATE EncryptTestCert GO

Now add a column of type varbinary to the original table, which will store the encrypted value for the SecondCol.
/* Encrypt Data using Key and Certificate Add Columns which will hold the encrypted data in binary */ USE EncryptTest GO ALTER TABLE TestTable ADD EncryptSecondCol VARBINARY(256) GO

Before the key is used, it needs to be decrypted using the same method that was used for encrypting it. In our example, we have used a certificate for encrypting the key. Because of the same reason, we are using the same certificate for opening the key and making it available for use. Subsequent to opening it and making it available for use, we can use the encryptkey function and store the encrypted values in the database, in the EncryptSecondCol column.
/* Update binary column with encrypted data created by certificate and key */ USE EncryptTest GO OPEN SYMMETRIC KEY TestTableKey DECRYPTION BY CERTIFICATE EncryptTestCert UPDATE TestTable SET EncryptSecondCol = ENCRYPTBYKEY(KEY_GUID('TestTableKey'),SecondCol) GO

We can drop the original SecondCol column, which we have now encrypted in the EncryptSecondCol column. If you do not want to drop the column, you can keep it for future comparison of the data when we decrypt the column.
/* DROP original column which was encrypted for protect the data */ USE EncryptTest GO ALTER TABLE TestTable DROP COLUMN SecondCol GO

We can run a SELECT query on our database and verify if our data in the table is well protected and hackers will not be able to make use of it even if they somehow manage to reach the data.

/* Check the content of the TestTable */ USE EncryptTest GO SELECT * FROM TestTable GO

: Result of the previous SQL query

Authorized user can use the decryptbykey function to retrieve the original data from the encrypted column. If Symmetric key is not open for decryption, it has to be decrypted using the same certificate that was used to encrypt it. An important point to bear in mind here is that the original column and the decrypted column should have the same data types. If their data types differ, incorrect values could be reproduced. In our case, we have used a VARCHAR data type for SecondCol and EncryptSecondCol.

/* Decrypt the data of the SecondCol */ USE EncryptTest GO OPEN SYMMETRIC KEY TestTableKey DECRYPTION BY CERTIFICATE EncryptTestCert SELECT CONVERT(VARCHAR(50),DECRYPTBYKEY(EncryptSecondCol)) AS DecryptSecondCol FROM TestTable GO

: Result of the previous SQL query

If you drop the database after the entire processing is complete, you do not have to worry about cleaning up the database. However, in real world on production servers, the database is not dropped. It is a good practice for developers to close the key after using it. If keys and certificates are used only once or their use is over, they can be dropped as well. Dropping a database will drop everything it contains – table, keys, certificates, all the data, to name a few.

/* Clean up database */ USE EncryptTest GO CLOSE SYMMETRIC KEY TestTableKey GO DROP SYMMETRIC KEY TestTableKey GO DROP CERTIFICATE EncryptTestCert GO DROP MASTER KEY GO USE [master] GO DROP DATABASE [EncryptTest] GO

Summary

Encryption is a very important security feature of SQL Server 2005. Long keys and asymmetric keys create unassailable, stronger encryption and stronger encryption uses lots of CPU to encrypt data. Stronger encryption is slower to process. When there is a huge amount of data to encrypt, it is suggested to encrypt it using a symmetric key. The same symmetric key can be encrypted further with an asymmetric key for additional protection, thereby adding the advantage of a stronger encryption. It is also recommended to compress data before encryption, as encrypted data cannot be compressed.

Reference : Pinal Dave (http://blog.SQLAuthority.com), DotNetSlackers,Download complete script here

Posted in Pinal Dave, SQL, SQL Authority, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology Tagged: SQL Server Encryption

SQL SERVER – FIX : Error: 18486 Login failed for user ‘sa’ because the account is currently locked out. The system administrator can unlock it. – Unlock SA Login

pinaldave — Thu, 23 Apr 2009 01:30:22 +0000

Today, we will riffle through a very simple, yet common issue – How to unlock a locked “sa” login?

It is quite a common practice that SQL Server is hosted on a separate server than application server. In most cases, SQL Server ports or IP are exposed to the web, which makes them risk prone. For hackers, System Admin login “sa” is the preferred account which they use for hacking. In fact, a majority of hackers try to hack into SQL Server by attempting to login using “sa” account. Once hackers gain access to server using “sa” login, they get a complete control over the SQL Server.

Hackers apply Brute Force method to hack “sa” login. Brute Force method is an attempt to guess a password using every possible combination. Be it in your machine where SQL Server is hosted or in your domain, if you have a policy setting that disables any account after a certain number of unsuccessful attempts, it will also disable all your SQL Server logins including “sa” login. In this scenario, SQL Server will display the following error:

msg: 18486
Login failed for user ‘sa’ because the account is currently locked out. The system administrator can unlock it.

Fix/Solution/Workaround:

1) Disable the policy on your system or on your domain level. However, this may not be the most appropriate option as it will adversely affect your security protection level.

2) If this is a one-time issue, enable “sa” login WITH changing password of “sa” login.

ALTER LOGIN sa WITH PASSWORD = 'yourpass' UNLOCK ; GO

3) If this is a one-time issue, enable “sa” login WITHOUT changing password of “sa” login.

ALTER LOGIN sa WITH CHECK_POLICY = OFF; ALTER LOGIN sa WITH CHECK_POLICY = ON; GO

4) If you are not using “sa” login, switch your authentication from mixed mode authentication to windows authentication to remove your “sa” login account.

5) BEST Practice: Create another user with systemadmin role having the same rights as “sa” login and let “sa” login get disabled. Use the newly created account as this will not be exposed on the Internet and for hackers it will be a tough nut to crack! They will find it difficult to guess the right password and moreover, they will not be able to do Brute Force attack over it.

I am eager to know if there are other options to solve this problem.

If you simply want to change the “sa” password, you can follow my previous article SQL SERVER – Change Password of SA Login Using Management Studio.

Please note that it is not mandatory to reboot SQL Server or restart SQL Server services after changing the password for “sa” login. If you are interested, go through all the comments and bring forth your opinion about this discussion.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Posted in Pinal Dave, SQL, SQL Authority, SQL Error Messages, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, SQLServer, T SQL, Technology Tagged: hacking

SQL SERVER – Check if Current Login is Part of Server Role Member

pinaldave — Tue, 14 Apr 2009 01:30:23 +0000

I often work on consulting projects with umpteen clients from across the globe. The nature of the works I usually receive necessitates me to take on the role of a system admin. Now, this role is trailed by come common issues. This article revolves around one such concern.

Most of the time, I get login and DBA from my clients. However, sometimes I face login-related problems, primarily because my clients forget to confer admin rights on me. Anticipating this situation I perform a simple task, which saves my time and saves me from exasperation. Whenever I receive a server login I run the following query to verify if the client has assigned me the role of system admin or not.

SELECT IS_SRVROLEMEMBER('sysadmin');

If I have been assigned system admin role then the result will be 1 else it will be 0.

I have listed below valid roles that can be verified using the above function.

sysadmin
dbcreator
diskadmin
processadmin
serveradmin
setupadmin
securityadmin

If you pass an invalid role to the above function, it will return value NULL.

I hope my article is clear to all my readers. Please send me your feedback. I want my readers to come up with more issues that need to be tackled.

Reference : Pinal Dave (http://blog.sqlauthority.com)

Posted in Pinal Dave, SQL, SQL Add-On, SQL Authority, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, SQLServer, T SQL, Technology

SQL SERVER – Fix : Error : Msg 9803, Level 16. Invalid data for type “numeric” – Data Type Mapping for Oracle Publishers

pinaldave — Thu, 09 Apr 2009 01:30:39 +0000

My present article talks about an error that you will encounter when connecting to Oracle database using OPENQUERY.

The error that eventuates is as follows:

Msg 9803, Level 16, State 1, Line 1
Invalid data for type “numeric”.

Fix/Solution/Workaround:

As far as I can discern, the above error occurs due to numeric precision or numeric definition mismatch. The number field of SQL Server does not appropriately match with the number field of Oracle. In fact, apart from number field there are several other data types that do not match.

I am including the following sample query having NumberCol that is Integer field of SQL Server and it needs to be converted To_Char to match up. NumberCol can be matched to Numeric in Oracle as well.

SELECT CONVERT(INT, NumberCol) AS NumberCol FROM OPENQUERY (YourConnectionMethod, 'SELECT TO_CHAR(NumberCol) AS NumberCol FROM RemoteTbl');

Do read the article of MSDN to have a sound knowledge about Data Type Mapping for Oracle Publishers.

Please drop a line to me and let me have your doubts and questions. Your suggestions are always welcome!

Reference : Pinal Dave (http://blog.sqlauthority.com)

Posted in Pinal Dave, SQL, SQL Authority, SQL Error Messages, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology Tagged: Oracle

SQL SERVER – 2008 – Activity Monitor is Empty – Fix Activity Monitor for All Users

pinaldave — Sun, 22 Mar 2009 01:30:17 +0000

This article is outcome of the technical discussion of activity monitor and its behavior with my friend and SQL Expert Tejas Shah. Tejas told me that he does not like to re-write content from MSDN but rather prefer to write real life scenarios, as that prepares him to become better SQL Expert. While discussing about Activity Monitor he informed that activity monitor throws an error when there is permissions issue. He has even blogged about how to give permissions to user to launch activity monitor on his blog . Tejas asked me to write on the same subject for SQL Server 2008. Here is the article covering the discussion I had with Tejas.

I have user called ‘ActivityUser’ when turned on Activity Monitor (while logging in with user ActivityUser’) it does not have show anything in Activity Monitor.

The issue here is permissions issue. If user ActivityUser is given all the necessary permission it will start showing up data in Activity Monitor. Activity Monitor is new tool in SQL Server which displays activity in five sections. 1) Overview, 2) Processes, 3) Resources Waits, 4) Data File I/O, 5) Recent Expensive Queries. It is one of the new and very useful tool introduced by SQL Server.

Activity Monitor captures all the information at server level. For the same reason we need to give “View Server State” permission to user name to view data of Activity Monitor.We can give permission either using T-SQL or using SSMS.

T-SQL to give permission to user to view Activity Monitor:

SSMS to give permission to user to view Activity Monitor:

Once permissions is given to user, it displays the data in Activity Monitor. Click on images to enlarge the images.

Additionally, note that if you are user belonging to sysadmin role, you can always see all the data in Activity Monitor without additional permissions.

Reference : Pinal Dave (http://blog.sqlauthority.com)

Posted in Pinal Dave, Readers Contribution, SQL, SQL Authority, SQL Error Messages, SQL Performance, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology Tagged: SQL Activity Monitor

SQL SERVER – Disable Windows Authentication – Remove Windows Authentication Login Account

pinaldave — Tue, 24 Feb 2009 01:30:18 +0000

I just received following email from one of the blog reader.

Question : “How to disable Windows Authentication?”

Answer : It can not be disabled. Windows Authentication is the most secure way to login in system.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Posted in Pinal Dave, SQL, SQL Authority, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology Tagged: SQL Login

SQL SERVER – Find Current Location of Data and Log File of All the Database

pinaldave — Tue, 17 Feb 2009 01:30:45 +0000

As I am doing lots of experiments on my SQL Server test box, I sometime gets too many files in SQL Server data installation folder – the place where I have all the .mdf and .ldf files are stored. I often go to that folder and clean up all unnecessary files I have left there taking up my hard drive space. I run following query to find out which .mdf and .ldf files are used and delete all other files. If your SQL Server is up and running OS will not let you delete .mdf and .ldf files any way giving you error that file already in use. This list also helps sometime to do documentation of which files are in being used by which database.

SELECT name, physical_name AS current_file_location FROM sys.master_files

Following is the output of files used by my SQL Server instance.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Posted in Pinal Dave, SQL, SQL Authority, SQL Backup and Restore, SQL Documentation, SQL Query, SQL Scripts, SQL Security, SQL Server, SQL System Table, SQL Tips and Tricks, T SQL, Technology

SQL SERVER – Reasons to Backup Master Database – Why Should Master Database Backedup

pinaldave — Sun, 15 Feb 2009 01:30:06 +0000

The most interesting thing about writing blog at SQLAuthority.com is follow up question. Just a day before I wrote article about SQL SERVER – Restore Master Database – An Easy Solution, right following it, I received email from user requesting reason for importance of backing up master database.

Master database contains all the system level information of server. Information about all the login account, system configurations and information required to access all the other database are stored in master database. If master database is damaged, it will be difficult to use any other database in SQL Server and that makes it most important database of the SQL Server.

Let us understand the important of the master database using an example. We will take example of SQL Server DBA and follow his timeline. Make sure to understand it correctly, as I have small question at the end of the timeline.

9:00 AM – DBA takes backup of the master database.
10:00 AM – DBA creates new Database named AfterMaster.
11:00 AM – DBA restores the master database backup taken at 9:00 AM.
12:00 PM – I have following two questions for the DBA :

Question 1) What will be the state of the database AfterMaster? If AfterMaster database will be in active state after restoring master database?
Question 2) What should be the next step after restoring master database?

Let us understand the answer of question.

Answer 1) Once master database is restored it will have no record of AfterMaster database in its system database and it will not recognize it.
Answer 2) If master database is restored from backup all the operation which are done after last master database backup should be repeated in order to bring SQL Server in the current operational state. In our case, the database files (ldf and mdf) of AfterMaster database will still exists on server. They should be reattached to the server. You can search about how to attach mdf and ldf file at Search@SQLAuthority.com.

It is clear from our example that master database contains user login, files, filegroups and server wide settings.

In summary, it is extremely important to take backup of the master database.

Reference : Pinal Dave (http://blog.SQLAuthority.com)

Posted in Best Practices, Pinal Dave, SQL, SQL Authority, SQL Backup and Restore, SQL Data Storage, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, SQL Utility, T SQL, Technology