Hi,
I want to make some steps towards securing production database.
1. Give limited rights to Developers, i.e. db reaonly, db writedeny
2. Make strong password for local and Domain
3. Use Windows authentication
4. Enable log for 'Failed Login' attempts.
What steps I need to take in addition to those?
Sould one has a seperated environment for production and test system? How do you do it on a same server? Install two instance? How do you seperate test DBs from the production DBs?
Please advise...Thank you
I developed an asp.net application in visual web developer 2005 express edition and SQL sever 2005 express with Advanced services. The application has been deployed and iam wondering what tools are availabel to for backing up my data. Are there any tools i can use to back-up my database. Iam not talking of third party tools but tools a vailable in sql sever 2005 express with advanced services or visual web developer express.
OR can write a vb.net Sub procedure that i run and have my database backed up. If so where can i start or what other options may i explorer.
I have this script that captures metrics and sizes using T-SQL. When running in development I have no issues. I can run under the context of any database and get results back. When deploying to production servers no results are returning. I'm trying to figure out what permissions are needed for this to return results.
No error message is being returned either. My access is limited for triage against Production? I need to be able to have Production DBA set the right permissions so this job can run correctly.
DECLARE @allocation_table table
(
dbname sysname,
reservedpages bigint,
usedpages bigint,
pages bigint
[Code] ....
Hi,
Is it possible to deploy both SQL2000 and SQL2005 on the same server in the production environment?
Is it recommended? Next year we will be deploying a SQL2005 solution and was wondering if we could get away with installing it on the same server as the SQL2000 server, or whether we should put it on another server.
We have up to a maximum of 50 concurrent users.
Thanks.
I have been looking for some documentation that would support or rejectmy opinion on Production -vs- Development naming conventions. Ibelieve that each environment should be housed on separate servers withidentical names, access, users, stored procs....... If you eitheragree or disagree with this methodology, I would appreciate your input.TIA,Bill
View 5 Replies View Relatedhi all!
This is my problem. My package executes fine when i set the connection string with the same database where i execute the query. If i execute with another database connection stirng if fails bacause while executing the pacakge it trys to access the same connection string at design mode.
when i try to execute through cmd prompt by setting conn <new database connection string> it fails.
Is package configuration is the only solution. how can i change conn string depending on different server?
Any help would be appreciated.
Thanks,
Jas
Microsoft VBScript runtime error '800a01fb'
An exception occurred: 'EOF'
Used the same connection string and DSN (i.e pointing to the same database/server) in both environments. ASP works in Test Environment. Fails in Production Environment.
Test and Production have same versions of software.
Environment Details:
OS: Windows 2003 SP2
MDAC: 2.8
Database: HP Neoview
Any help appreciated.
Thanks,
Venkata.
Our DBA is out for about 6 weeks. One of his regular jobs is to take a Database that is in our Prod environment and copy it to our Training environment.
I have backed up and restored to different servers before, however the Database name in Prod is different than in the Train environment in this case.
In other words I have a PROD database named DATABASE-XX that I want to copy to another SQL server and restore it to DATABASE-XX-TRAIN.
Is there anything special I need to do, other than backup on PROD, copy to TRAIN and restore to the corresponding DB in TRAIN?
We usually wait until a service pack has been released for a product like SQL Server before using it in production. Is this over cautious or the norm?
Thanks
Danny
How do you apply Service Pack 1 to Sql Server Express 2005?
View 1 Replies View RelatedWe will be implementing our first SQL cluster in December. Our current plan calls for a shared development/test database server with one physical server, but two SQL Server instances. Our production environment will be a SQL cluster. Is it necessary to create a clustered test environment for testing patches, hot-fixes, etc...?
Thanks, Dave
I have heard that turning off 'primary key-to-foreign key-relationships' between tables , helps to boost performance in production environments. Is this really true?
View 4 Replies View RelatedSetting up Transaction Replication in test environment. I am willing to bet that most of you take a production backup (if so, how, and using what?), restoring the database to your test environment, then running a snapshot to your subscriber and away you go.
But perhaps you take a backup of your publisher and subscriber, if so, how do you know there are no inconsistences because there were transactions sitting on the distributor?
What do you do if you have additional indexes on the subscriber for reporting, that are not on the publisher?
Here at work we are having issues with getting consistent databases set up with T Rep, missing rows, duplicate keys at subscriber etc. How to avoid these issues.
I have finished a change request from our client. I need to update clients' database with the one in developments.Here is the changes i made to database:Added/Changed some tablesAdded/Changed some stored proceduresAdded data to some dictionary tableThe data in clients' current database MUST be kept. So how can I merge the changed information to clients' database?
View 3 Replies View RelatedHi, I am using ASP.Net 2005 with C# language and SQL SERVER 2005...
I am developing an web based application and have to deploy it on server.
I need to prevent my site from the SQL Injection and have to use some algorithms.
What is the best technique or method (Algorithm) in .Net ?
Give some measures to prevent from Hackers.
We are looking for a way to tightly secure the database of a product
being developed in MSDE 2k & C# so that even the db design
cannot be viewed or data retrieved through any migration tools.
The NetLib database security tool perfectly matches our requirement but
is overpriced. Any suggestions on the next best alternative?
Hi All,
I am currently creating a SQLServer 7 server. This server will be used to host customer databases that I will restore on to the server. However, I want to prevent these customers accessing any other databases on the server, apart from their own. By removing the public database role from each customer database, and granting them very limited rights (basically exec rights on their own Stored Procs)on their own db, I plan to limit them to their own db. However, my problem is this:
As you cannot remove the public role from the master db, a user could easily exec the following in a stored proc to read from the master:
Select * from master..sysusers
How do I prevent the users from accessing the master in this fashion.
Will removing every permission from the public role in master be enough?
Will removing every permission from the public role in master have any other side effects?
Will removing the public role from other user dbs be enough to secure them?
Any suggestions/pointers would be appreciated.
Gary.
Morning Guys,
I'm trying to figure out a way of securing a DTS package and understanding how it works more and more.
I have system administrators that have accesss to sql server.
As dbas here we work with dts packages. We would like our packages secured from the system administrators that want to poke around with our work.
how would we lock our objects down without messing them up from executing.
The packages have been created under the servernameAdministrator.
servernameAdministrator is the owner of the package.
What would be the best way to start to understand all this.
1). Using an owner password a user password
2). Denying access to the sp_add_dtspackage & sp_get_dtspackages...
3). When generating a DTS RUN util to make a job using the dts package
usually the password is embedded in the string even after encrypting the pacakage in clear text....
any suggestions to lead me in the right direction......
jonathan
If you have an owner password with no user password, you cannot execute the package without the owner password. Click OK to continue saving.
Rayd Abdou writes "hi all, i have an SQL server at my home and i think i got hacked from it :( and i really want to know what to do to secure the SQL Server from, disable permissions ?
what commands ?
Thanks for helping me..
Rayd."
Dear All,
I have developed a application using SQL express.
One of my client wats to protect his database so that if some body takes the backup he/she is not able to view data either directly or from the application i am delivering (may be he can buy my software and use his database or simply use demo version of my data)
Previously I used Access database and use database password protection (which every body knows is not good enough).
Now what I should do to protect my database (I am not worried about database structure or other objects but clients data that he will enter into the software like accounts data)
I need a moderate and a hard solution so that depending upon clients ability to affort I can implement at client side. There is no need to deliver protection in distrbution of my software.
Thanks in advance
MANOJ JAIN
can we secure mdf file, if it's copied from one location to anothercould not be used ???*** Sent via Developersdex http://www.developersdex.com ***Don't just participate in USENET...get rewarded for it!
View 1 Replies View RelatedHi all,
I have been given a task of securing an SQL server 2005 that is currently open to SQL injection attacks. I have identified 3 main areas that I need to secure, these being:
1.Different SQL server logins - currently all database work from the site is performed using the sa account (don't ask me why they've left it so open to attack, I've not long started here!)
2.Custom error pages - to reduce feedback to a potential attacker on the database structure
3.Query Validation - any dynamically generated queries will be passed through a validator in order to possibly strip out any commands that we identify as those that an attacker would attempt to pass via the url.
Obviously, point number one is the big one. Based on this, my question is, what are the series of steps I would need to go through in order to;
a) setup a user login that has read access to many of the database tables (and execute access to some of them)
b) setup a user login that has read/write/update/execute access to other tables and stored procedures
I have read a lot about schema's, but I haven't had that many dealings with SQL server 2005 (yet), and haven't been able to find a step-by-step guide to setting up a schema/users and assigning permissions to them.
If someone could point me in the right direction of an "idiots guide to", that would be great, or if theres anyone that could list the steps I need to perform, that would be even better.
Also, if anyone has any other suggestions about how i could secure the server, I am all ears.
Thanks in advance,
Paul
Hi all,
What is the best way to keep the data secure in my SQL Server 2005? and what is the best way to secure the communication between the client application and SQL Server 2005?
Thanks,
Shyam
I have what some might consider a dumb question but I really don't know the answer.
Until recently all our .Net work ahs been hosted on our internal network and the Sql Server (2000) was not open to the outside. However recently our company is looking at hosting other outside SQL Server applications that require users across the country to connect directly to our SQL Server (not through an ASP.Net app).
The concerns we have is that ASP.Net runs on the NETWORK SERVICE account. If a user outside our network were to know the IP and name of onw of our databases could they connect with ASP.Net using a Trusted Connection or do trusted connections only work if the application is hosted on the same network?
One of the applications we are looking at hosting is showing a list of all databases on our server (I did find the article on modifying sp_MSdbuseraccess but that didn't seem to work) so if someone got a hold of this list would they be able to connect?
Thanks
Hi all,
Does anyone know were to find any articles/information on how to Secure Microsoft SQL 6.5 Server? . Apart from SQL online books
Panchal
I have a situation where I have an app that uses a sql server (msde)database. The app will be used in environments where no one should beable to manipulate the data except the developers (app admins) - noteven site database admins. When the application and msde is installed,a default instance of the database gets attached to msde or built byscript. by default, a built in server acct and approle acct exist tosecure the data accordingly with passwords concealed. What can be doneto keep someone from copying the mdf and ldf files to another machinewhere they have admin rights and manipulating data?Thanks.
View 1 Replies View RelatedHi,
I€™m trying to secure my SQL Server 2005 infrastructure, and I€™m seeing that some sites are recommending that certain extended procedures be restricted to sysadmin only.
http://www.sqlsecurity.com/FAQs/SQLSecurityChecklist/tabid/57/Default.aspx
This site recommended securing the following extended procedures:
Extended Procedurs:sp_sdidebug xp_availablemedia xp_cmdshell
xp_deletemail xp_dirtree xp_dropwebtask
xp_dsninfo xp_enumdsn xp_enumerrorlogs
xp_enumgroups xp_enumqueuedtasks xp_eventlog
xp_findnextmsg xp_fixeddrives xp_getfiledetails
xp_getnetname xp_grantlogin xp_logevent
xp_loginconfig xp_logininfo xp_makewebtask
xp_msver xp_perfend xp_perfmonitor
xp_perfsample xp_perfstart xp_readerrorlog
xp_readmail xp_regread xp_revokelogin
xp_runweb
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=3184075&SiteID=1
This thread recommended (implicitly) securing the following extended procedures:
Extended Procedures:sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop sp_sdidebug
xp_availablemedia xp_cmdshell xp_deletemail xp_dirtree
xp_dropwebtask xp_dsninfo xp_enumdsn xp_enumerrorlogs
xp_enumgroups xp_enumqueuedtasks xp_eventlog xp_findnextmsg
xp_fixeddrives xp_getfiledetails xp_getnetname xp_grantlogin
xp_logevent xp_loginconfig xp_logininfo xp_regread
xp_perfend xp_perfmonitor xp_perfsample xp_perfstart
xp_readerrorlog xp_readmail xp_revokelogin xp_runwebtask
xp_schedulersignal xp_sendmail xp_servicecontrol xp_snmp_getstate
xp_snmp_raisetrap xp_sprintf xp_sqlinventory xp_sqlregister
xp_sqltrace xp_sscanf xp_startmail xp_stopmail
xp_subdirs xp_unc_to_drive xp_dirtree
Looking at these lists, I can see they might have missed other extended procedures like xp_regwrite, xp_regdeletekey, and xp_regdeletevalue.
My questions are: Is there any way I can find an exhaustive list as to what extended procedures should be restricted? Is there a website/Microsoft resource that can help me identify what to restrict?
Any other information you can point me to to secure our infrastructure would be appreciated.
Hye guys,
I am not the perfect database designer nor the programmer. I have designed and developed a simple database application which uses VB as frontedt and SQL as backend. My Program worked fine.. Now I have 2 deploy it in clients computer where DBA is another person by which I am worried abt the data in the table. As X person is a DBA there he can easily change data of my tables in the database.
So I want an easy way by which the X person can't edit the data of the tables of my database only I can change the contents of my tables but i should be able 2 change the data from my program only..
Plz Help..
Hi,
I'm without a clue when it comes to SQL and how to secure it!
I've set up a SQLExpress running on a dedicated server on the web and I'm using TCP/IP remote connection to connect to the DB from a the web server running the ASP .
Would it be better using named pipes?
Also is there some way I can additionally authenticate a connection based on IP numbers?
I would really appreciate some advice thanks.
Hey all,
Trying to add some security to what I'm learning I realized my querystring was vulnerable so I started looking through the threads on how to secure it. I've seen a few things, but in general the folks working on it are too advanced for me and are doing more with their query than my simple query. I'm looking for a little help of course :-)
So, my original querystring was pretty basic of course
Dim querystring1 As String = Request.QueryString("topic_id")SqlDataSource1.SelectCommand = "select * from msg_msgs INNER JOIN users on msg_id_user = users.user_ID where msg_topic_id = " & querystring1
And my first attempt at securing it didn't wind up having the @ sign, so I don't think it secured it. It also brought back every record in the DB
Dim querystring1 As Parameter = New Parameter("mylink", TypeCode.String, Request.QueryString("topic_id"))SqlDataSource1.SelectParameters.Add(querystring1)
And finally, after reading a bit I wound up with this
Dim queryStringId As String = Request.QueryString("topic_id")Dim id As IntegerIf Int32.TryParse(queryStringId, id) = True Then Dim idParam As New SqlParameter("@id", id) Dim objCmd As New SqlCommand("SELECT * FROM msg_msgs where msg_topic_id = @id") objCmd.Parameters.Add(idParam) SqlDataSource1.SelectCommand = (objCmd.ToString)Else Response.Redirect("./threads.aspx")End If
I guess the worst part is that I know I need the @variable piece, though not why nor how to add it, and all my searches on parameterized queries are loosing me because the folks writting are so far beyond where I am at this time. I would really appreciate it if someone could not only help me get the code working, but also understand the parts of it. More often than not I find myself mimicking someone elses code and then knowing how to do it, but not why it works. Thanks
I want to know how I can protect my SQL Server database. SQL Server 2000 does not have Database Encryption feature and using only Authentication is not a fool-proof solution, as far as stand-alone desktop application is concerned.
Does password protection of SQL Server 2000 database really works when you have all types of cracking tools widely available on the net?
Hi,I am writing an application that uses MSDE to store data.Both application & MSDE run on the same computer.I want to regulate the operations done on the DB by the user. Forexample, I don't want to allow "standard" users to delete records,update certain fields, etc...I can regulate these rules within my program, but what if the user runsMSDE query for example on the DB and fetches the list of users &passwords from the DB ?In other words, I need to make sure only the application has access tothe DB. This seems like a common type of problem but I haven't beenable to find any solutions.Any suggestions would be greatly appreciated.Danny
View 1 Replies View Related