Thursday, March 22, 2012

April Security Patches and SQL Server

We are running SQL Server 2000/sp3a on a relatively new server sized to meet
our needs for the foreseeable future. The OS is Win2k/sp4. It has been
running very well since installed; the last reboot was over a month ago and
that was scheduled for security updates.
On Monday evening, we installed the April security patches:
Microsoft KB837001 MS04-014: Vulnerability in Microsoft Jet Database Engine
could permit code execution
Microsoft KB828741 MS04-012: Cumulative Update for Microsoft RPC/DCOM
Microsoft KB835732 MS04-011: Security Update for Microsoft Windows
Microsoft KB837009 MS04-013: Cumulative Security Update for Outlook Express
Microsoft KB831167: Wininet retries POST requests with a blank header.
...via SUS. The server has been averaging three unscheduled reboots per day
since. If anyone has any ideas, I would be most grateful. We have had little
luck analyzing the dump file. My guess is that it has something to do with
the RPC/DCOM patch, since it is serving data for several third party web and
windows client applications.
Thanks,
John
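As an added example (not code from the thread), the check a practitioner would run before blaming a patch push: correlate Event ID 6008 unexpected-shutdown records with hotfix install times, compare the crash rate before and after the push, and list the KBs that were installed before the first crash. The log lines are constructed to mirror the report above; the export format, the "HotfixInstall" source and the "Hotfix KB..." message text are assumptions, not Windows' own formats.

```python
"""Correlate unexpected-shutdown events with hotfix install times.

Added example, not code from the newsgroup thread. The thread reports about
three unscheduled reboots per day starting right after an SUS push of the
April 2004 patches; this script checks such a claim against a System-log
style export. Every log line below is constructed, and the '|' export
format, the 'HotfixInstall' source and the 'Hotfix KB...' message text are
assumptions rather than Windows' own formats.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Real System-log event IDs: EventLog logs 6008 when the previous shutdown
# was unexpected; USER32 logs 1074 for a planned shutdown or restart.
UNEXPECTED_SHUTDOWN = 6008
KB_RE = re.compile(r"\bKB(\d{6})\b")

# Constructed export, one event per line: "timestamp|source|event_id|message".
SAMPLE_LOG = """\
2004-03-12 02:10:00|USER32|1074|Shutdown initiated for scheduled security updates
2004-04-19 21:05:00|HotfixInstall|0|Hotfix KB837001 (MS04-014) installed via SUS
2004-04-19 21:07:00|HotfixInstall|0|Hotfix KB828741 (MS04-012) installed via SUS
2004-04-19 21:09:00|HotfixInstall|0|Hotfix KB835732 (MS04-011) installed via SUS
2004-04-19 21:11:00|HotfixInstall|0|Hotfix KB837009 (MS04-013) installed via SUS
2004-04-19 21:12:00|HotfixInstall|0|Hotfix KB831167 installed via SUS
2004-04-19 21:15:00|USER32|1074|Shutdown initiated for post-patch restart
2004-04-20 03:40:00|EventLog|6008|The previous system shutdown at 3:38 AM was unexpected.
2004-04-20 11:02:00|EventLog|6008|The previous system shutdown at 11:00 AM was unexpected.
2004-04-20 19:30:00|EventLog|6008|The previous system shutdown at 7:28 PM was unexpected.
2004-04-21 06:12:00|EventLog|6008|The previous system shutdown at 6:10 AM was unexpected.
2004-04-21 14:45:00|EventLog|6008|The previous system shutdown at 2:43 PM was unexpected.
2004-04-21 23:01:00|EventLog|6008|The previous system shutdown at 10:59 PM was unexpected.
"""


def parse_log(text):
    """Parse the export into dicts sorted by time; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event_id, message = line.split("|", 3)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "source": source, "event_id": int(event_id),
                       "message": message})
    return sorted(events, key=lambda e: e["time"])


def hotfix_installs(events):
    """[(install_time, 'KB######'), ...] for every record naming a KB."""
    out = []
    for e in events:
        m = KB_RE.search(e["message"])
        if m:
            out.append((e["time"], "KB" + m.group(1)))
    return out


def unexpected_shutdowns(events, start=None, end=None):
    """6008 events with start <= time < end; None means unbounded."""
    return [e for e in events
            if e["event_id"] == UNEXPECTED_SHUTDOWN
            and (start is None or e["time"] >= start)
            and (end is None or e["time"] < end)]


def daily_unexpected_counts(events):
    """{'YYYY-MM-DD': count} of unexpected shutdowns per calendar day."""
    return Counter(e["time"].strftime("%Y-%m-%d")
                   for e in unexpected_shutdowns(events))


def correlate(events, lookback_days=30):
    """Compare the crash rate before and after the first hotfix install.

    Returns None when the log holds no install records. 'suspect_kbs' lists
    the hotfixes installed before the first post-push crash: candidates for
    one-at-a-time rollback, not proof that any one of them is the cause.
    """
    installs = hotfix_installs(events)
    if not installs:
        return None
    push_time = installs[0][0]
    log_end = max(e["time"] for e in events) + timedelta(seconds=1)
    before = unexpected_shutdowns(events, push_time - timedelta(days=lookback_days), push_time)
    after = unexpected_shutdowns(events, push_time, log_end)
    after_days = (log_end - push_time).total_seconds() / 86400
    first_crash = after[0]["time"] if after else None
    return {"push_time": push_time,
            "rate_before_per_day": len(before) / lookback_days,
            "rate_after_per_day": len(after) / after_days,
            "first_crash": first_crash,
            "suspect_kbs": [kb for t, kb in installs if first_crash and t < first_crash]}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(correlate(events))
    print(dict(daily_unexpected_counts(events)))
```

On the constructed sample the pre-push rate is zero and the post-push rate is just under three per day, with all five KBs installed before the first crash; with real data, a rollback of one KB at a time is what turns the suspect list into a cause.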
I don't know how to solve your issue, but I would recommend you call
Microsoft Product Support Services (MS PSS).
Mark Allison, SQL Server MVP
http://www.markallison.co.uk
"John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
news:esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl...
> We are running SQL Server 2000/sp3a on a relatively new server sized to
meet
> our needs for the foreseeable future. The OS is Win2k/sp4. It has been
> running very well since installed; the last reboot was over a month ago
and
> that was scheduled for security updates.
> On Monday evening, we installed the April security patches:
> Microsoft KB837001 MS04-014:Vulnerability in Microsoft Jet Database Engine
> could permit code execution
> Microsoft KB828741 MS04-012: Cumulative Update for Microsoft RPC/DCOM
> Microsoft KB835732 MS04-011: Security Update for Microsoft Windows
> Microsoft KB837009 MS04-013: Cumulative Security Update for Outlook
Express
> Microsoft KB831167: Wininet retries POST requests with a blank header.
> ...via SUS. The server has been averaging three unscheduled reboots per
day
> since. If anyone has any ideas, I would be most grateful. We have had
little
> luck analyzing the dump file. My guess is that it has something to do with
> the RPC/DCOM patch, since it is serving data for several third party web
and
> windows client applications.
> Thanks,
> John
>
|||Mark,
Thanks for the response. I guess it is time to use up one of our MSDN
support calls. This set of patches has significantly reduced the
availability of two servers that had been running with no problems for
months, and of course, since it includes the RPC/DCOM patch, we cannot
remove the patch since this is an exploit that requires no I/O (inadequate
operator) action.
Curious though that neither my original post nor your response displayed in
the newsgroup. I only found your response by searching the forum for the
subject line of my post. Is Microsoft taking editorial license?
Cheers,
John
"Mark Allison" <marka@.no.tinned.meat.mvps.org> wrote in message
news:uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl...[vbcol=seagreen]
> I don't know how to solve your issue, but I would recommend you call
> Microsoft Product Support Services (MS PSS).
> --
> Mark Allison, SQL Server MVP
> http://www.markallison.co.uk
>
>
> "John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
> news:esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl...
> meet
> and
Engine[vbcol=seagreen]
> Express
> day
> little
with
> and
>
|||Nope, Microsoft is not taking editorial license on this or any other post
that isn't spam, pornography, personal attacks, or something else nasty like
that.
I can see both your original post (Message-ID:
<esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl>) and Mark's followup (Message-ID:
<uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl>) on msnews.microsoft.com using
Outlook Express. I can also see them using our web newsreader at:
http://www.microsoft.com/sql/community/newsgroups/dgbrowser/en-us/default.mspx?query=April+security+patches&dg=microsoft.public.sqlserver.server&cat=&lang=en&cr=US&pt=&catlist=6C839803-6334-48D8-A2C3-72A1BEF0053D&dglist=&ptlist=
Sincerely,
Stephen Dybing
This posting is provided "AS IS" with no warranties, and confers no rights.
"John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
news:Ow6KCQ5KEHA.240@.TK2MSFTNGP10.phx.gbl...[vbcol=seagreen]
> Mark,
> Thanks, for the response. I guess it is time to use up one of our MSDN
> support calls. This set of patches has significantly reduced the
> availability of two servers that had been running with no problems for
> months, and of course, since it includes the RPC/DCOM patch, we cannot
> remove the patch since this is an exploit that requires no I/O (inadequate
> operator) action.
> Curious though that neither my original post or your response displayed in
> the newsgroup. I only found your response, by searching the forum for the
> subject line of my post. Is Microsoft taking editorial license?
> Cheers,
> John
> "Mark Allison" <marka@.no.tinned.meat.mvps.org> wrote in message
> news:uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl...
to[vbcol=seagreen]
been[vbcol=seagreen]
ago[vbcol=seagreen]
> Engine
per[vbcol=seagreen]
> with
web
>
|||Stephen,
Well, yesterday, both were not listed in my default reader, Outlook Express,
and searching only brought up the reply. Today, the search found Mark's
response, my followup and your followup. Looking down the list, I do not
find my original post of 4/22. Just reporting what I see.
Are there any known problems with this patch?
We immediately saw unscheduled reboots of our SQL Server (2000/sp3a running
on Win2k Server sp4). Typically these are network related, and I have not
seen anything untoward happening when running perfmon and SQL Profiler
against the server, but they began almost immediately after the SUS push of
these patches to the server.
We also experienced problems with a third party web application trying to
access the database server. This application is running on a Windows
2000/sp4 server running IIS5.0 with SSL. The application reported numerous
connection failures to the database. SQL Profiler did show any failed login
attempts, so I have to assume that it was the applications data tier that
was having the problem; but again, the problem did not exist until the
patches were applied.
Removing the patches resolved the issue, but clearly this is not a situation
I want to maintain for any length of time.
Regards,
John
"Stephen Dybing [MSFT]" <stephd@.online.microsoft.com> wrote in message
news:%23aUwOT7KEHA.3052@.TK2MSFTNGP12.phx.gbl...
> Nope, Microsoft is not taking editorial license on this or any other post
> that isn't spam, pornography, personal attacks, or something else nasty
like
> that.
> I can see both your original post (Message-ID:
> <esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl>) and Mark's followup (Message-ID:
> <uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl>) on msnews.microsoft.com using
> Outlook Express. I can also see them using our web newsreader at:
>
http://www.microsoft.com/sql/communi...server&cat=&la
ng=en&cr=US&pt=&catlist=6C839803-6334-48D8-A2C3-72A1BEF0053D&dglist=&ptlist=
> --
> Sincerely,
> Stephen Dybing
> This posting is provided "AS IS" with no warranties, and confers no
rights.[vbcol=seagreen]
> "John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
> news:Ow6KCQ5KEHA.240@.TK2MSFTNGP10.phx.gbl...
(inadequate[vbcol=seagreen]
in[vbcol=seagreen]
the[vbcol=seagreen]
> to
> been
> ago
RPC/DCOM[vbcol=seagreen]
header.[vbcol=seagreen]
> per
had[vbcol=seagreen]
do
> web
>
|||I'll just repeat what Mark said and suggest that you open up a case with PSS
to track down your problems with the patch. I'm sorry, but while I work in
PSS, I don't work on the support team and can't help you.
Sincerely,
Stephen Dybing
|||We applied MS04-011 835732 and had 2 lockups/blue screens in 24 hours.
Last night we applied MS03-031 Cumulative Patch for Microsoft SQL Server (815495);
So far, it has been up 15 hours without rebooting.
Tim S

April Security Patches and SQL Server

We are running SQL Server 2000/sp3a on a relatively new server sized to meet
our needs for the foreseeable future. The OS is Win2k/sp4. It has been
running very well since installed; the last reboot was over a month ago and
that was scheduled for security updates.
On Monday evening, we installed the April security patches:
Microsoft KB837001 MS04-014:Vulnerability in Microsoft Jet Database Engine
could permit code execution
Microsoft KB828741 MS04-012: Cumulative Update for Microsoft RPC/DCOM
Microsoft KB835732 MS04-011: Security Update for Microsoft Windows
Microsoft KB837009 MS04-013: Cumulative Security Update for Outlook Express
Microsoft KB831167: Wininet retries POST requests with a blank header.
...via SUS. The server has been averaging three unscheduled reboots per day
since. If anyone has any ideas, I would be most grateful. We have had little
luck analyzing the dump file. My guess is that it has something to do with
the RPC/DCOM patch, since it is serving data for several third party web and
windows client applications.
Thanks,
JohnI don't know how to solve your issue, but I would recommend you call
Microsoft Product Support Services (MS PSS).
Mark Allison, SQL Server MVP
http://www.markallison.co.uk
"John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
news:esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl...
> We are running SQL Server 2000/sp3a on a relatively new server sized to
meet
> our needs for the foreseeable future. The OS is Win2k/sp4. It has been
> running very well since installed; the last reboot was over a month ago
and
> that was scheduled for security updates.
> On Monday evening, we installed the April security patches:
> Microsoft KB837001 MS04-014:Vulnerability in Microsoft Jet Database Engine
> could permit code execution
> Microsoft KB828741 MS04-012: Cumulative Update for Microsoft RPC/DCOM
> Microsoft KB835732 MS04-011: Security Update for Microsoft Windows
> Microsoft KB837009 MS04-013: Cumulative Security Update for Outlook
Express
> Microsoft KB831167: Wininet retries POST requests with a blank header.
> ...via SUS. The server has been averaging three unscheduled reboots per
day
> since. If anyone has any ideas, I would be most grateful. We have had
little
> luck analyzing the dump file. My guess is that it has something to do with
> the RPC/DCOM patch, since it is serving data for several third party web
and
> windows client applications.
> Thanks,
> John
>|||Mark,
Thanks, for the response. I guess it is time to use up one of our MSDN
support calls. This set of patches has significantly reduced the
availability of two servers that had been running with no problems for
months, and of course, since it includes the RPC/DCOM patch, we cannot
remove the patch since this is an exploit that requires no I/O (inadequate
operator) action.
Curious though that neither my original post or your response displayed in
the newsgroup. I only found your response, by searching the forum for the
subject line of my post. Is Microsoft taking editorial license?
Cheers,
John
"Mark Allison" <marka@.no.tinned.meat.mvps.org> wrote in message
news:uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl...
> I don't know how to solve your issue, but I would recommend you call
> Microsoft Product Support Services (MS PSS).
> --
> Mark Allison, SQL Server MVP
> http://www.markallison.co.uk
>
>
> "John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
> news:esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl...
> meet
> and
Engine[vbcol=seagreen]
> Express
> day
> little
with[vbcol=seagreen]
> and
>|||Nope, Microsoft is not taking editorial license on this or any other post
that isn't spam, pornography, personal attacks, or something else nasty like
that.
I can see both your original post (Message-ID:
<esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl> ) and Mark's followup (Message-ID:
<uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl> ) on msnews.microsoft.com using
Outlook Express. I can also see them using our web newsreader at:
http://www.microsoft.com/sql/commun...dglist=&ptlist=
Sincerely,
Stephen Dybing
This posting is provided "AS IS" with no warranties, and confers no rights.
"John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
news:Ow6KCQ5KEHA.240@.TK2MSFTNGP10.phx.gbl...
> Mark,
> Thanks, for the response. I guess it is time to use up one of our MSDN
> support calls. This set of patches has significantly reduced the
> availability of two servers that had been running with no problems for
> months, and of course, since it includes the RPC/DCOM patch, we cannot
> remove the patch since this is an exploit that requires no I/O (inadequate
> operator) action.
> Curious though that neither my original post or your response displayed in
> the newsgroup. I only found your response, by searching the forum for the
> subject line of my post. Is Microsoft taking editorial license?
> Cheers,
> John
> "Mark Allison" <marka@.no.tinned.meat.mvps.org> wrote in message
> news:uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl...
to[vbcol=seagreen]
been[vbcol=seagreen]
ago[vbcol=seagreen]
> Engine
per[vbcol=seagreen]
> with
web[vbcol=seagreen]
>|||Stephen,
Well, yesterday, both were not listed in my default reader, Outlook Express,
and searching only brought up the reply. Today, the search found Mark's
response, my followup and your followup. Looking down the list, I do not
find my original post of 4/22. Just reporting what I see.
Are there any known problems with this patch?
We immediately saw unscheduled reboots of our SQL Server (2000sp/3a running
on Win2k Server sp4). Typically these are network related, and I have not
seen anything untoward happening when running perfmon and sql profiler
against the server, but they began almost immediately after the sus push of
these patches to the server.
We also experienced problems with a third party web application trying to
access the database server. This application is running on a Windows
2000/sp4 server running IIS5.0 with SSL. The application reported numerous
connection failures to the database. SQL Profiler did show any failed login
attempts, so I have to assume that it was the applications data tier that
was having the problem; but again, the problem did not exist until the
patches were applied.
Removing the patches resolved the issue, but clearly this is not a situation
I want to maintain for any length of time.
Regards,
John
"Stephen Dybing [MSFT]" <stephd@.online.microsoft.com> wrote in message
news:%23aUwOT7KEHA.3052@.TK2MSFTNGP12.phx.gbl...
> Nope, Microsoft is not taking editorial license on this or any other post
> that isn't spam, pornography, personal attacks, or something else nasty
like
> that.
> I can see both your original post (Message-ID:
> <esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl> ) and Mark's followup (Message-ID:
> <uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl> ) on msnews.microsoft.com using
> Outlook Express. I can also see them using our web newsreader at:
>
http://www.microsoft.com/sql/commun...server&cat=&la
ng=en&cr=US&pt=&catlist=6C839803-6334-48D8-A2C3-72A1BEF0053D&dglist=&ptlist=
> --
> Sincerely,
> Stephen Dybing
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> "John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
> news:Ow6KCQ5KEHA.240@.TK2MSFTNGP10.phx.gbl...
(inadequate[vbcol=seagreen]
in[vbcol=seagreen]
the[vbcol=seagreen]
> to
> been
> ago
RPC/DCOM[vbcol=seagreen]
header.[vbcol=seagreen]
> per
had[vbcol=seagreen]
do[vbcol=seagreen]
> web
>|||I'll just repeat what Mark said and suggest that you open up a case with PSS
to track down your problems with the patch. I'm sorry, but while I work in
PSS, I don't work on the support team and can't help you.
Sincerely,
Stephen Dybing
This posting is provided "AS IS" with no warranties, and confers no rights.
"John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
news:ukKS0RGLEHA.808@.tk2msftngp13.phx.gbl...
> Stephen,
> Well, yesterday, both were not listed in my default reader, Outlook
Express,
> and searching only brought up the reply. Today, the search found Mark's
> response, my followup and your followup. Looking down the list, I do not
> find my original post of 4/22. Just reporting what I see.
> Are there any known problems with this patch?
> We immediately saw unscheduled reboots of our SQL Server (2000sp/3a
running
> on Win2k Server sp4). Typically these are network related, and I have not
> seen anything untoward happening when running perfmon and sql profiler
> against the server, but they began almost immediately after the sus push
of
> these patches to the server.
> We also experienced problems with a third party web application trying to
> access the database server. This application is running on a Windows
> 2000/sp4 server running IIS5.0 with SSL. The application reported numerous
> connection failures to the database. SQL Profiler did show any failed
login
> attempts, so I have to assume that it was the applications data tier that
> was having the problem; but again, the problem did not exist until the
> patches were applied.
> Removing the patches resolved the issue, but clearly this is not a
situation
> I want to maintain for any length of time.
> Regards,
> John
>
> "Stephen Dybing [MSFT]" <stephd@.online.microsoft.com> wrote in message
> news:%23aUwOT7KEHA.3052@.TK2MSFTNGP12.phx.gbl...
post[vbcol=seagreen]
> like
(Message-ID:[vbcol=seagreen]
>
http://www.microsoft.com/sql/commun...server&cat=&la
>
ng=en&cr=US&pt=&catlist=6C839803-6334-48D8-A2C3-72A1BEF0053D&dglist=&ptlist=
> rights.
> (inadequate
displayed[vbcol=seagreen]
> in
> the
sized[vbcol=seagreen]
month[vbcol=seagreen]
Database[vbcol=seagreen]
> RPC/DCOM
Outlook[vbcol=seagreen]
> header.
reboots[vbcol=seagreen]
> had
> do
party[vbcol=seagreen]
>|||We applied MS04-011 835732 and had 2 lockups/blue screens in 24 hours.
Last night we applied MS03-031 Cumulative Patch for Microsoft SQL Server (81
5495);
So far, it has been up 15 hours without re-booting.
Tim S

April Security Patches and SQL Server

We are running SQL Server 2000/sp3a on a relatively new server sized to meet
our needs for the foreseeable future. The OS is Win2k/sp4. It has been
running very well since installed; the last reboot was over a month ago and
that was scheduled for security updates.
On Monday evening, we installed the April security patches:
Microsoft KB837001 MS04-014:Vulnerability in Microsoft Jet Database Engine
could permit code execution
Microsoft KB828741 MS04-012: Cumulative Update for Microsoft RPC/DCOM
Microsoft KB835732 MS04-011: Security Update for Microsoft Windows
Microsoft KB837009 MS04-013: Cumulative Security Update for Outlook Express
Microsoft KB831167: Wininet retries POST requests with a blank header.
...via SUS. The server has been averaging three unscheduled reboots per day
since. If anyone has any ideas, I would be most grateful. We have had little
luck analyzing the dump file. My guess is that it has something to do with
the RPC/DCOM patch, since it is serving data for several third party web and
windows client applications.
Thanks,
JohnI don't know how to solve your issue, but I would recommend you call
Microsoft Product Support Services (MS PSS).
--
Mark Allison, SQL Server MVP
http://www.markallison.co.uk
"John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
news:esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl...
> We are running SQL Server 2000/sp3a on a relatively new server sized to
meet
> our needs for the foreseeable future. The OS is Win2k/sp4. It has been
> running very well since installed; the last reboot was over a month ago
and
> that was scheduled for security updates.
> On Monday evening, we installed the April security patches:
> Microsoft KB837001 MS04-014:Vulnerability in Microsoft Jet Database Engine
> could permit code execution
> Microsoft KB828741 MS04-012: Cumulative Update for Microsoft RPC/DCOM
> Microsoft KB835732 MS04-011: Security Update for Microsoft Windows
> Microsoft KB837009 MS04-013: Cumulative Security Update for Outlook
Express
> Microsoft KB831167: Wininet retries POST requests with a blank header.
> ...via SUS. The server has been averaging three unscheduled reboots per
day
> since. If anyone has any ideas, I would be most grateful. We have had
little
> luck analyzing the dump file. My guess is that it has something to do with
> the RPC/DCOM patch, since it is serving data for several third party web
and
> windows client applications.
> Thanks,
> John
>|||Mark,
Thanks, for the response. I guess it is time to use up one of our MSDN
support calls. This set of patches has significantly reduced the
availability of two servers that had been running with no problems for
months, and of course, since it includes the RPC/DCOM patch, we cannot
remove the patch since this is an exploit that requires no I/O (inadequate
operator) action.
Curious though that neither my original post or your response displayed in
the newsgroup. I only found your response, by searching the forum for the
subject line of my post. Is Microsoft taking editorial license?
Cheers,
John
"Mark Allison" <marka@.no.tinned.meat.mvps.org> wrote in message
news:uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl...
> I don't know how to solve your issue, but I would recommend you call
> Microsoft Product Support Services (MS PSS).
> --
> Mark Allison, SQL Server MVP
> http://www.markallison.co.uk
>
>
> "John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
> news:esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl...
> > We are running SQL Server 2000/sp3a on a relatively new server sized to
> meet
> > our needs for the foreseeable future. The OS is Win2k/sp4. It has been
> > running very well since installed; the last reboot was over a month ago
> and
> > that was scheduled for security updates.
> >
> > On Monday evening, we installed the April security patches:
> >
> > Microsoft KB837001 MS04-014:Vulnerability in Microsoft Jet Database
Engine
> > could permit code execution
> > Microsoft KB828741 MS04-012: Cumulative Update for Microsoft RPC/DCOM
> > Microsoft KB835732 MS04-011: Security Update for Microsoft Windows
> > Microsoft KB837009 MS04-013: Cumulative Security Update for Outlook
> Express
> > Microsoft KB831167: Wininet retries POST requests with a blank header.
> >
> > ...via SUS. The server has been averaging three unscheduled reboots per
> day
> > since. If anyone has any ideas, I would be most grateful. We have had
> little
> > luck analyzing the dump file. My guess is that it has something to do
with
> > the RPC/DCOM patch, since it is serving data for several third party web
> and
> > windows client applications.
> >
> > Thanks,
> > John
> >
> >
>|||Nope, Microsoft is not taking editorial license on this or any other post
that isn't spam, pornography, personal attacks, or something else nasty like
that.
I can see both your original post (Message-ID:
<esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl>) and Mark's followup (Message-ID:
<uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl>) on msnews.microsoft.com using
Outlook Express. I can also see them using our web newsreader at:
http://www.microsoft.com/sql/community/newsgroups/dgbrowser/en-us/default.mspx?query=April+security+patches&dg=microsoft.public.sqlserver.server&cat=&lang=en&cr=US&pt=&catlist=6C839803-6334-48D8-A2C3-72A1BEF0053D&dglist=&ptlist=
--
Sincerely,
Stephen Dybing
This posting is provided "AS IS" with no warranties, and confers no rights.
"John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
news:Ow6KCQ5KEHA.240@.TK2MSFTNGP10.phx.gbl...
> Mark,
> Thanks, for the response. I guess it is time to use up one of our MSDN
> support calls. This set of patches has significantly reduced the
> availability of two servers that had been running with no problems for
> months, and of course, since it includes the RPC/DCOM patch, we cannot
> remove the patch since this is an exploit that requires no I/O (inadequate
> operator) action.
> Curious though that neither my original post or your response displayed in
> the newsgroup. I only found your response, by searching the forum for the
> subject line of my post. Is Microsoft taking editorial license?
> Cheers,
> John
> "Mark Allison" <marka@.no.tinned.meat.mvps.org> wrote in message
> news:uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl...
> > I don't know how to solve your issue, but I would recommend you call
> > Microsoft Product Support Services (MS PSS).
> >
> > --
> > Mark Allison, SQL Server MVP
> > http://www.markallison.co.uk
> >
> >
> >
> >
> > "John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
> > news:esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl...
> > > We are running SQL Server 2000/sp3a on a relatively new server sized
to
> > meet
> > > our needs for the foreseeable future. The OS is Win2k/sp4. It has
been
> > > running very well since installed; the last reboot was over a month
ago
> > and
> > > that was scheduled for security updates.
> > >
> > > On Monday evening, we installed the April security patches:
> > >
> > > Microsoft KB837001 MS04-014:Vulnerability in Microsoft Jet Database
> Engine
> > > could permit code execution
> > > Microsoft KB828741 MS04-012: Cumulative Update for Microsoft RPC/DCOM
> > > Microsoft KB835732 MS04-011: Security Update for Microsoft Windows
> > > Microsoft KB837009 MS04-013: Cumulative Security Update for Outlook
> > Express
> > > Microsoft KB831167: Wininet retries POST requests with a blank header.
> > >
> > > ...via SUS. The server has been averaging three unscheduled reboots
per
> > day
> > > since. If anyone has any ideas, I would be most grateful. We have had
> > little
> > > luck analyzing the dump file. My guess is that it has something to do
> with
> > > the RPC/DCOM patch, since it is serving data for several third party
web
> > and
> > > windows client applications.
> > >
> > > Thanks,
> > > John
> > >
> > >
> >
> >
>|||Stephen,
Well, yesterday, both were not listed in my default reader, Outlook Express,
and searching only brought up the reply. Today, the search found Mark's
response, my followup and your followup. Looking down the list, I do not
find my original post of 4/22. Just reporting what I see.
Are there any known problems with this patch?
We immediately saw unscheduled reboots of our SQL Server (2000sp/3a running
on Win2k Server sp4). Typically these are network related, and I have not
seen anything untoward happening when running perfmon and sql profiler
against the server, but they began almost immediately after the sus push of
these patches to the server.
We also experienced problems with a third party web application trying to
access the database server. This application is running on a Windows
2000/sp4 server running IIS5.0 with SSL. The application reported numerous
connection failures to the database. SQL Profiler did show any failed login
attempts, so I have to assume that it was the applications data tier that
was having the problem; but again, the problem did not exist until the
patches were applied.
Removing the patches resolved the issue, but clearly this is not a situation
I want to maintain for any length of time.
Regards,
John
"Stephen Dybing [MSFT]" <stephd@.online.microsoft.com> wrote in message
news:%23aUwOT7KEHA.3052@.TK2MSFTNGP12.phx.gbl...
> Nope, Microsoft is not taking editorial license on this or any other post
> that isn't spam, pornography, personal attacks, or something else nasty
like
> that.
> I can see both your original post (Message-ID:
> <esSncLKKEHA.2884@.TK2MSFTNGP12.phx.gbl>) and Mark's followup (Message-ID:
> <uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl>) on msnews.microsoft.com using
> Outlook Express. I can also see them using our web newsreader at:
>
http://www.microsoft.com/sql/community/newsgroups/dgbrowser/en-us/default.mspx?query=April+security+patches&dg=microsoft.public.sqlserver.server&cat=&la
ng=en&cr=US&pt=&catlist=6C839803-6334-48D8-A2C3-72A1BEF0053D&dglist=&ptlist=> --
> Sincerely,
> Stephen Dybing
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> "John" <jkraeck@.NOprincetonSPAM.edu> wrote in message
> news:Ow6KCQ5KEHA.240@.TK2MSFTNGP10.phx.gbl...
> > Mark,
> >
> > Thanks, for the response. I guess it is time to use up one of our MSDN
> > support calls. This set of patches has significantly reduced the
> > availability of two servers that had been running with no problems for
> > months, and of course, since it includes the RPC/DCOM patch, we cannot
> > remove the patch since this is an exploit that requires no I/O
(inadequate
> > operator) action.
> >
> > Curious though that neither my original post or your response displayed
in
> > the newsgroup. I only found your response, by searching the forum for
the
> > subject line of my post. Is Microsoft taking editorial license?
> >
> > Cheers,
> > John
> >
> > "Mark Allison" <marka@.no.tinned.meat.mvps.org> wrote in message
> > news:uigrjjQKEHA.3944@.tk2msftngp13.phx.gbl...
> > > I don't know how to solve your issue, but I would recommend you call
> > > Microsoft Product Support Services (MS PSS).
> > >
> > > --
> > > Mark Allison, SQL Server MVP
> > > http://www.markallison.co.uk
> > >
> > >
> > >
> > >
|||I'll just repeat what Mark said and suggest that you open up a case with PSS
to track down your problems with the patch. I'm sorry, but while I work in
PSS, I don't work on the support team and can't help you.
--
Sincerely,
Stephen Dybing
This posting is provided "AS IS" with no warranties, and confers no rights.
"John" <jkraeck@NOprincetonSPAM.edu> wrote in message
news:ukKS0RGLEHA.808@tk2msftngp13.phx.gbl...
> Stephen,
> Well, yesterday, both were not listed in my default reader, Outlook Express,
> and searching only brought up the reply. Today, the search found Mark's
> response, my followup and your followup. Looking down the list, I do not
> find my original post of 4/22. Just reporting what I see.
> Are there any known problems with this patch?
> We immediately saw unscheduled reboots of our SQL Server (2000sp/3a running
> on Win2k Server sp4). Typically these are network related, and I have not
> seen anything untoward happening when running perfmon and sql profiler
> against the server, but they began almost immediately after the sus push of
> these patches to the server.
> We also experienced problems with a third party web application trying to
> access the database server. This application is running on a Windows
> 2000/sp4 server running IIS5.0 with SSL. The application reported numerous
> connection failures to the database. SQL Profiler did show any failed login
> attempts, so I have to assume that it was the application's data tier that
> was having the problem; but again, the problem did not exist until the
> patches were applied.
> Removing the patches resolved the issue, but clearly this is not a situation
> I want to maintain for any length of time.
> Regards,
> John
>
> "Stephen Dybing [MSFT]" <stephd@online.microsoft.com> wrote in message
> news:%23aUwOT7KEHA.3052@TK2MSFTNGP12.phx.gbl...
> > Nope, Microsoft is not taking editorial license on this or any other post
> > that isn't spam, pornography, personal attacks, or something else nasty like
> > that.
> >
> > I can see both your original post (Message-ID:
> > <esSncLKKEHA.2884@TK2MSFTNGP12.phx.gbl>) and Mark's followup (Message-ID:
> > <uigrjjQKEHA.3944@tk2msftngp13.phx.gbl>) on msnews.microsoft.com using
> > Outlook Express. I can also see them using our web newsreader at:
> >
> > http://www.microsoft.com/sql/community/newsgroups/dgbrowser/en-us/default.mspx?query=April+security+patches&dg=microsoft.public.sqlserver.server&cat=&lang=en&cr=US&pt=&catlist=6C839803-6334-48D8-A2C3-72A1BEF0053D&dglist=&ptlist=
> >
> > --
> > Sincerely,
> > Stephen Dybing
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
|||We applied MS04-011 835732 and had 2 lockups/blue screens in 24 hours.
Last night we applied MS03-031 Cumulative Patch for Microsoft SQL Server (815495);
So far, it has been up 15 hours without re-booting.
Tim Ssql

Thursday, March 8, 2012

Application/Security Design: Stored Procedures versus SQL queries

Hello everyone,

I don't know what category would be appropriate for this question but security seems to be close enough.

I have this case scenario: I am running an automated application that extracts data from a web site and stores the data into a table on SQL server 2005. This information is not confidential in the extreme of social insurance #'s, bank account #s, but should not be seen by a typical employee (it has no use for them). After the data has been stored, it retrieves the data from the same table, processes it, and updates the same table. This application runs every hour infinitely.

Should all the insert, update, and select queries be stored under a stored procedure? I am not concerned with performance. My concern would fall under design and security.

Is it worth hiding the details of inserting/updating/selecting behind a stored procedure? Or should I just allow the program to send select/update/insert SQL queries?

No employee (other than the developer and the DB admin) or customer ever accesses this table (they do not have permission from SQL). The username and passwords were created with security in mind.

Any thoughts or ideas?

Thanks for your time, Adrian

It sounds as though 'a typical employee' would not have access to the table. As long as the PUBLIC role cannot access the table, and 'a typical employee' does not have permissions, you are covered.

Using Stored Procedures 'may' be excessive in this situation.

|||

Thank you for your response.

I still am left wondering whether it is worth hiding the details of inserting/updating/selecting behind a stored procedure or whether I should just allow the program to send select/update/insert SQL queries.

I consider the stored procedure as the last "line of defense" when it comes to enforcing business rules. Although in theory, in a 3-tier system, the business layer takes care of this, I have seen other developers program some sort of application and they forgot one aspect of the business or some sort of formatting error. A stored procedure would correct this b/c it doesn't matter which business layer accesses the SQL server, they all will be enforced by the server.

Do you have an understanding of where I am coming from? Where do we draw the line of what the business layer enforces and what the SQL server enforces?

This is where I'd like to get other opinions on it too.

Thank you for your time, Adrian

|||

Adrian,

First, let me state that in 'almost' all situations, I recommend using stored procedures for several reasons, including: reusability, abstraction and security. Reusability infers that the same code is called multiple times from the application. Abstraction allows the procedure code (and how/where the data is actually stored) to be 'tuned' without having to redeploy the application. And of course, security protects the tables from inadvertent alteration and maintains a minimum level of data protection -and may even inject some form of audit trailing.

That said, I recommend against putting excessive 'business rules' into stored procedures. I prefer business rules to be in the 'middle tier' -mainly for scalability reasons, as well as my attempts to keep the data server dedicated to protecting the data. Here, however, you will find a great range of opinions, and as hardware becomes more robust and less expensive, and data clusters have become easier to configure and operate -'scalability' becomes less of an issue.

Now in your situation, you posit that the application is automatic -little chance for SQL injection, and users have no reason for direct data access. You have to balance the extra effort for creating and testing the stored procedures against the benefit. Granted, there 'may' be a slight increase in performance due to reusing compiled procedures -but you are doing the same activities over and over again so even the 'ad-hoc' queries would most likely be in the procedure cache (make sure the queries are properly parameterized). But the main question to ask is: "What is the benefit and what is the cost of mandating stored procedure use above direct table access?"

|||

May I know how to give all stored procedures exec permission to one user instead of one by one? Thanks in advance for your advice.

eg.

GRANT EXECUTE ON [dbo].[SP_xxx] TO [yyy]

GO

Instead of one procedure at a time, how can I do it all in one go?

With regards

Bala

|||Create a database role. Add all users to the role. Grant permissions to the role.|||

Hi,

Thanks for the reply. Every day we delete the stored procedures and recreate at least a few hundred. Once we delete them, the permissions are lost, and new stored procedures have no permissions set. If we know the command to run for all stored procedures, instead of one by one, I will run it every time after creating the stored procedures.

With regards

Bala

|||

I always recommend adding stored procedures to source control. Each stored procedure as a separate file. Databases can be 'refreshed' from source control in order to keep out development 'detritus'.

Each stored procedure file also contains the necessary permissions. Here is an example: (Works in SQL 2000/2005)

IF EXISTS
( SELECT ROUTINE_NAME
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_SCHEMA = 'dbo'
AND ROUTINE_NAME = 'MyProcedureName'
AND ROUTINE_TYPE = 'PROCEDURE'
)
DROP PROCEDURE dbo.MyProcedureName
GO

CREATE PROCEDURE dbo.MyProcedureName
/****************************************************************
* PROCEDURE: MyProcedureName
* DATE:
* AUTHOR:
*-
* DESCRIPTION:
*
*-
* CODE REVIEW: Date/Who/Status
*-
* VSS revision history: (location in source control)
****************************************************************/
( @Parameter1 datatype
, @Parameter2 datatype
)
AS

SET NOCOUNT ON

DECLARE @Err int
, @RowsAffected int

-- Procedure Code Here

-- Capture both values in a single statement: reading @@ERROR or
-- @@ROWCOUNT on its own resets the other one.
SELECT
@Err = @@ERROR
, @RowsAffected = @@ROWCOUNT

IF ( @Err != 0 )
RETURN @Err

IF ( @RowsAffected = 0 )
RETURN -1

RETURN 0
GO

GRANT EXECUTE ON dbo.MyProcedureName TO MyCustomRole
GO


|||

Hi Arnie,

Thank you very much, I will do that.

With regards

Bala
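Bala's situation (a few hundred procedures dropped and recreated every day, with permissions lost each time) is the case for granting to a role once rather than to each procedure, as Arnie suggests. The script below is an added example and is not code from the thread or from any of its posters; the role name MyCustomRole and the database user app_user are placeholders. On SQL Server 2005 a single schema-level grant covers procedures created later, so the nightly recreate needs no follow-up; on SQL Server 2000 there is no schema-level grant, so the catalog is walked and one GRANT is issued per procedure, which has to be re-run after each recreate. A cursor is used instead of building one long string because nvarchar is limited to 4000 characters on SQL 2000 and a few hundred GRANT statements would not fit.

```sql
-- Added example (not from the thread). Placeholders: MyCustomRole, app_user.

-- Step 1: permissions go to a role; logins are only ever made members of it.
-- (SQL Server 2000 syntax, also accepted by SQL Server 2005.)
EXEC sp_addrole 'MyCustomRole'
EXEC sp_addrolemember 'MyCustomRole', 'app_user'
GO

-- Step 2a (SQL Server 2005): one grant at schema scope. It applies to every
-- procedure (and function) that exists now or is created later in dbo, and
-- it grants EXECUTE only, no direct table access.
GRANT EXECUTE ON SCHEMA::dbo TO MyCustomRole
GO

-- Step 2b (SQL Server 2000): generate one GRANT per existing dbo procedure.
-- Run this as the last step of the script that recreates the procedures.
DECLARE @proc sysname
DECLARE @cmd  nvarchar(512)

DECLARE proc_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT ROUTINE_NAME
    FROM INFORMATION_SCHEMA.ROUTINES
    WHERE ROUTINE_SCHEMA = 'dbo'
      AND ROUTINE_TYPE = 'PROCEDURE'
      AND ROUTINE_NAME NOT LIKE 'dt[_]%'   -- skip the dt_* diagramming procedures

OPEN proc_cur
FETCH NEXT FROM proc_cur INTO @proc
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets the name so an oddly named procedure cannot
    -- break or alter the generated statement.
    SET @cmd = N'GRANT EXECUTE ON dbo.' + QUOTENAME(@proc) + N' TO MyCustomRole'
    EXEC sp_executesql @cmd
    FETCH NEXT FROM proc_cur INTO @proc
END
CLOSE proc_cur
DEALLOCATE proc_cur
GO
```

Run either step as a member of db_owner: INFORMATION_SCHEMA.ROUTINES only lists objects the current user has some permission on, so a less privileged account would silently grant on a subset.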


application with critical database

Dear all

I am pretty new in the development world, fresh from uni. I am doing development on a system that has a security database. Access to the data in that database is pretty important. So in case the main server where the database is stored for some reason fails or gets compromised, I need to have a second copy with the most recent data in that database and keep the application up and running. The data I have is stored in a SQL 2005 database. What are the recommended approaches for achieving this needed reliability?

Would running the SQL Agent every 2 minutes do the trick? And replicate the database to another server and then have a secondary deployment on that server running as a backup? Or are there any other means?

Any advice is appreciated.

Sincerely

See if below links can be useful.

http://msdn2.microsoft.com/en-us/library/ms151247.aspx

http://www.microsoft.com/technet/prodtechnol/sql/2005/dbmirror.mspx

Application sending email

Hi:
I would like to know security implications on two different ways to enable
an application to email alerts.
1. Installing outlook client for application to call.
2. Using CDOSYS to point to SMTP server and send email using AD
username/password.
Thanks for any input.|||Option 1 -very bad choice. Outlook has too many security issues to safely
install on a server.
Option 2. klutzy but will/could work. But wait, there are better choices.
Option 3. SQL 2000 download xp_smtpmail from http://www.sqldev.net/xp/xpsmtp.htm
Option 3. SQL 2005 -Use the included smtp mail server. Look up sp_send_dbmail
in Books on Line.
--
Arnie Rowland*
"To be successful, your heart must accompany your knowledge."
"Cindy" <Cindy@discussions.microsoft.com> wrote in message
news:943EC1D1-1E2A-413A-8DF5-A5F919125DD9@microsoft.com...
> Hi:
> I would like to know security implications on two different ways to enable
> an application to email alerts.
>
> 1. Installing outlook client for application to call.
>
> 2. Using CDOSYS to point to SMTP server and send email using AD
> username/password.
>
> Thanks for any input.|||Thanks for the information, but can you point me to some specifics about the
Outlook security issues. I am bringing up a new SQL database with an accounting
package. Package developers want to install Outlook on the SQL server (has to be
2000, not compatible with 2005). Need facts to support my position. If I
have no choice but to install Outlook, how can I secure it?
If CDOSYS is klutzy, is it more secure than Outlook?
Thanks, Cindy
"Arnie Rowland" wrote:
> Option 1 -very bad choice. Outlook has too many security issues to safely
> install on a server.
> Option 2. klutzy but will/could work. But wait, there are better choices.
> Option 3. SQL 2000 download xp_smtpmail from http://www.sqldev.net/xp/xpsmtp.htm
> Option 3. SQL 2005 -Use the included smtp mail server. Look up sp_send_dbmail
> in Books on Line.
> --
> Arnie Rowland*
> "To be successful, your heart must accompany your knowledge."
>
> "Cindy" <Cindy@discussions.microsoft.com> wrote in message news:943EC1D1-1E2A-413A-8DF5-A5F919125DD9@microsoft.com...|||Here are some sources of information about Outlook/MAPI issues.
http://support.microsoft.com/defaul...b;en-us;Q315886
Top Causes of SQL Server Downtime (Item #2)
http://www.sqlmag.com/Article/Artic...rver_40011.html
http://www.karaszi.com/SQLServer/info_no_mapi.asp
Google for "SQL Server" + MAPI + problems
Microsoft has 'dumped' MAPI for SQL Server 2005, instead using a built in
SMTP client.
--> check out xp_smtpmail. It's very easy to set up and very easy to use.
<--
The question to raise: "Is it better to use a mail client that has no
documented problems running on SQL Server, or a mail client that has a long
history of problems, including causing the SQL Server to fail?"
What difference to the developers as long as there is a flexible way to send
messages.
And your last question, how can you secure Outlook... possibly never.
Recognize that as the number one mail client, it is the biggest target for
any hackers (new exploits are regularly found), and what do hackers want to
hack? -data servers.
If you can't tell, I have a 'little' bias on this issue... Outlook/MAPI on
SQL Server is a big AND unnecessary mistake.
Arnie Rowland*
"To be successful, your heart must accompany your knowledge."
"Cindy" <Cindy@discussions.microsoft.com> wrote in message
news:464BAE44-2A86-4DDA-AF3C-9726B9AFAC03@microsoft.com...
> Thanks for the information, but can you point me to some specifics about
> the Outlook security issues. I am bringing up a new SQL database with an
> accounting package. Package developers want to install Outlook on the SQL
> server (has to be 2000, not compatible with 2005). Need facts to support
> my position. If I have no choice but to install Outlook, how can I secure it?
> If CDOSYS is klutzy, is it more secure than Outlook?
> Thanks, Cindy
> "Arnie Rowland" wrote:
>|||Thanks for the info.
Cindy
|||Understanding that Outlook has security issues, I personally have used SQL
Mail in the past with the Outlook client and had great success. Although it
may be one of the top reasons for 'downtime' (if you call a reboot
downtime), how much downtime is that? If you have 99.9% uptime and SQL Mail
is responsible for .1% downtime, is that acceptable? It was for me.
If you stay on top of your Outlook updates, restrict access to the xp_'s
(xp_sendmail, for example), and do your homework on SQL Mail, there is some
reward to offset the risk. There are factors that may sway you one way or
another depending on your situation.
My server sent an average of around 100 emails per minute - with SQL Mail
and the Outlook client.
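The SQL Server 2005 route Arnie points Cindy at (Database Mail, sp_send_dbmail) removes the mail client from the server entirely: the engine talks SMTP through an external process, and the application only needs EXECUTE on one procedure in msdb. The script below is an added example, not code from the thread or from Microsoft's documentation; every name in it (AlertsProfile, AlertsAccount, alerts@example.com, smtp.example.com, ops@example.com, the login app_login) is a placeholder. It shows the minimum set of steps, with the application login kept out of sysadmin.

```sql
-- Added example (not from the thread). All names are placeholders.

-- 1. Database Mail is off by default. Turn on only the Database Mail XPs,
--    not the broader set of extended procedures.
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'Database Mail XPs', 1
RECONFIGURE
GO

-- 2. A profile with one SMTP account. Anonymous relay to an internal SMTP host
--    is shown; if the host requires authentication, pass @username and
--    @password to sysmail_add_account_sp so the credential lives in msdb,
--    not in the application's code or config.
EXEC msdb.dbo.sysmail_add_profile_sp
    @profile_name = 'AlertsProfile',
    @description  = 'Outbound alerts from the accounting database'
EXEC msdb.dbo.sysmail_add_account_sp
    @account_name    = 'AlertsAccount',
    @email_address   = 'alerts@example.com',
    @mailserver_name = 'smtp.example.com'
EXEC msdb.dbo.sysmail_add_profileaccount_sp
    @profile_name    = 'AlertsProfile',
    @account_name    = 'AlertsAccount',
    @sequence_number = 1
GO

-- 3. Least privilege for the application: a user in msdb, membership in
--    DatabaseMailUserRole (which carries EXECUTE on sp_send_dbmail), and
--    access to this one profile only.
USE msdb
CREATE USER app_login FOR LOGIN app_login
EXEC sp_addrolemember 'DatabaseMailUserRole', 'app_login'
EXEC msdb.dbo.sysmail_add_principalprofile_sp
    @profile_name   = 'AlertsProfile',
    @principal_name = 'app_login',
    @is_default     = 1
GO

-- 4. What the application (or a SQL Agent job/alert) runs. The message is
--    queued; delivery is done asynchronously by the external DatabaseMail.exe.
EXEC msdb.dbo.sp_send_dbmail
    @profile_name = 'AlertsProfile',
    @recipients   = 'ops@example.com',
    @subject      = 'Nightly import finished',
    @body         = 'Import completed; see the job history for row counts.'
GO

-- 5. Queuing is not delivery: check the status and the log for failures.
SELECT mailitem_id, sent_status, send_request_date
FROM msdb.dbo.sysmail_allitems
ORDER BY mailitem_id DESC

SELECT log_date, event_type, description
FROM msdb.dbo.sysmail_event_log
ORDER BY log_date DESC
```

Steps 1 to 3 run once as sysadmin; step 4 is all the application ever executes, and step 5 is what to look at when an alert does not arrive.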

Application Security

We have a Visual Basic 5 .exe that is used to launch an application process
to import files from our application server to update the database server.
Both servers are Windows 2003 Server Standard Edition. The application launches
MS Access 2000 and imports files into an Access database table and then connects
to our database server hosting SQL Server 2000 Sp3 to update a master table of users.
The VB app is launched with a local account on the app server and uses a registry
value to get the database connection string using SQL Authentication. We have
noticed an authentication error message (Failure Event ID 529) on the SQL server
for the account launching the scheduled task that runs the imports. The error only
occurs on the SQL server when a load occurs on the application server. The load
occurs when users run a Web .ASP application and run end of month procedures.
It connects to the same SQL server with the same SQL Authenticated credentials.
The import VB application does not start to authenticate unless a load is present
on the server. Why would the security context change and go away from SQL
authentication? The work around so far is to use a domain account or mirrored
account on the SQL server.
Thanks.|||It sounds like the VB application is using a connection string that is
requesting Windows Authentication. This is why it works if you
use a domain account or duplicate the user account and passwords. Check
the Security tab in Enterprise Manager and verify that you are allowing
both SQL and Windows Authentication. Enable auditing for both failed and
successful logins and test using both standard and Windows authentication
to validate the logging.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
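Kevin's two checks (authentication mode, login auditing) can be done from a query window as well as from the Security tab, and a third query shows which mode a live connection actually used. The block below is an added example, not code from the thread; it works on SQL Server 2000 and 2005, and the program name 'ImportApp' is a placeholder for whatever the VB application's connection string sets.

```sql
-- Added example (not from the thread). 'ImportApp' is a placeholder.

-- 1. Which authentication modes does the instance accept?
--    1 = Windows Authentication only: a SQL login such as the import
--        account's will always be refused.
--    0 = mixed mode: both SQL and Windows logins are accepted.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only

-- 2. Is login auditing on, and at what level ('none', 'successful',
--    'failure', 'all')? With failures audited, each refused login is
--    written to the SQL Server error log and the Windows application log,
--    which is the evidence Kevin asks for.
EXEC master.dbo.xp_loginconfig 'audit level'

-- 3. How did the application's sessions actually authenticate?
--    A row whose loginame is DOMAIN\account and whose nt_username is set
--    came in through Windows authentication, whatever the application
--    believed it sent. A row with a plain SQL login name and an empty
--    nt_username used SQL authentication.
SELECT spid, loginame, nt_domain, nt_username, hostname, program_name
FROM master.dbo.sysprocesses
WHERE program_name = 'ImportApp'
```

The usual cause of the symptom is the connection string itself: with the SQLOLEDB provider, a string that contains Integrated Security=SSPI (or Trusted_Connection=Yes with the ODBC driver) requests Windows authentication and the User ID and Password in the same string are ignored, which is exactly the behaviour that a domain or mirrored account "fixes".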

Wednesday, March 7, 2012

Application Roles with IIS

I wish to use SQL Server 2000 Application Security with an ASP (Classic) application.
When I run the ASP app and look at SQL Server Current Activity Process Info,
the column Application is showing "Internet Information Services". How do
I align SQL Server and IIS so that Application Security can be utilised?
regards
Greg
PS I have already set the Application Name for this site in IIS.|||If you are using ASP to connect to SQL Server then the application is IIS
so that is what is displayed. What application would you prefer it to
display?
Rand
This posting is provided "as is" with no warranties and confers no rights.

Application Roles across databases in SQL Server 2000

Hello
I have 2 databases that run application role security
(different role names and passwords), users access these
databases only from within different Visual Basic
applications.
I require to be able to request data from both
databases. I have read in SQL Server help that if you
enable the guest user account and then give it the
relevant permissions the system will only allow the other
database to get to these objects.
I have created a stored procedure on one of the databases
that calls a table in the database with the guest account
enabled. I have not given the guest account access to
this table but I can still get to the data in the table.
Please can someone explain why this is and what I need to
do to prevent this.
Thank you
Caroline|||> I have created a stored procedure on one of the databases
> that calls a table in the database with the guest account
> enabled. I have not given the guest account access to
> this table but I can still get to the data in the table.
> Please can someone explain why this is and what I need to
> do to prevent this.
This is due to ownership chaining behavior. As long as all objects are
owned by the same login, permissions are not checked on indirectly
referenced objects. Additionally, you need to enable cross database
chaining for ownership chains to apply to cross-database access. This
appears to be the case in your environment.
As long as you access data only via views and procedures, you don't need to
grant any permissions to guest. This allows you to leverage ownership
chains as a security mechanism. See Ownership Chains in the Books Online
for more information.
Hope this helps.
Dan Guzman
SQL Server MVP
|||> and what I need to do to prevent this.
Only grant execute permissions on the procedure to those users/roles whom
you want to access the underlying data.
Hope this helps.
Dan Guzman
SQL Server MVP
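Dan's explanation can be seen directly on a test database: when a procedure and the table it reads have the same owner, SQL Server checks the caller's permission on the procedure only, so the table needs no grant at all (and nothing for guest). The script below is an added example, not code from the thread; the database name ReportDB, the role app_role and the login chain_test are placeholders, and it assumes db_owner in that database. It also shows where to look for the cross-database chaining settings Dan mentions, which are off unless someone turned them on.

```sql
-- Added example (not from the thread). Placeholders: ReportDB, app_role, chain_test.

-- 1. Is cross-database ownership chaining enabled? Run the pair that
--    matches your version (the other will fail, so they are separate batches).
EXEC sp_configure 'Cross DB Ownership Chaining'   -- SQL 2000 SP3+: server-wide
EXEC sp_dboption 'ReportDB', 'db chaining'        -- SQL 2000 SP3+: per database
GO
SELECT name, is_db_chaining_on FROM sys.databases -- SQL 2005 equivalent
GO

-- 2. A dbo-owned table and a dbo-owned procedure that reads it.
USE ReportDB
GO
CREATE TABLE dbo.SensitiveData (id int NOT NULL, payload varchar(60) NOT NULL)
INSERT dbo.SensitiveData (id, payload) VALUES (1, 'reachable only through the procedure')
GO
CREATE PROCEDURE dbo.GetSensitiveData
AS
    SET NOCOUNT ON
    SELECT id, payload FROM dbo.SensitiveData
GO

-- 3. Permissions: EXECUTE on the procedure, and nothing else. No SELECT on
--    the table, nothing to guest or public. This is "ownership chains as a
--    security mechanism": the table is unreachable except via the procedure.
EXEC sp_addrole 'app_role'
GRANT EXECUTE ON dbo.GetSensitiveData TO app_role
EXEC sp_addlogin 'chain_test', 'placeholder-password', 'ReportDB'
EXEC sp_grantdbaccess 'chain_test'
EXEC sp_addrolemember 'app_role', 'chain_test'
GO

-- 4. Verify as the low-privilege user. SETUSER works on SQL 2000 and 2005;
--    on 2005 EXECUTE AS USER = 'chain_test' / REVERT is the newer form.
SETUSER 'chain_test'
GO
EXEC dbo.GetSensitiveData          -- succeeds: same owner, table permissions not checked
GO
SELECT id FROM dbo.SensitiveData   -- fails: SELECT permission denied (error 229)
GO
SETUSER                            -- drop the impersonation
GO
```

The cross-database case in Caroline's question follows the same rule once 'db chaining' is on for both databases and the dbo of each maps to the same login; with it off, the target database checks the table permission for guest, which is what she expected to see.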

Application Role Usage

I am new to the security part of SQL server and I'm having a problem with
using the application role while running a query from Excel. I wrote the sp
I'm using and it works fine but I can't get the application role to work. I
have set it up in EM but I'm not sure how to put it in the code in Microsoft
query. Do I have to put the exec sp_setapprole 'role', 'password' statement
in the sp or before I execute the procedure? I tried putting it before and it
did not work; maybe I had the wrong syntax or something. Below is what I
wrote:
Exec sp_setapprole 'role', 'password'
GO
Exec GetDefectReport
GO

This should work I think...do you get an error message?
Did you give the approle execute permission on the SP (maybe underlying
tables?)
Does the sp return data for Excel to display (I take it, that's what it has
to do...)?
Lee-Z

The error message is that the syntax is wrong around GO. I wrote the sp in
the query analyzer and now I am calling it from Excel using Microsoft Query.

I have never tried approle with MS Query, but try to execute the sp_SetAppRole
statement in menu "File"-> "Execute SQL" from MS-Query (leave out the GO
part). Make sure you select your database in the dropdown box.
After that you should be able to get data from your original query (leave
out the "GO" here as well)...
good luck
Lee-Z

You are not going to be able to use Microsoft Query and get
application roles to perform reliably. Application roles are
connection-specific, and the tools open additional connections under
the covers in order to speed up connections. This is an issue even if
you code data access in ADO code (which is the usual way to go about
it). The following article, "SQL application role errors with OLE DB
resource pooling" describes the problem and the workaround:
http://support.microsoft.com/defaul...b;en-us;Q229564
--Mary
On Fri, 12 Aug 2005 06:59:20 -0700, "A.B."
<AB@.discussions.microsoft.com> wrote:

Thanks for the help Lee and Mary
"Mary Chipman [MSFT]" wrote:

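Added example, not code from any of the posts above: an application role set up end to end, activated and then released, to show what the client actually has to send and why the posted batch fails outside Query Analyzer. The database DefectDb, the Defects table, the role name ReportRole and its password are assumptions; the procedure name GetDefectReport is taken from the question. The cookie form of sp_setapprole and sp_unsetapprole are SQL Server 2005 and later.

```sql
-- Added example, not from the thread.  DefectDb, Defects, ReportRole and the
-- password are assumed names.
USE DefectDb;
GO
CREATE TABLE dbo.Defects (DefectId int PRIMARY KEY, Title nvarchar(100));
INSERT dbo.Defects VALUES (1, N'Report crashes on empty filter');
GO
CREATE PROCEDURE dbo.GetDefectReport AS
    SELECT DefectId, Title FROM dbo.Defects;
GO
-- An application role is a database principal with its own password and no
-- login; a connection "becomes" it by calling sp_setapprole.
-- SQL 2000 equivalent: EXEC sp_addapprole 'ReportRole', 'R3port!Pwd'
CREATE APPLICATION ROLE ReportRole WITH PASSWORD = 'R3port!Pwd';
GO
-- Only EXECUTE on the procedure.  dbo owns both the procedure and the table,
-- so the ownership chain means the role needs nothing on the table itself.
GRANT EXECUTE ON dbo.GetDefectReport TO ReportRole;
GO
-- What the client sends, as ONE batch on ONE connection.  Note: no GO.  GO is
-- not Transact-SQL; Query Analyzer, osql and sqlcmd treat it as a batch
-- separator and never send it, whereas a tool that passes the text straight
-- through (MS Query, ADO) gets "Incorrect syntax near 'GO'".
DECLARE @cookie varbinary(8000);
EXEC sp_setapprole @rolename = 'ReportRole', @password = 'R3port!Pwd',
                   @fCreateCookie = 1, @cookie = @cookie OUTPUT;  -- cookie: SQL 2005+
SELECT USER_NAME() AS current_principal;                          -- ReportRole
EXEC dbo.GetDefectReport;                                         -- allowed
BEGIN TRY
    EXEC sp_executesql N'SELECT * FROM dbo.Defects';              -- denied: no SELECT
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;         -- 229
END CATCH;
-- Drop the role again before the connection goes back to a pool; otherwise
-- the next borrower of that pooled connection silently inherits ReportRole.
EXEC sp_unsetapprole @cookie;
SELECT USER_NAME() AS current_principal;                          -- original user
```

Two points the thread raises are worth stating plainly. sp_setapprole has to be a direct statement on the connection: it cannot be called from inside a stored procedure or inside a user transaction, so it goes before the EXEC GetDefectReport, never inside the procedure. And because the role is bound to the connection, any layer that pools or multiplexes connections behind the caller's back (the MS Query/OLE DB resource pooling Mary refers to) will either fail to activate it or leak it; on SQL Server 2000 the KB's answer is to switch pooling off for that connection, on 2005 and later the cookie lets the application reset the context itself before releasing the connection.
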
Saturday, February 25, 2012

Application Login and Integrated Security

Hello,

We're having a bit of a problem getting Integrated Security to work with a .Net 2.0 application and SQL 2005. While we're tweaking permissions on the SQL-side, we came across an account "Application Login" and wondered what its role is. First, our problem:

Currently, the users in the AD group get a connection error. This group is defined as follows at the instance level:

role: public

user mapping: to the database without any default schema

securables: none

status: grant and enabled

At the database security level:

general: none

securables: execute on all (100+) stored procedures

And we gave them "Execute" on the database itself.

A little background: we had detached and copied this database from one server to another. So we suspect that the Application Login may have been modified/corrupted, even though it appears to be identical between the original and the copied databases. So we redefined it on the copied DB to match the original.

Another group, which is defined as dbo on the database, has no problem at all connecting and running the application.

The Application Login has Execute permissions on all stored procedures and Delete, Insert, Select, Update, and View Definition on the ChangeLog table. It also has db_DataReader, db_DataWriter, and db_ddlAdmin roles associated with it.

Is there another SQL login required for initial connection to the database even though Integrated Security=SSPI is used in the connection string?

Does anyone see where we may be missing a security setting for the non-dbo user group to connect to the database?

Thanks very much for any suggestions, ideas ....

Cheers,

Tess

Okay, it looks like granting Execute to the database itself has resolved the connection issue.

Have a good day everyone!
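
Added example, not part of Tess's post: the checks a DBA would run on a database that was detached and copied between servers when a mapped Windows group still cannot open it, followed by the two database-scoped grants that cover the initial connection and all stored procedures at once. The database AppDb, the group CORP\AppUsers, the user ApplicationLogin and the test account CORP\jdoe are assumptions; the catalog views and HAS_PERMS_BY_NAME are SQL Server 2005 and later.

```sql
-- Added example, not from the thread.  AppDb, CORP\AppUsers, ApplicationLogin
-- and CORP\jdoe are assumed names.  SQL Server 2005+.
USE AppDb;
GO
-- 1. Orphaned users: database principals whose SID matches no server login.
--    Windows users and groups keep their domain SID, so they normally survive
--    a detach/attach; SQL logins created on the old server usually do not.
SELECT dp.name, dp.type_desc,
       COALESCE(sp.name, 'ORPHANED') AS server_login
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON dp.sid = sp.sid
WHERE dp.type IN ('S', 'U', 'G')       -- SQL user, Windows user, Windows group
  AND dp.principal_id > 4;             -- skip dbo, guest, INFORMATION_SCHEMA, sys
GO
-- Re-link an orphaned SQL user to the login of the same name on this server:
-- ALTER USER [ApplicationLogin] WITH LOGIN = [ApplicationLogin];

-- 2. CONNECT is what the initial open needs.  CREATE USER grants it
--    implicitly, but a user that lost it (revoked, or created another way)
--    cannot open the database even when it has EXECUTE on every procedure.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class = 0                     -- database-scoped permissions only
  AND pr.name IN (N'CORP\AppUsers', N'ApplicationLogin', N'guest');
GO
-- 3. Grants for the AD group: CONNECT for the open, and database-scoped
--    EXECUTE, which covers every present and future stored procedure in one
--    statement instead of 100+ per-object grants.
GRANT CONNECT TO [CORP\AppUsers];
GRANT EXECUTE TO [CORP\AppUsers];
GO
-- 4. Confirm from a group member's point of view.  CORP\jdoe is assumed to be
--    a Windows login known to the server and a member of CORP\AppUsers.
EXECUTE AS LOGIN = N'CORP\jdoe';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE', N'CONNECT') AS can_connect,
       HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE', N'EXECUTE') AS can_execute;
REVERT;
```

On the question in the post: no second SQL login is involved when the connection string says Integrated Security=SSPI; the Windows group's own login must map to a database user that holds CONNECT, and that is all the open requires. Separately, the "Application Login" as described holds db_ddladmin, which allows it to create and alter schema objects; a read/write application principal normally needs only the data roles and EXECUTE, so that is worth trimming while the permissions are being reviewed.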

application login , but user security

Hi everybody...please don't flame me for my ignorance.
We are in the process of migrating from a mainframe application using
VSAM files to MICROFOCUS and SQL Server.
Here is the scenario we are at now:
In the mainframe, the application might be able to read and write to the
file, but the write access is controlled by RACF (security software
like Active Directory). In other words, even though USER A can execute
the application, he cannot write to it, because the security software
doesn't allow USER A to write to the file.
In the new environment, our online applications are replaced by a
product called MICROFOCUS ES_MTO. ES-MTO connects to SQL Server via an
application userid (let's say APPL1). USERA logs in to ES-MTO
using login id USERA, but then ES-MTO connects to SQL Server using
APPL1. APPL1 has read/write authority on the tables. USERA should be
able to execute the application, so he can read the table, but
shouldn't be able to write to it.
The application is however a read/write application.
I hope I was clear enough on my scenario.
What I am hoping to find out is, how can I still use SQL Server to check
permission using the real user login id, when the application uses the
application userid to connect?
Am I making sense?
Any help or input is greatly appreciated.
Thanks

SQL Server security context is determined by the login used to connect to
SQL Server or an application role enabled after the connection is made. If
ES_MTO uses a single login, you won't be able to implement a SQL Server
security model that allows you to control access based on an individual
user's identity unless your application code can conditionally enable an
application role. I know nothing about ES_MTO so I can't comment on whether
or not that approach is feasible. You can read about application roles in
the SQL Server Books Online
Hope this helps.
Dan Guzman
SQL Server MVP

sql rookie wrote:
What I am hoping to find out is, how can I still use sqlserver to check
permission using the real user login id , when the application uses the
application userid to connect ?
Am I making sense ?
My response:
I am unsure what you mean by using 'sqlserver to check permission using the
real user login id'?
If you set up the security on the MicroFocus environment using SQL Server
security (uid and password), this userid can be granted R/W access to the
tables while the real user id will not be granted them. You can then control
access to writing/updating the tables via the application. If you want/need
to have the user be able to read the information outside of the application
(Access linked tables, Excel Queries, etc.) you can grant the 'real user id'
read access to the tables/views.
Does this cover your question?
Mike
--
Mike Mattix
CP Kelco, Inc
Okmulgee, OK

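Added example, not from any of the posts above and not a description of what ES_MTO can do: one way, on SQL Server 2005 or later, to keep the single application connection (APPL1) while having the server itself enforce the real user's rights. The application principal is granted IMPERSONATE on the end user and switches context for each request with EXECUTE AS USER, so a write attempt on behalf of USERA is refused by SQL Server rather than by application code. The database LedgerDb, the Accounts table and the passwords are assumptions; whether the ES_MTO layer can be made to issue the EXECUTE AS/REVERT pair is the open question Dan raises and is not answered here. On SQL Server 2000 the equivalent would be Dan's suggestion, a read-only and a read/write application role activated by the application according to who logged in.

```sql
-- Added example, not from the thread.  LedgerDb, Accounts and the passwords
-- are assumed; APPL1 and USERA are the names used in the question.
USE LedgerDb;
GO
CREATE TABLE dbo.Accounts (AcctNo int PRIMARY KEY, Balance money);
INSERT dbo.Accounts VALUES (1, 100.00);
GO
CREATE LOGIN APPL1 WITH PASSWORD = 'App1!Secret', CHECK_POLICY = OFF;
CREATE LOGIN USERA WITH PASSWORD = 'UserA!Secret', CHECK_POLICY = OFF;
-- for a domain account instead: CREATE LOGIN [CORP\USERA] FROM WINDOWS;
CREATE USER APPL1 FOR LOGIN APPL1;
CREATE USER USERA FOR LOGIN USERA;
GO
-- The application principal keeps read/write, as in the question ...
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Accounts TO APPL1;
-- ... the real user gets only what RACF would have allowed ...
GRANT SELECT ON dbo.Accounts TO USERA;
-- ... and APPL1 is allowed to run work under USERA's identity.
GRANT IMPERSONATE ON USER::USERA TO APPL1;
GO
-- What the application layer would issue on its APPL1 connection for a
-- request made by USERA (simulated here from a sysadmin session).
EXECUTE AS LOGIN = 'APPL1';
    EXECUTE AS USER = 'USERA';                  -- switch to the real user
        SELECT USER_NAME() AS effective_user;   -- USERA
        SELECT Balance FROM dbo.Accounts WHERE AcctNo = 1;   -- permitted
        BEGIN TRY
            -- dynamic SQL so the permission failure is always catchable
            EXEC sp_executesql N'UPDATE dbo.Accounts SET Balance = 0 WHERE AcctNo = 1';
        END TRY
        BEGIN CATCH
            SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;   -- 229, UPDATE denied
        END CATCH;
    REVERT;                                     -- back to APPL1
REVERT;                                         -- back to the original session
```

The REVERT is the important half: if the application forgets it, the connection stays as USERA for the next request. Two caveats a practitioner should know: an EXECUTE AS USER context is trusted only inside the database it was established in, so cross-database work under the impersonated user needs more setup, and ORIGINAL_LOGIN() still reports APPL1, which is what you want in audit records.
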
Monday, February 13, 2012

Apparent Security violations recorded in Event Viewer

I am receiving the following event in the event viewer. I
believe that it is from hackers trying to execute Sql
Statements against my Sql Server to gain access to my
website. I only have port 80 open via my firewall, so I'm
confused as to how they are getting in. Does anyone have
any suggestions?
Any help, ideas, suggestions would be greatly appreciated.
Pat Rogers
Event Type: Information
Event Source: ODBC Error (388221)
Event Category: None
Event ID: 0
Date: 7/21/2004
Time: 8:44:23 AM
User: N/A
Computer: P6-CR2-SVR
Description:
The description for Event ID ( 0 ) in Source ( ODBC Error
(388221) )
cannot be found. The local computer may not have the
necessary registry
information or message DLL files to display messages from
a remote
computer. The following information is part of the event:
Message Text:
=============
SQL Selected Record is invalid: - 00000.

Pat,
I would at least make sure that you record all failed access attempts. This
can be done by properties - Security tab - Audit level and check Failure.
This way you can see who is trying to get access.
Chris Wood
Alberta Department of Energy
CANADA

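Added example, not from either post: Chris's advice carried out from T-SQL rather than the Properties dialog, followed by a query that summarises the failed logins the audit then produces. Note that the event Pat pasted is logged under an application-defined source ("ODBC Error (388221)") with a message the server cannot resolve, so it is the application reporting a bad record, not one of SQL Server's own login-failure events; failure auditing is how you find out whether anyone is actually reaching the instance. Requires sysadmin. The registry write is the SQL Server 2000/2005 equivalent of "Audit level: Failure" and takes effect after a service restart; the xp_readerrorlog search argument and the "[CLIENT: ...]" suffix in message 18456 are SQL Server 2005 and later, so on 2000 read the ERRORLOG file directly for the second half.

```sql
-- Added example, not from the thread.  Requires sysadmin.
-- 1. Equivalent of Properties > Security > Audit level: Failure.
--    AuditLevel 0 = none, 1 = success, 2 = failure, 3 = both.
--    xp_instance_regwrite adjusts the key path for a named instance; the
--    setting takes effect after the SQL Server service is restarted.
EXEC master.dbo.xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel', REG_DWORD, 2;
GO
-- 2. Once auditing is on, each failed login is written to the SQL Server error
--    log and the Windows Application log as message 18456.  Summarise the
--    current log (0) of the SQL Server log (1, as opposed to Agent) by login
--    and client address.
CREATE TABLE #log (LogDate datetime, ProcessInfo nvarchar(50), Msg nvarchar(max));
INSERT #log EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- Keep only rows with the shape:
--   Login failed for user 'x'. Reason: ... [CLIENT: a.b.c.d]
-- so the SUBSTRING arithmetic below never sees a missing delimiter.
DELETE #log
WHERE Msg NOT LIKE 'Login failed for user ''%''%'
   OR Msg NOT LIKE '%[[]CLIENT: %]';

SELECT login_name, client, COUNT(*) AS attempts,
       MIN(LogDate) AS first_seen, MAX(LogDate) AS last_seen
FROM (
    SELECT LogDate,
           -- text between the first pair of single quotes
           SUBSTRING(Msg, q1 + 1, CHARINDEX('''', Msg, q1 + 1) - q1 - 1) AS login_name,
           -- text between "[CLIENT: " (9 characters) and the closing bracket
           SUBSTRING(Msg, c1 + 9, CHARINDEX(']', Msg, c1) - c1 - 9)      AS client
    FROM #log
    CROSS APPLY (SELECT CHARINDEX('''', Msg)      AS q1,
                        CHARINDEX('[CLIENT: ', Msg) AS c1) AS p
) AS parsed
GROUP BY login_name, client
ORDER BY attempts DESC;

DROP TABLE #log;
```

A client address that appears with many attempts against several login names, or against 'sa' alone, is the pattern worth acting on; one or two failures from an internal address are usually a misconfigured ODBC DSN. If the summary stays empty while the Application-log events continue, the traffic is reaching the web application on port 80 and not the database listener, which is the distinction Pat's firewall observation points at.
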
Sunday, February 12, 2012

API for Roles

Hi,

Do we have an API for creating Roles? I want to build a UI instead for filling in the roles I will set for my cell security depending on who accesses the cube.

cherriesh

You can use the AMO library for creating roles from .Net or you could build the raw XMLA commands and send them using something like the ascmd sample.