My Snowflake account has been disconnected from duo and I have now lost all access to my snowflake environment. I'm trying to get hold of support but I the automated service wont validate my account and I don't have a Sales person I can talk to.
How can I get back access to my account??
Related
Is there a way to detect and monitor that a service principal is only being used from a specific set of IP addresses? I do not want to IP restrict my entire directory. I have premium AAD and I think it has features that I might be able to utilized but I cannot do much testing. I’m currently struggling on how to detect if a SP has been jeopardized and how to prevent it.
If you want to use IP as conditions for the user to sign-in, you could use Conditional Access to make it. But the Conditional Access is used for the entire tenant.
And the features of Azure Active Directory Premium includes:
Company branding
Group-based application access
Self-service password reset
Self-service group management
Advanced security reports and alerts
Multi-Factor Authentication
Forefront Identity Manager (FIM)
Enterprise SLA of 99.9%
For the details, please read here.
We have MS SQL Server 2012 in production use and MS AD.
Let me explain in short what our concept of assigning user permissions is like.
For certain user group that has some access to a certain application we create AD group and assign AD users to it. Since this application needs to access data in other DB, we add that group to that DB as well and set access/execute rights to needed objects (either specific object or schemas).
Since certain people use other applications and DBs, they are added to other AD groups as well. Those groups, by no surprise, need to access some objects to second database too.
So we have situation when certain users are in few different AD groups with different accesses to the same objects in a DB. That causes lots of "strange" behaviors when, all of a sudden, some user gets denied access to objects in DB.
My questions are:
Is there any way to find out with which privileges (through which AD group) some user got access/denial for certain sql query that was triggered from application?
Can someone explain how sql server handles privileges in such environment?
I'm open for any suggestions on how to handle/set accesses differently altogether but not involving reprogramming applications (only DBA site).
Thank you.
Assuming that you're an admin, you can look at sys.login_token, sys.user_token, and sys.fn_my_permissions() while impersonating the user in question to get some idea. Something like:
execute as login='yourDom\User1';
select * from sys.login_token;
select * from sys.user_token;
select * from sys.fn_my_permission('dbo.someObject', 'OBJECT');
revert;
My objective is to prevent direct user access to the database server. One way is to create a WCF service or web service in the middle between the front end application and the database server.
First of all, the users will be authenticated to the application. Subsequently the application will connect through the WCF service to perform business logic operations. The WCF service will perform the database related operations by using one windows account. This will prevent other users to directly access the database server, since the permission will only be granted to specific one windows account.
Here are my questions : Even though the database access is only granted to one windows account and the WCF will use this windows account to perform database related operations, is it possible to mark all database related operations with the credential of the logged in user ?
Update
Thanks for the replies. Seems like the above scenario is not achievable. I am currently exploring the SQL 2008 Application Role feature. One of the example is here. But after further exploration, apparently there is an issue with the connection pooling.
Update
There is a stack overflow thread here regarding SQL Server Application Role
You'd have to have every user set up in sys.server_principals to enable context switching like EXECUTE AS which would mean that they have direct db access anyway.
If you enabled kerberos/delegation, the same applies. Links One and Two
You'd have to pass in the user name as a parameter on each SQL call, or use CONTEXT_INFO perhaps.
Note: every MS Office user has MSQRY32.EXE which acts as a query tool. If you want no direct DB access, then you need to ensure there are no permissions set or granted
Depends.
If your database and WCF service are on the same box and you do a lot of jiggery pokery to impersonate then it is possible. As soon as you move your DB to another box then it stops working.
This is a known limitation and the reason is impersonation will create a token which will get you to a box but this is not passable to another box. I tried to find the Q&A where MS guy had answered but still havent been able to. Whenever I find it, will update.
We have a system using two machines to do some processing. Let's call the machine that does the processing PROCESSOR, and the machine giving it items to process SERVER. Both are running Windows Server 2008. We have one Windows Service running on SERVER which needs to use MSMQ to send messages to a public queue PROCESSOR.
On PROCESSOR, we have another Windows Service which pulls items from the queue for processing.
The two machines are in the same domain, and all works fine if we run both services under accounts with domain admin privileges. However, we need the accounts to have the minimum privileges possible (particularly for the service on SERVER).
Before elevating the rights of the account we're using for the service on PROCESSOR, I tried giving it full rights to MSMQ. However, this didn't seem to be enough, and as soon as the service tried to do anything with MSMQ (first thing it does on starting is to check if relevant queues exist), I got an exception saying "Access to Message Queuing is denied".
Does anybody know what permissions need to be granted to an AD account in order for it to be able to use MSMQ?
Thanks,
Andrew
Run your service under a defined system account, like (I believe Network), then set the permissions on the MSMQ to full control for that.
When I've used this in the past I just cheated and allowed access to "Everyone". But in a domain setting the best way is to create a domain user and set that for the service and permissions on the MQ.
You need to set permissions on the objects in Active Directory.
So you'll need Get Properties permission if you are querying objects, for example.
This should be on the MSMQ object under the computer object and the queue object(s) under the MSMQ object.
Also, the defaults are going to be restricted to allowing everyone to send but not receive so you will need to add that access for the domain account you are using to be able to read messages.
I have a database which users should not be able to alter data in unless they use the specific app. I know best practice is to use windows authentication however that would mean that users could then connect to the database using any other data enabled app and change values which would then not be audited.
Unfortunately SQL 2008 with its inbuilt auditing is not available.
Any ideas how to ensure that users cannot change anything unless its through the controlling app?
Use whatever means for users to log in. Windwos authentication encouraged.
make sure the user has no rights to change any data ;)
The application then, on the existing connection, post-authorized using application roles.
More info on that is on http://msdn.microsoft.com/en-us/library/bb669062.aspx
Basically the application can get a separate sets of rights by using an application password (that sadly has to be coded into the application - use sensible means to protect it), replacing the limited rights the user has with more rights for itself.
I would ask you to consider using an application server, but if you have a classical client/server architecture that is as good as it gets.