I understand that the reason mixed mode allows login with Windows authentication is for security purposes. My boss asked me to create a setup.exe that installs:
our medical software
SQL Server 2008 R2
SQL Server Management Studio
The install is fully automated with limited user input. SQL Server and the SSMS are implemented with a config file. sa and serviceRXuser (strong passwords) are SQL Server authentication logins.
I don't want my clients to have access to our database, because editing drug data could be potentially life threatening. And yes, we have had clients alter things in our database... causing application errors that required re-installation.
Is there any way to, at least, limit access to keep end-users from editing the data? Preferably a T-SQL command so I can keep automation. If not, is there any way to hide the database?
first of all, don't share SA password (on any strong user password) with your clients :)
Your app is running on client machines and coonnect to SQL via ODBC?
hmmm.... it is hard, because the users can use Your ODBC connection from ACCESS and EXCEL too. Can you change Your app to don't use ODBC?
If You grant ONLY exec rights on stored procedures to serviceRXuser (don't need DB_DATAREADER or any other rights), then clients can't do anything, only what You can handle in SP-s. You can send an encoded parameter to every SP, and decode is wrong, raise any random error SQL ;) Users can't create this encoding from excel/access ;)
Related
I have two databases on the same SQL server. One for an ERP database that I am able to read tables and one I created in MS Access. A store procedure on the MSAccess database is updating some tables from the ERP DB. The MS Access DB from here on is independently running.
When I installed on other computers, the Access Database is giving me a connection error when I am logged in as another user than myself.
- Are permissions from the ERP database affecting me in my Access Database? Should I worry about them?
- Is Windows Authentication enough to make the connection happen?
- Do I need to Map the users over from the ERP database?? if so, how do I do it?
- Can I grant every user on the Server permission to access my tables using Windows Authentication? do I need to go down this road? How do I do it?
I am just not too sure what to do from here on. Here is some more information about the issue.
-In my database I have a ODBC stringconnection that looks like this:
Driver={SQL Server Native Client 11.0};Server=SERVER;Database=DATABASENAME;Trusted_Connection=yes;
-I am packaging an exe file using SSESETUP which is awesome.
-I am installing on the new computer and able to launch when I am logged on as myself however, I am getting a connection error when I am logged in as another user on the same computer. (Note: I am not able to debug from here on and see the vba because I am running under Access runtime 2013 only.)
I would appreciate if someone can assist me in narrowing my search for a solution.
Bottom line, it sounds like you need to set up database permissions on your SQL Server for each Windows account that will be using your Access db.
Here are specific answers to your questions:
Are permissions from the ERP database affecting me in my Access
Database
Yes, of course they are. Regardless of how you connect to the database the permissions will always be in effect.
Should I worry about them?
Yes, of course you should. Otherwise you won't be able to work with the data.
Is Windows Authentication enough to make the connection happen?
To make the connection, yes. SQL Server supports Windows authentication in both security modes (Windows only and mixed mode). But, this is just the connection. You also need to take the database permissions into consideration. Your Windows login needs to be granted the appropriate permissions within the specific database in order to do anything.
Do I need to Map the users over from the ERP database?
Map to what? Access? Based on the connection string in your question you're using Windows authentication to connect Access to SQL Server, so Access will connect to SQL Server under the security context of whoever is running Access. So the SQL Server permissions will need to be configured for each user who will be running your Access db.
Can I grant every user on the Server permission to access my tables
using Windows Authentication?
Access to the SQL Server tables? Sure, you could. But you should limit it to only the necessary permissions. Granting access for everyone is likely overkill and not best practice.
I am trying to set-up/test SQL Server row-level security for my database. I want to use row-level security for SSRS reports and Power BI. The database is set up on my test PC using SQL Server Express with SSMS.
On my test PC I have set up a separate account -- separate from the user under which I established the SQL Server and database. I believe I have set-up the SQL Server level permissions and database level permissions appropriately(?) for the separate user.
I go into the separate user account and continually get the
Server principal **** is not able to access under current permissions
message in SSMS and cannot access the data in the SSRS localhost website.
Is the separate user, established on the same PC, not considered to be in the same domain as the PC user who established the database? Is that what is causing the problem? If so, how can that be overcome? If not, any ideas what my problem might be? Is there some constraint in SQL Server Express that I need to establish the database using a SQL Server Developer edition?
I prefer not to wait until the database is established on the system test server to determine how this will work. Many thanks for any thoughts or suggestions.
I have a server (2008R2) that has little Access (2010) databases relevant to departments and their needs. I have a new EHR server (2008R2) running SQL (2008R2) servers and am able to establish an ODBC connection between the two. I created the ODBC using the SA / SA password to the SQL Server.
As an administrator, I can log in to the Access database and run queries and reports based off of tables linked back to the SQL DB. No one else can. I did save the password when I created the External table link in Access. My Sys Admin - also Administrator, cannot run queries or reports logged into the Access database server for this DB.
On this particular SQL Server, I am not an admin under my login. I have to use the SA account to login to the backend or through the Management Console.
I need to have the EHR managers run their own reports. Does anyone have any experience with why the ODBC would not be allowing a connection for anyone but me when the connection is server based?
What Gord Thompson said is important. Access is not a database server and its engine runs on the client machine which will need copies of whatever DSNs are used.
But the problem of getting Access to 'remember' credentials is something I recall struggling with in Access 2000. My solution was to create a dummy pass-through query (anything that will run quickly) that stores the credentials. When a new client session starts, first call the dummy query and for the duration of their connection, they'll have access to the DSN in question.
The Oracle Wallet Manager allows admins to store and manage database login credentials securely by wrapping the them in a password-protected container. I have used this in the past to run VBScripts that update tables in an Oracle database, without prompting the user for a password or storing the password in cleartext in the script itself.
Now, I have written some Powershell scripts that update a SQL Server database, but I have had to store the passwords in cleartext in the scripts.
I was wondering if there was an equivalent to the Oracle Wallet feature in SQL Server? Or would I have to store passwords in a text file and encrypt it using Powershell's ConvertFrom-SecureString? I'm looking for a secure and flexible solution.
The easy way for one-off scripts, accessing specific databases, is to use scheduled tasks. You set them to run as a specific account which has the appropriate permissions, then you don't have to worry about SQL Logins or passwords.
If you want something similar to Oracle's Wallet manager, then you should look at Credentials, and Proxies in MS SQL server.
See: Security Questions: Logins Credentials and Proxies
The Credential allows you to store and manage Login information.
A proxy is used by SQL Server Agent to map credentials to SQL Server Agent subsystems (i.e. PowerShell or SSIS).
Here is a link to a detailed guide on creating Credentials and Proxies and: Run Operating System Commands in SQL Agent using PowerShell
This is rather embarrassing, but I accidentally deleted my Windows account from the list of SQL Server 2008 users and I cannot for the life of me figure out how to re-add myself now that I don't have login privileges.
The server is running on my machine and the only other Windows users with access are IUSR, NETWORK SERVICE and SYSTEM. Is there anything I can do short of re-installing?
I also recently deleted my windows account from my local development 2008 server. I was able to use SQL server's Single User Mode to recreate my login and add it to the sysadmin role. It took just a few minutes, and I didn't have to admit my terrible error to anyone.
From MSDN:
Starting SQL Server in single-user mode enables any member of the
computer's local Administrators group to connect to the instance of SQL
Server as a member of the sysadmin fixed server role.
Here's how I reinstated myself:
Exit out of SSMS
Stop any SQL related services. I had to stop Reporting Services. Other SQL services such as SQL Agent will also use up your one, valuable connection.
Stop the SQL service
Start the SQL service with the extra parameter -m. This will put the SQL into Single User Mode. This means that SQL will only accept one connection.
Use sqlcmd to connect to your server with the -E trusted connection option. SQL will accept you into the sysadmin role if you're a local administrator.
In the interactive session, create your login and add to the sysadmins role.
USE master
GO
CREATE LOGIN [domain\username] FROM WINDOWS WITH DEFAULT_DATABASE=[Master]
GO
EXEC sp_addsrvrolemember #loginame=N'domain\username', #rolename=N'sysadmin'
GO
Stop the SQL service, remove the -m parameter and restart the service. You should now be able to go back into SSMS and continue using the server normally.
If you get the message:
Login failed for user 'domain\username'. Reason: Server is in single user
mode. Only one administrator can connect at this time.
Then there is something using your single connection. You'll need to find that service or connection and stop it before you can log in. Check SQL Agent, SQL Reporting Services, SQL Analysis Services etc.
Luckily, this wasn't too hard to fix (not that it should have been hard...)!
This blog post explains the steps for starting SQL Server in Single User Mode, which (for some reason) allowed me to login as my Windows administrator account, add the account to the user list (with CREATE LOGIN), enable the SA user and set its password to something I actually knew, and finally login as SA and give the Windows account sysadmin privileges.
Edit 07/05/13: Try this link instead.
Often SQL Server is installed so that any any local administrator is a SQL Server sysadmin.
If this is your case you can run Management Studio as administrator and then add any other windows user as a login in the Security section.
This solution worked for me.