A simple way to check vulnerability status of your SQL SERVER database

Posted on by indiandotnet

As a product owner, you always worried about the different security aspect of your application and SQL Server Database is one of the main important parts for which you might worry.

And you always think there should be some kind of checklist which you or your team have to check whether your database is secure or not and find all the vulnerabilities.

And obviously you might have purchased different tools to this assessment as well who will provide you security loopholes but when we talk about Database the option is limited and some options are very costly.

With SQL SERVER 2017 latest  SQL Management Studio your one of the problem will be resolved cross-check your database vulnerability.

You heard it right. Although, this feature is already available in SQL Azure but now you can do this assessment of your database using SQL Server 2017’s  management studio.

This vulnerability assessment report can be generated on the database with few simple clicks and you will get different High, Medium , Low risks of your database.

The vulnerability assessment report not only provide risks details but also help you to identify which category  of it and this will not stop here you will get a recommendation as well to fix those problems. Sometimes , you will get direct scripts which you can run to fix those issues and sometimes you will get the links on how to implement those.

Let’s understand this by step by step action.

Before starting to make sure you have SQL Server 2017  Management  Studio’s latest version.

Step 1: Once you opened the SQL Server management studio right click on the database which you want to cross check.  in this example, I am using the AdventureWorks database. As shown in the below figure.

Indiandotnet_Vulnerability_Assessment_1

Here you have 2 options either Scan for Vulnerabilities or Open Existing Scan

Step 2: Now, as we are doing it the first time so click on Scan for Vulnerabilities option. and you will get the following screen where you can provide the location of scan file.

Indiandotnet_Vulnerability_Assessment_2

Step 3:-   Just click on OK button to proceed further and wow you will get all the loop holes of your database.

You can easily check what are different points on which your Database is failed with risk Assessment.

Indiandotnet_Vulnerability_Assessment_3

As shown in the above figure , we have 6 check points on which our database failed  in which 1 is on high risk , 3 medium risk  and 2 Low risk.

And if you see carefully there are different categories as well like data protection, Authentication and Authorization, Surface Area Reduction etc.

Here as the name suggest Data Protection is mostly related to encryption of your sensitive data like SSN, DOB etc or TDE.

Authentication and Authorization  is more relation to login access of the database.

Surface Area reduction  is more related to what extra option you have opened .

Step 4:- Now, move a step further and click on any row in the grid. You will find the details of the row just below the grid. As you can see in below image when we click on data protection it suggesting the column names which come under extra care and to on which we might think to apply encryption.

Indiandotnet_Vulnerability_Assessment_4

Step 5:-  The story does not end here, for some of the problems this assessment report provides script as well and if the script is not possible then provide a reference link to resolve that issue.

As you can see in below screen we are getting recommendation scripts to apply.

Indiandotnet_Vulnerability_Assessment_5

Isn’t it cool and simple to assess your database’s vulnerability in a few clicks and secure your database?

Share your thoughts.

Happy learning !

How to create your first SQL SERVER WINDOWS VM with in Alibaba Cloud computing–Step by Step

Posted on by indiandotnet

In the last post, we reviewed the ECS (Elastic Computing Service) Of Alibaba Cloud. Now, In this post, we will try to create our first SQL SERVER windows server within a few basic steps.

Here the best part is you can go with either PAY-AS-YOU-GO or monthly subscription and choose any operating system, configuration depends upon your need and budget.

Prerequisites:- You should have Alibaba Cloud account.

Once you sign in with your username and password then follow below steps.

Step 1: After login click on the console option as shown in below figure

ECS_Indiandotnet_0

Step 2:- You will get the Dashboard screen. Here You have to click on Products and select Elastic compute Service as shown in below screen.

ECS_Indiandotnet_1

Step 3:-  You will get below screen where you will find your existing resources in the specific region in the middle.

ECS_indiandotnet_2

We can also view all existing instances from Instances menu option on the left-hand side. so just click it.

Step 4:  Here as you can see below on the screen. You will get the list of all the instances as a tabular list in the middle. You can change the region from the upper left option of the region.

ECS_Indiandotnet_3

As we have to create a new instance of Windows server with SQL SERVER configuration so just click on Create instance as shown in the above figure.

Step 5:- As you click the button you will find the below screen where you can define your own configuration & operating system from the available list.

So, let’s start from the top where you need to select the Billing method which could be Subscription basis or Pay AS You Go basis depends upon your need you can avail this.

ECS_Indiandotnet_4

In the next step, you have to select the region. Which is again depends on your product need. For example, I am in India and creating a product for Indian Market so, I have selected Mumbai region (Asia).

After selecting the region you have the option to select the CPU and RAM. Just to let you know here if you go for Subscription basis then there might be some extra option for CPU or RAM. here in our example, we are going with PAY AS YOU GO option so we have some less option for CPU but it is more than enough.

Step 6: Once the CPU & RAM is finalized in the next step we have to choose the operating system. Here we have a public image, custom image, shared image & Marketplace image option.

As most of the time Marketplace have an image which we required so we can use as is if required else we can create a public image or use other option which is available.

ECS_Indiandotnet_7

Here in this example, we are using marketplace image

ECS_Indiandotnet_08

So, just click on Select from Image market. when you click this option you will get a pop window with various pre-built image option where some of them are free and some of them are not free.

For the current demo, I am using a free image as shown in below screen.

ECS_Indiandotnet_09

Step 7:- After selecting the image the next step is to choose the Hard Disk. Where we have 2 options ULTRA CLOUD & SSD CLOUD disk

ECS_Indiandotnet_10

Now, It again depends upon the cost and performance matrix which one would you like to have on your machine. I am selecting ULTRA cloud disk 40 GB for the demo.

Step 8:- Now once this is done in the next step you have to check the Network billing method. Here you have to define network bandwidth depends upon your need.

windowserver3

Apart from this as you can see for security reason you can open or close the port as per your need. some common port configuration can be done here like 80,443 etc.

Step 9:-  You are almost done. On the next screen, you will see the existing configuration and here you have 2 great features

ECS_Indiandotnet_11

1) You can save the current configuration template which you can launch later if required.

2) You can configure the release of the resource as well for example the current configuration which I am doing will be autorelease at the specific time.

Step 10:-  Once you have done with this step and accept the term and condition you are good to go and you will be redirected to Instances page.

ECS_Indiandotnet_12

Here you can see your recently, created instance is available. Once it is started. In the next step you can access the machine, by clicking more option, apart from this you can reset the password and release the resource at any time.

Step 11:- Just click on connect and provide proper username & Password which you set for VM.

windowserver5

I hope you enjoyed the setup of the machine in 10 easy steps.

In the next blog, we will see something more interesting in Alibaba Cloud.

A big issue when try to Alter user define table type structure TIP #108

Posted on by indiandotnet

 

I hope all of you aware of  User define table type (a table value parameter) which we discussed earlier in TIP #57.

Now recently one interesting incident happened. We are using a user define table type in few stored procedure and due to some business requirement change we need to change /update data type of a particular column from TINYINT to SMALLINT.

Now this change was seems very simple you just need to change a column’s data type  but when you are going to do this, you will find this is not pretty straight forward (if the User define table type is referred in different tables).

If you go through standard steps you need to follow below steps (for  a column data type change)

1) Create a new User define table  type

2) Replaced old User define table  type with new user define table type in each stored procedures

3) Remove old User define table type.

And , I would like to say a big thanks  Mr.Norlado  who post an alternative on stackoverflow

below is the alternative steps

1) Rename the existing table type with following command

EXEC sys.sp_rename ‘dbo.StudentTableType’, ‘zStudentTableType’;

2) Create Table type with your  changes which you want


CREATE TYPE dbo.StudentTableType AS TABLE(
    StudentId INT NOT NULL,
    Name VARCHAR(255) NOT NULL,
    ClassId SMALLINT — changed from tinyInt to smallint
);
3. Update the reference in sql entities

DECLARE @Name NVARCHAR(776);

DECLARE REF_CURSOR CURSOR FOR
SELECT referencing_schema_name + ‘.’ + referencing_entity_name
FROM sys.dm_sql_referencing_entities(‘dbo.StudentTableType’, ‘TYPE’);

OPEN REF_CURSOR;

FETCH NEXT FROM REF_CURSOR INTO @Name;
WHILE (@@FETCH_STATUS = 0)
BEGIN
    EXEC sys.sp_refreshsqlmodule @name = @Name;
    FETCH NEXT FROM REF_CURSOR INTO @Name;
END;

CLOSE REF_CURSOR;
DEALLOCATE REF_CURSOR;

4. Now drop the renamed table type

DROP TYPE dbo.zStudentTableType;

This 4 steps helped me a lot.

I hope this may help you as well.

Enjoy!!!

RJ!!!

An interesting way of aliasing TIP#107

Posted on by indiandotnet

I recently gone through something and found a unique way of aliasing. I thought it must be share so other techies also aware of it (or might be you already aware of it).

See below example

SELECT *
FROM (VALUES (‘Rajat’,30),
             (‘Sandeep’,40),
             (‘Sunil’,35),
             (‘Shreya’,50),
             (‘Virendra’,45)) AS T(Name,Runs)

aliasing

Now when you it  you will get following result

Aliasing_result

I hope you may like this tips.

Enjoy!!!

RJ!!!

Kill–use this weapon carefully in SQL SERVER . TIP #90

Posted on by indiandotnet

When we heard “Kill” then first impression of this word is very bad. We always scare with this word.

In real world we never want this action  from anyone but in SQL Server case it is very helpful and help us many times.

This feature we can use but very carefully. It is something like we have to kill a cruel giant not the common innocent person.

Lets understand this by an example.

Suppose we wrote a stored procedure or function and by mistake we wrote a condition which is never ending. We didn’t realize this and when we run the stored procedure/function the SQL Server hangs , system is slow and many other issues occur and our stored procedure which we run still running and laughing on us.

In such situation we have to kill that particular stored procedure execution statement which is cruel giant and eating the resources.

See below statement

WHILE 1=1
BEGIN
  SELECT ‘Infinite Loop’
END

It is never ending loop. and it is running on our SQL SERVER and will never stop.

Now first step is to Identify the process id for this statement for this we can use either sp_Who or sp_who2 which we discussed in TIP #82.

Now when we run it you will find on Database “IndiandotnetDB” we have a SPID 53 which is last statement on below image. This SPID 53 is reference of above while loop which we have to stop any ways.

sp_who2_Inadiandotnet

Now we know SPID so we can stop or KILL  as shown below the syntax is very simple of KILL

KILL SPID

Kill_Process_Indiandtnet

Now we are good to go.

Note: Please use this KILL statement very carefully.

I hope this tip will help you some where to KILL or stop SQL SERVER enemies.

Enjoy !!!

RJ!!!

PWDCOMPARE–a hidden function of SQL SERVER TIP #88

Posted on by indiandotnet

 

I the last tip TIP#88 we saw how to encrypt a password. Now in this tip I would like to share how to check encrypted password ?

Means once you stored your encrypted password in database now next step is to compare that particular password with your input password and return results accordingly.

The Syntax of the PWDCOMPARE   is very simple

PWDCOMPARE(‘Password plain text’, ‘Password encrypted form’)

This function return 1 if plain text and hash value  are matched else return o.

For example

Lets suppose we have created a table with 3 columns like userId, username and password

as shown below

DECLARE @tblLogin AS TABLE (UserId INT IDENTITY,
                            Username  VARCHAR(100),
                            EncryptedPassword NVARCHAR(MAX))

Now suppose we have inserted 2 rows in to it wit encrypted password

INSERT INTO @tblLogin VALUES (‘Indiandotnet’,PWDENCRYPT(N’MyPassword’))
INSERT INTO @tblLogin VALUES (‘SQLRaaga’, PWDENCRYPT(N’Test’))

Now, Suppose we have want to write a query which return rows from @tbllogin whose password is Test then it should return SQL Raaga for this

I have to write following query

SELECT * FROM @tblLogin WHERE PWDCOMPARE(N’Test’,EncryptedPassword) = 1

For detail  take a look of below snap

PWDCompare_Indiandotnet

 

I hope you understand with above provided  example.

 

Enjoy !!!

RJ!!

How to Encrypt password in SQL Server ? TIP #87

Posted on by indiandotnet

Security is always a concern for every database developer. How to secure valuable information is one of the major and important aspect.

The first approach toward security to have a strong username & password and the next step is to have password in encrypted form.

Now this article will help you to encrypt your password in hash. Isn’t it interesting ?

So SQL Server provided a function by using that particular simple function we can encrypt a password from plain text to hash.

The valuable function is PWDENCRYPT.  By the name it is clear that it will crease the password.

The syntax is very simple PWDENCRYPT(N’String which you want to encrypt’)

see below snap for more detail.

PWDEncrypted_Indiandotnet

I hope this tip help you to secure your password.

Enjoy !!

Thanks

RJ

How easy to determine table dependencies ? TIP # 86

Posted on by indiandotnet

 

Determine the table dependencies is challenging sometime but we can easily resolve this by using a simple stored procedure which  SQL Server provides.

By using this stored procedure we can easily determine all the dependencies of particular table.

The stored procedure is sp_msdependencies

We can use this stored procedure as shown below

Execute sp_msdependencies ‘tableName’

For example I am using Adventureworks2012 and I want to know the dependencies of product table then I have to write following command

Use AdventureWorks2012
Go
EXEC sp_msdependencies ‘[Production].[Product]’
GO

When I run this command I get result as shown in below figure

sp_msdependecies_Indiandotnet

I hope this tip may help you somewhere.

Thanks for reading.

Enjoy !!!

Rj !!!

“sp_helptext“ – Useful command to view detail TIP #85

Posted on by indiandotnet

 

It might be already known to you but I thought for sharing because I frequently use this command and it is very useful command.

When someone wants to determine detail of a function or stored procedure he/she can use this useful command.

The syntax is very simple. Just write

sp_helptext Storedprocedure/ functionname

For example If I want to determine detail of a stored procedure “proc_FindStudentUsingCorrect” then I have to write following command

sp_helptext proc_FindStudentUsingCorrect

see below snap for detail

sp_helptext

 

You can now copy the result text and check what exactly written in the stored procedure or function.

I hope you will use it in your day to day practice.

Enjoy!!!

RJ

How to determine free space on each fixed drive of server machine using SQL SERVER ? TIP #75

Posted on by indiandotnet

 

When you do  SQL Server maintenance one of important aspect is available space on server drive because your SQL SERVER data is dependent on space Smile.

Now what you need to do to get free space from each drive ?

Just create a simple job which run on daily basis which send you space report on daily basis.

This available space report help you to prepare yourself for next step.

The job will content a simple SQL statement which is

EXEC MASTER..xp_fixeddrives

When you run this command in your SQL Management Studio you will get a tabular result which have 2 columns which is drive & Free space in MB.

As shown in below figure

fixed_drive_space_by_Sql_server_indiandotnet

I hope this might help you somewhere.

Thanks & Enjoy!!!

RJ!!