I noticed that SQL Server Profiler includes an event when I use a deprecated feature:
Occurs when you use a feature that will be removed from future version of SQL Server, but will not be removed from the next major release of SQL Server. For greatest longevity of your applications, you should avoid using features that cause the Deprecation Announcement event class or hte Deprecation Final Support event class.
I turned it on and just before any Login event is recorded, I get:
Deprecated encryption algorithm rc4 will be removed in a future version of SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use it. Use stronger algorithms instead.
But I'm not using RC4! I'm not even using AES. I'm using nothing. I'm just connecting to SQL Server.
Or am i?
Bonus Chatter
SQL Server, Deprecated Features Object
Deprecated encryption algorithm
Deprecated encryption algorithm rc4 will be removed in the next version of SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use it. The RC4 algorithm is weak and is only supported for backward compatibility. New material can only be encrypted using RC4 or RC4_128 when the database is in compatibility level 90 or 100. (Not recommended.) Use a newer algorithm such as one of the AES algorithms instead. In SQL Server 2012 material encrypted using RC4 or RC4_128 can be unencrypted in any compatibility level.
Am I even doing anything wrong?
I'm simply opening a connect to SQL Server:
String connectionString =
"Provider=SQLOLEDB;Network Library=DBMSSOCN;Data Source=helium;
User ID=Contoso;Password=correctbatteryhorsestaple"
var conn = new ADOConnection();
conn.ConnectionString = connectionString;
conn.Open()
Even though the description of the event says:
occurs when you use a feature that...
Is it possible it is generated when I'm not using a feature? Is it possible this warning:
occurs when anyone logs in regardless of they are using RC4
and is actually just an announcement? Another application, an ASP.net MVC ADO-EF (a completely different connection technology) gets the same error.
The documentation of other deprecation warnings give when you would see them:
Occurs once per compilation.
Occurs once per query.
Occurs once per use in a DDL statement.
Event occurs once per database start and once per collation use.
Occurs once per use.
Whereas the documentation for this warning doesn't mention when you would see it.
Avoid using this feature in new development work, and plan to modify applications that currently use it.
How do I avoid RC4 in future work, when I can't figure out where I'm using it now?
Profile your 2008 R2 server. Do you get it?
☒ Yes
☐ No
Are SQL Server authentication passwords stored using RC4?
No. SQL Server passwords are not stored using reversible encryption. The passwords are salted and hashed using SHA-1:
hashBytes = 0x0100 + fourByteSalt + SHA1(utf16EncodedPassword+fourByteSalt)
In SQL Server 2012, they switched to SHA2 over SHA-1.
This happens on all my 2008 R2 Servers as well, it seems to happen any time that a connection is made using a SQL login, I can't seem to find any documentation on why this would be the case, I can only presume that internally SQL Server is using RC4 somewhere in the login process, so it's nothing that you are doing in your code.
There aren't any options that I know of to change this behaviour and it doesn't seem to cause any issues so I wouldn't worry about it.
I haven't seen this behavior, however.... when I call a procedure named: verifyPassword 'secret' (for example) the string secret gets commented out by the profiler. Because the string 'Password' triggers some 'pssstttt don't reveal this one' algorithm.
My fair guess that this is also the case when warning for deprecated functions.
Related
I had added the Extended event to track sql calls which is slowing down my system leading to Timeout exceptions and other
CREATE EVENT SESSION [longrunning_statements] ON SERVER
ADD EVENT sqlserver.sql_statement_completed(
WHERE ([duration]>(2000000) AND [database_id]=(9)))
ADD TARGET package0.event_file(SET filename=N'c:\capture\xe_longrunning_statement.xel',metadatafile=N'c:\capture\xe_longrunning_statement.xem')
WITH (MAX_MEMORY=4096 KB,EVENT_RETENTION_MODE=ALLOW_SINGLE_EVENT_LOSS,MAX_DISPATCH_LATENCY=30 SECONDS,MAX_EVENT_SIZE=0 KB,MEMORY_PARTITION_MODE=NONE,TRACK_CAUSALITY=OFF,STARTUP_STATE=OFF)
GO
But i noticed it does not register sql server updates/read queries/procedures calls from Entity Framework but only logged my sql queries run using SSMS.
Any ideas are appreciated
UPDATE:
I use EF6.1 which used i think batches to save data.
Instead of trying to capture sqlserver.sql_statement_completed I would capture sqlserver.sql_batch_completed and sqlserver.rpc_completed for application/API issued queries/stored procedures.
If that does not work then removing the filters(or at least the duration filter (as Andrey is suggesting in the comments) would probably give us more insight on why the queries are not being captured.
Updating an older report system which was developed using VS 2008 and Crystal Reports. After updates, some reports started prompting for database login, while others work perfectly (with updates). Reports were changed to include new table and fields. All table and report document connections are established via common routine, similar to: SetDBLogon(myConnectionInfo, Me.CrystalReportViewer1.ReportSource)
Public Sub SetDBLogon(ByVal myConnectionInfo As ConnectionInfo, ByVal myReportDocument As ReportDocument)
Dim myTables As Tables = myReportDocument.Database.Tables
For Each myTable As CrystalDecisions.CrystalReports.Engine.Table In myTables
Dim myTableLogonInfo As TableLogOnInfo = myTable.LogOnInfo
myTableLogonInfo.ConnectionInfo = myConnectionInfo
Try
myTable.ApplyLogOnInfo(myTableLogonInfo)
Catch ex As Exception
MsgBox(ex.Message)
End Try
Next End Sub
It scans through each table sets the connection. Also scans sub-reports. Not sure what causes crystal reports to request login when it's already set specifically. When correct credentials are provided, it still fails to connect.
I've tried removing the report object and inserting the latest version.
Here's the issue and the solution to this problem (in my case).
Crystal Reports data sources can include, ADO .NET, OLE DB, ODBC, etc... with various drivers. The reports were created with a specific connection and driver, that no longer applied. I used a new database connection. Since the application scans each report and sets the correct connection parameters eventually, this would normally work, and it has worked in the past. But the problem was that the target system didn't have the right drivers for the connection provider I used. What made this harder to troubleshoot was that the connectivity piece in Crystal Reports is not very intuitive and duplicate connection names can be created with different providers -- same names different providers.
The solution was to open the report, go to :
Database Expert > Set Datasource location
and this is the key part:
Select the connection with the correct provider.
In my case, this was SQLOLEDB
You can right-click the connection and choose "Properties" and check the provider.
Another way to resolve it would be to install the correct drivers and versions. In this case, since the SQLOLEDB provider was installed and already worked, I decided to keep all the reports exclusively use that provider instead.
You may need to check providers installed to verify, a direct way is to check registry, for example, SQL Native client SQLNCLI10 can be found:
HLKM\SOFTWARE\Microsoft\SQLNCLI10
We have an Firebird database for a (very crappy) application, and the app's front end, but nothing in between (i.e. no source code).
There is a field in the database that is stored as -2086008209 but in the front-end represents as 63997.
Examples:
Database Front-End
758038959 44093
1532056691 61409
28401112 65866
-712038758 40712
936488434 43872
-688079579 48567
1796491935 39437
1178382500 30006
1419373703 66069
1996421588 48454
890825339 46313
-820234748 45206
What kind of storage is this? The aim for us here is to access the application's back-end data and bypass the front-end GUI alltogether, so I need to know how to decode this field in order to get appropriate values from it. It is stored as a int in FireBird (I don't know if FireBird has signed/unsigned ints, but this is showing as signed when we select it).
This is the definition of the field:
It is not, as far as I can tell, de-normalised. The generator GEN_CONTACTS_ID has 66241 against it, which at a glance looks accurate.
I work on with an application that stores bitmaps in integers (just don't ask), if you express them in that form do you something useful or consistant
My impression is that the problem is in the front end. If what is stored in the DB is -2086008209, then what is stored in the DB is -2086008209. To understand better how the application is manipulating the data, try storing other numbers in the DB and see how they are displayed.
Did you come to this realization through logging SQL? If you havent, you may serve yourself well by using the Firebird Trace API to get that SQL: http://www.firebirdfaq.org/faq95/. An easier tool to parse the Trace API is this commercial product: http://www.upscene.com/products.fbtm.index.php.
I've used these tools and other techniques (triggers etc,.) to find what an application is using/changing in the Database.
Of course, if the SQL statement is select * from table, then these tools would not help much.
<asp:CheckBox ID="chkIsHidden" runat="server" Enabled="false"
Checked='<%# Convert.IsDBNull(Eval("Is_Hidden")) ? false : Convert.ToBoolean(Eval("Is_Hidden")) %>'
/>
Above code, Security program scan and alert that "Blind SQL Injection", I'm so confuse
Why it has SQL injection?
How to fix to avoid sql injection?
As you can see, even if your Web application does not return error messages, it may still be susceptible to blind SQL injection attacks. However, you can protect your organization's applications against attacks with the following best practices:
Create a policy that enforces secure coding practices to ensure vulnerability detection and assessments are performed during any application development or deployment.
Have your developers identify where data enters or exits the application and ensure that validation occurs for every part of the HTTP request before letting it anywhere near scripts, data access routines and SQL queries. This will prevent user-supplied data from being able to modify the syntax of SQL statements.
Completely isolate your Web applications from SQL using stored procedures, which the application should execute using a safe interface, such as JDBC's CallableStatement or ADO's Command Object. If SQL statements must be generated on the fly, use PreparedStatements, as both PreparedStatements and stored procedures compile the SQL statement before the user input is added, making it impossible for user input to modify the actual SQL statement.
Consider using a vulnerability assessment tool to automate the discovery of SQL injection and other security vulnerabilities.
Develop an incident response plan. Having a detailed and well-rehearsed plan will help you handle any attack that occurs in an orderly and effective manner, and minimize the impact to your organization.
I'm building a system that has a Java Swing front end accessed a postgres database. Prior to discovering Jasypt this week, I had originally planned to use Postgres' own encryption mechanism. It worked fine, but I also now wanted the passwords over the network to be encrypted, hence why I turned to Jasypt.
Problem is, I need a fixed password to be entered into my Postgres stored function. I.e. If the input password is 'aaa' then any other inputed password into the Postgres stored function (other than 'aaa') will not match.
Is there a way to get these two encryption mechanisms to work in tandem together or do I have to dump Postgres'?
My user table:
CREATE TABLE "user"
(
id serial NOT NULL,
cryptpwd text NOT NULL,
md5pwd text NOT NULL,
...
)
Encrypting password:
cryptedPassword = crypt(passwordIn, gen_salt('md5'));
md5Password = md5(passwordIn);
INSERT INTO "user"(username, cryptpwd, md5pwd, ...)
VALUES (usernameIn, cryptedPassword, md5Password, ...);
Decrypting password:
select ..... from "user" .... where username = usernameIn and cryptpwd = crypt(passwordIn, cryptpwd);
If I cannot get the two of them to work together then I would have to dump Postgres' mechanism as I need to have encryption over the network.
Also, with regards to the database connection string and database username and password (not using any framework ... plain old jdbc connection hopefully with SSL - yet to implement), I don't think I'll be able to use Jasypt because I'd need to decrypt it at database level. Would SSL alone be sufficient for this case?
Thanks.
I think SSL alone, on every piece of the path, would be sufficient. In LedgerSMB (although we are Perl-based) we do something different and rely on SSL protected links between servers and between servers and clients. There are a few things to think about with your approach though.
We actually pass the db username and password to the middleware from the client in re-usable format (plain text) over an SSL connection, and then use another SSL connection to log into PostgreSQL to authenticate this way. This works fine, but the problem areas we face are somewhat similar to the problem areas you will. These include:
Logging. Is it possible passwords will get accidently logged? This is a concern with LedgerSMB and we take what steps we can but a badly configured server or a tampered-with program could log usernames and passwords. In our case this comes primarily on the middleware level, but in your case, query logging could do this too, right?
Is it possible credentials can be re-used unintentionally? We prevent this in a couple of ways, but it is worth considering.
On the whole, we trust SSL. There isn't much to be gained from adding additional encryption beyond that, and key management adds a lot of complexity that is not worth the marginal gains IMO.