May 2024
M	T	W	T	F	S	S
	1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

May 2024
M	T	W	T	F	S	S
	1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Posts Tagged ‘SQL’

Checklist for SQL Server Database Audit & Security Hardening

Posted by Sudarshan Narasimhan on June 8, 2016

I’ve been involved in a lot of IT security audits, many times due to legislative requirements. A few good examples of these are PCI, SOX, HIPAA, GLBA audits. Each of these US legislative acts have a set of defined security standards & configurations that organizations have to adhere to. Audits for these systems happen both internally and externally to ensure the company is compliant to these standards and any remediation’s are acted upon.

Being a DBA, you’re usually involved in these IT audits. The scope for these audits should be very well defined per your internal IT security policies. As a database administrator, you are responsible for the secure management of the company’s data, vis-à-vis compliance data. The systems in scope for these databases are usually ones (but not limited to) that contain the following data:

Payment Card Data or database systems used for Payment processing (Online payment web systems, retail POS etc)
Financial Data (like Bank, Insurance, Stocks etc)
Health Information (like medical, patient records etc)
Personally Identifiable Information (PII) data (like client/member data including DOB, Tax Number, SSN etc)

While each of these compliance regulations are very-well documented (especially PCI DSS), you must follow certain best practices or standards for any DBMS system, irrespective of the requirements. In today’s world, data leaks are becoming increasing prevalent and within the DB world, it is very essential to adhere to strict & enforceable data security practices.

All that said, coming to SQL Server security good practices, I’ve listed what I feel are the bare-minimum security checks that need to be performed. You can add stuff to this, but in my view these are essential and non-negotiable settings that you must check as a DBA. I’ll probably share some scripts & code to monitor these setting centrally in an automated way, in another post. This post is to list down and share these settings so that you are aware of the various things to consider when looking at SQL Server Security Hardening & Audits.

CHECKLIST: Security Audit of a SQL Server Database Instance

Instance Level:-
1. Server Role Membership
2. Server Permissions e.g. CONTROL SERVER, ALTER ANY DATABASE
3. Public Role Permissions (harden this as much as possible on user database, leaving aside system databases)
4. BUILTIN Admins present as a login?
5. Default Port changed?
6. Orphaned AD Users & Groups must be removed
7. [NT AUTHORITY\ANONYMOUS LOGON] must be removed.

Database Level:-
1. Database Role Membership (Elevated)
2. Database Role Membership (Standard)
3. Database Permissions e.g. DELETE, ALTER, SCHEMA
4. Guest User Disabled?
5. DBO User ownership (you can read my previous post on DBO ownership HERE (point #2) to understand why this is important)
6. No Orphaned Users should exist

Windows OS Level:-
1. Local Administrators Group Members
2. Local Security Policy Privileges (following this MSDN doc to grant only those privileges required to run SQL Services to the SQL service accounts)
3. Guest User enabled?
4. Windows Firewall configured to allow connections via a specific Port Only (I hate systems setup to allow all incoming connections to sqlservr.exe. Duh!)
5. SQL Browser Service Disabled?

Configuration:-
1. XP_CMDSHELL Disabled?
2. Password Complexity & Lockout for SQL Logins (SQL logins inherit the account & password policies of the server on which the instance is running. Work with your IT admins to implement a stronger policy using GPO if required. Otherwise make sure CHECK_POLICY setting is turned ON for all SQL logins [including SA])
3. SA password rotated frequently (if you can disable the SA account, even better)
4. Cross database ownership chaining Disabled?

Patch Management
1. Are all the security bulletin patches for known vulnerabilities applied on your SQL Server instance. (Refer to https://technet.microsoft.com/en-us/security/bulletins.aspx and filter on your specific version & patch level to get the list of known security patches available).
2. Are all known Windows security patches applied (Depending on your company, this might be handled by another team, but it’s still a DB Server, so better be prepared if someone else isn’t doing their job properly 😉 )

Compliance:-
1. Access Control mechanisms in place for Sensitive/PII Data?
2. Access Control mechanisms in place for Regulatory Data?
3. SQL Server Audit enabled to track permissions/role/users changes to compliance data?

Penetration Tests
1. SA Login checks. Is anyone trying to login by brute-force using the SA account?
2. Main App login. Is anyone trying to login by brute-force using the application login (especially if it’s a SQL login)

I was almost about to add managed service accounts (MSA/GMSA) to this list, but considering SQL 2016 just released a week ago and most of you are probably running SQL 2012/2014 with either Clustering/AlwaysON, I’m not going to make it a must-do yet. (Damn you Microsoft, you promised GMSA support for SQL 2014 but didn’t follow through 😦 )

That’s all for now. I’ll continue this in another post with some sample code to help you through all these items.

Until then, stay safe and may the force be with you.

-TheSQLDude (Sudarshan)

Posted in Auditing, General Thoughts, Security | Tagged: Audit, Auditing, compliance, data security, hardening, PCI, SQL | Leave a Comment »

Quick SQL Server Info – Script

Posted by Sudarshan Narasimhan on April 19, 2016

Here is a handy script that I used to quickly get high-level information about any SQL Server Instance. It provides basic information like machine name, number of CPU’s, memory, patch level, HA configuration and the user databases hosted on this instance.

/*SCRIPT START*/
DECLARE @cpu int, @memory decimal(2), @dbcount int, @dbs varchar(2000)
SELECT @cpu=cpu_count FROM sys.dm_os_sys_info
SELECT @memory= CONVERT(decimal(2),ROUND([total_physical_memory_kb]/1024.0/1024.0,1)) FROM [sys].[dm_os_sys_memory]
SELECT @dbcount=COUNT(*) FROM sys.databases where database_id>4
SELECT @dbs = (SELECT STUFF(
    (
    SELECT ', ' + DB.name
    FROM sys.databases AS DB
    WHERE DB.database_id>4
    FOR XML PATH('')), 1, 2, '') AS Databases)
SELECT 
@@SERVERNAME as [SQLServerName]
,SERVERPROPERTY('ComputerNamePhysicalNetBIOS') as [MachineName]
,[CPU] = @cpu
,[Memory (GB)] = @memory
,[Num.Databases] = @dbcount
,[Version] = 
    CASE WHEN CONVERT(varchar(50), SERVERPROPERTY('ProductVersion')) LIKE '9%' THEN 'SQL 2005'
        WHEN CONVERT(varchar(50), SERVERPROPERTY('ProductVersion')) LIKE '10.0%' THEN 'SQL 2008'
        WHEN CONVERT(varchar(50), SERVERPROPERTY('ProductVersion')) LIKE '10.5%' THEN 'SQL 2008R2'
        WHEN CONVERT(varchar(50), SERVERPROPERTY('ProductVersion')) LIKE '11%' THEN 'SQL 2012'
        WHEN CONVERT(varchar(50), SERVERPROPERTY('ProductVersion')) LIKE '12%' THEN 'SQL 2014'
        WHEN CONVERT(varchar(50), SERVERPROPERTY('ProductVersion')) LIKE '14%' THEN 'SQL 2016'
        WHEN CONVERT(varchar(50), SERVERPROPERTY('ProductVersion')) LIKE '15%' THEN 'SQL vNext'
    ELSE 'UNKNOWN' END
,SERVERPROPERTY('ProductLevel') as [ServicePackLevel]
,ISNULL(SERVERPROPERTY('ProductUpdateLevel'),'N/A') as [UpdateLevel]
,ISNULL(SERVERPROPERTY('ProductUpdateReference'),'N/A') as [UpdateKBNumber]
,SERVERPROPERTY('Edition') as [Edition]
,SERVERPROPERTY('IsClustered') as [Clustered]
,SERVERPROPERTY('IsHadrEnabled') as [isAlwaysON]
,[UserDatabasesHosted] = @dbs
GO
/*SCRIPT END*/

Posted in T-SQL | Tagged: configuration, Instance info, SQL | Leave a Comment »

IO Cost in an execution plan–What it actually means?

Posted by Sudarshan Narasimhan on May 11, 2012

I/O is probably one the slowest of the resources. The information below gives a quick meaning of what these operators mean when you look at them in an execution plan. This specific concentrates on the “Estimated I/O Cost” value in an execution plan. I’ll post some other day in detail on how to decipher a SQL Server query execution plan.

Thanks to Niraj Mehta for putting together this content.

Table Scan

The total number of data pages in the table

Clustered Index Scan

The number of levels in the index plus the number of data pages to scan (data pages = #rows / #rows per page)

Non-Clustered Index Seek on a Heap (Bookmark Lookup)

The number of levels in the index plus the number of leaf pages to read for qualifying rows plus the number of qualifying rows (1 I/O for each row on the heap)

Non-Clustered Index (I1) Seek on a Clustered index (I2) (Bookmark Lookup)

The number of levels in the I1 index plus the number of leaf pages to read for qualifying rows plus the number of qualifying rows times the cost of searching for a clustered index (I2) key

Covering Non-Clustered index

The number of levels in the index plus the number of leaf index pages to read for qualifying rows (#qualifying rows / # rows per leaf page).

Posted in Performance | Tagged: cost, covering index, disk, execution plan, indexes, IO, performance, scan vs seek, slow, SQL, SQL Server | Leave a Comment »

SQL Server 2012 – Released and available for public download

Posted by Sudarshan Narasimhan on April 3, 2012

SQL Server 2012 codenamed “Denali” is now ready for download and available for public consumption. Please check out the following blog post that talks about the general release.

http://blogs.technet.com/b/dataplatforminsider/archive/2012/04/02/sql-server-2012-is-generally-available.aspx

SQL 2012 is specifically targeted at Big Data and High Availability, including a powerful set of feature-rich BI tools like PowerView. Some of the new engine features are :-

SQL Server AlwaysON
Contained Databases
Column Store Indexes
User-Defined Server Roles
Big Data (Hadoop)

Again, Books Online is your best resource to read up on the new release and to understand the new set of features.

You can download the evaluation/trial version of SQL 2012 here,

http://www.microsoft.com/sqlserver/en/us/get-sql-server/try-it.aspx

http://www.microsoft.com/download/en/details.aspx?id=29066

Posted in SQL News | Tagged: Denali, download, new features, released, SQL, SQL Server, SQL Server 2012, top features | Leave a Comment »

The curious case of public users having control server access to SQL Server

Posted by Sudarshan Narasimhan on March 28, 2012

I thought I had seen it all in SQL Server. But life finds a way of throwing a few surprises and WTF moments in your way. I happened to be working with a customer who had some Windows users and these users had complete access over SQL Server. They were able to login, access all databases & tables, create new databases, drop databases (yes!) etc. Now, these Windows logins weren’t a part of the SQL logins in sys.syslogins at all. How did they gain access? Where are they getting the complete equivalent of sysadmin permissions from?

Thus begins the story of the curious case of public logins and how Dr.Sherlock went about solving the mystery. Conan Doyle on…..

Basics

1. Check if this Windows login is part of sys.syslogins
2. Check if this Windows login is part of any Groups, that are part of the logins.
3. If so, check what permissions this group has on the instance/database and what roles these Groups belong to.

Okay, what this told me was that there were 2 Windows Groups added as logins to SQL Server, but this login was a part of only 1 group and this group AD\GroupXYZ did not have sysadmin [EXEC sys.sp_helpsrvrolemember ‘sysadmin’] or database access. ??@!#*@!#!@#!

Since my initial testing had revealed that with this login create/drop/backup etc. were possible, this login is obviously having some higher level privilege in SQL Server akin to what the SA would have. I had already checked sysadmin role and this login/group wasn’t a part of the role. There are 3 scenarios in SQL Server where logins have implied access to a database. By “implied” I mean that a login need not be mapped to any database, but this login can still have complete access to the database.

1. Part of the sysadmin server role.

2. Database OWNER aka DBO inside the database

3. CONTROL SERVER permission is granted at server level. (SQL 2005 & above only)

Not many people know or pay attention to the 3rd point about Control Server permissions. CONTROL SERVER is a new permission available starting with SQL Server 2005 and it grants the same access level as being a member of the sysadmin fixed server role. But still, I didn’t have an answer to how this login was able to access the database ProdDB. I opened a new query window with this login and started a profiler trace from my SA account adding all the “Security Audit” events to the trace, and filtering it on the SPID number from my query window connection.

Here is what I observed when I ran a “select * from dbo.employees” table.

1. The login name was “sudarn2\testuser”, which is my windows login.

2. The login was accessing my database “test” as a public user. Aha!

As you can see above, the select succeeded and I was able to read all the data as a public user! You can see each column definition for the event Audit Schema Object Access Event Class here.

This is starting to make sense now as to how the user is able to access all the databases, which being mapped to none. This user was accessing the database under the context of public user. But out-of-the-box, SQL Server definitely does not have any such permission granted to public user. This must be some customized public user then.

I use the following query to find out what Server Level permissions the public user had been granted using the DMV sys.server_permissions.

SELECT SPr.name as [UserName],SP.permission_name,SP.class_desc,'Server' AS 'Securable',SP.state_desc, SPr.type_desc as [Grantee_Type]
FROM sys.server_permissions SP
INNER JOIN sys.server_principals SPr
 ON SP.grantee_principal_id = SPr.principal_id
WHERE class = 100
AND SPr.name = 'Public'
UNION 
SELECT SPr.name,SP.permission_name,SP.class_desc,SPr2.name AS 'Securable',SP.state_desc, SPr.type_desc as [Grantee_Type]
FROM sys.server_permissions SP
INNER JOIN sys.server_principals SPr
 ON SP.grantee_principal_id = SPr.principal_id
INNER JOIN sys.server_principals SPr2
ON SP.major_id = SPr2.principal_id
WHERE class = 101 
AND SPr.name = 'Public'
UNION 
SELECT SPr.name,SP.permission_name,SP.class_desc,ep.protocol_desc COLLATE SQL_Latin1_General_CP1_CI_AS AS 'Securable',SP.state_desc, SPr.type_desc as [Grantee_Type]
FROM sys.server_permissions SP 
INNER JOIN sys.endpoints ep
 ON SP.major_id = ep.endpoint_id
INNER JOIN sys.server_principals SPr
ON SP.grantee_principal_id = SPr.principal_id
WHERE SP.class = 105
AND SPr.name = 'Public'

Table 1. Public Server Permissions on this problematic instance

name	permission_name	class_desc	state_desc
public	CONNECT	ENDPOINT	GRANT
public	CONNECT	ENDPOINT	GRANT
public	CONNECT	ENDPOINT	GRANT
public	CONNECT	ENDPOINT	GRANT
public	CONTROL SERVER	SERVER	GRANT
public	VIEW ANY DATABASE	SERVER	GRANT
public	ADMINISTER BULK OPERATIONS	SERVER	GRANT
public	ALTER ANY CONNECTION	SERVER	GRANT
public	ALTER ANY CREDENTIAL	SERVER	GRANT
public	ALTER ANY DATABASE	SERVER	GRANT
public	ALTER ANY ENDPOINT	SERVER	GRANT
public	ALTER ANY EVENT NOTIFICATION	SERVER	GRANT
public	ALTER ANY LINKED SERVER	SERVER	GRANT
public	ALTER ANY LOGIN	SERVER	GRANT
public	ALTER ANY SERVER AUDIT	SERVER	GRANT
public	ALTER RESOURCES	SERVER	GRANT
public	ALTER SERVER STATE	SERVER	GRANT
public	ALTER SETTINGS	SERVER	GRANT
public	ALTER TRACE	SERVER	GRANT
public	AUTHENTICATE SERVER	SERVER	GRANT
public	CONNECT SQL	SERVER	GRANT
public	CONTROL SERVER	SERVER	GRANT
public	CREATE ANY DATABASE	SERVER	GRANT
public	EXTERNAL ACCESS ASSEMBLY	SERVER	GRANT
public	SHUTDOWN	SERVER	GRANT
public	UNSAFE ASSEMBLY	SERVER	GRANT
public	VIEW ANY DEFINITION	SERVER	GRANT

Table 2. Default Public Server Permissions out of the box with SQL Server

name	permission_name	class_desc	Securable	state_desc
public	CONNECT	ENDPOINT	NAMED_PIPES	GRANT
public	CONNECT	ENDPOINT	SHARED_MEMORY	GRANT
public	CONNECT	ENDPOINT	TCP	GRANT
public	CONNECT	ENDPOINT	VIA	GRANT
public	VIEW ANY DATABASE	SERVER	Server	GRANT

As you see in the Table 2 above, the public role has been granted a bunch of Server Level permissions which are un-necessary and pose a security risk. The most important of them all is the CONTROL SERVER permission, as this alone is enough to gain sufficient permissions equivalent to a sysadmin. The control server granted to public implies other permissions like ALTER ANY DATABASE, SHUTDOWN, ALTER ANY LOGIN etc. The full list of permissions implied by Control Server is given here.

So we finally have an answer to who (public) and how (control server granted to public). This was how an un-mapped user was able to access a user database like ProdDB and read/edit data etc., all because someone threw the security best practise book into the trash and decided to grant pretty much every server permission to the public role.

What to do to fix this gaping security hole?

Since we have identified the permission which grants public this unwanted access, we need to either REVOKE it or DENY it. Here is the T-SQL to do this,

REVOKE CONTROL SERVER FROM public;
(or)
DENY CONTROL SERVER TO public;

After the above command was executed by SA, the windows user is now unable to access any database he isn’t mapped to, which is what we wanted. But as a further test, we created a new SQL login called testuser and mapped it to 1 specific user database. When we tried to login using testuser, the login failed with this error.

When I checked the SQL error log, I saw the following 18456 error getting logged.

2012-03-28 23:33:33.570 Logon Error: 18456, Severity: 14, State: 11.

2012-03-28 23:33:33.570 Logon Login failed for user ‘SUDARN2\testuser’. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <local machine>]

State:11 means the login is valid, but lacks server permissions. I used the same query above or this one below to see what permissions public role now had at the Server level.

SELECT
State_Desc, Permission_Name, class_desc,
COALESCE(OBJECT_NAME(major_id),DB_NAME(major_id)) SecurableName, SCHEMA_NAME(O.schema_id) [Schema],
Grantees.Name GranteeName, Grantees.Type_Desc GranteeType
FROM sys.server_permissions Perms
INNER JOIN sys.server_principals Grantees ON Perms.Grantee_Principal_Id = Grantees.Principal_Id
LEFT OUTER JOIN sys.all_objects O ON Perms.major_id = O.object_id
where Grantees.Name = 'public'
ORDER BY GranteeName

I saw the after revoking the CONTROL SERVER permissions, the other implied permissions were gone and now only the “VIEW ANY DATABASE” permissions was granted. Going back to Table 2. above we know that by default SQL Server has granted 5 Server permissions to public and out of this 4 of them are on ENDPOINTS. One of each protocol type: TCP, Named Pipes, Shared Memory and VIA. These were missing.

I granted these back so as to reset public back to the original out-of-box configuration.

grant CONNECT ON ENDPOINT::[TSQL Named Pipes] to public;
grant CONNECT ON ENDPOINT::[TSQL Local Machine] to public;
grant CONNECT ON ENDPOINT::[TSQL Default TCP] to public;
grant CONNECT ON ENDPOINT::[TSQL Default VIA] to public;

Once I did this, the test login testuser was able to successfully make a connection to SQL Server.

Notes:

1. For those of you DBA’s out there, who don’t want any user/login accessing the SQL Server instance, the 4 endpoint permissions above would be an ideal candidate to revoke from public. Once this is done, no one except sysadmins can connect to SQL Server.

2. You can revoke these 4 endpoint permissions using the below T-SQL commands,

Revoke CONNECT ON ENDPOINT::[TSQL Named Pipes] From public;
Revoke CONNECT ON ENDPOINT::[TSQL Local Machine] From public;
Revoke CONNECT ON ENDPOINT::[TSQL Default TCP] From public;
Revoke CONNECT ON ENDPOINT::[TSQL Default VIA] From public;

3. Just running the above is not enough, since you need to take care of granting connect permissions to your actual application logins, e.g. db_appadmin. If you revoke as given in step #2 and stop there, then you will get into deep trouble and none of your application users will be able to connect to SQL Server. The login will fail with Msg: 18456, State:11. You will need to specifically grant connect on endpoint permissions to each of those logins (for all the 4 protocols) which needs to connect to the SQL instance.

GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] to [loginname]
e.g. GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] to [db_appadmin]

Well, thus ends the strange but interestingly curious story of public role access and how to control it. I have some more T-SQL code and samples covering public & Guest users. Read through this blog post of mine for more details on how to go about curbing public rights and its pros & cons.

It’s all elementary my dear Watson Smile .

Posted in Security | Tagged: guest, login failed, logins, permissions, prevent public access, public, security, SQL, unauthorized access | 2 Comments »

T-SQL Auditing Script to find logins inheriting permission via AD Groups and verify DBO/Database owner login in a single execution

Posted by Sudarshan Narasimhan on March 5, 2012

I had authored a post on this a couple of weeks back to detect mismatch between DBO User & database owner. I had also included how to find the various groups a windows login belongs to using the login’s token in sys.login_token. I continued working on this script and finished it last week. One of the problem’s was the login token view is only useful when you have logged in via the User itself. If you are an admin you will get results from the Admin login token, which isn’t useful in detecting permissions.

So, this new script I wrote will give you the following information, which is very very useful when doing security audits, security permission validation and especially useful if you manage a lot of databases and your SQL Server has a lot of AD Group logins etc. Here is what my script does:-

DBO Owner Login to Database Owner Mapping.
Logins which are part of AD Groups and has DBO rights in each database
Members of DB_OWNER role in each database excluding the DBO user itself (including permissions via AD Groups).
Summary: Identify those users who are DBO mapped logins, but they do NOT have explicit login NOR are they are part of DB_OWNER role.

You can think of this as a complete security auditing script for AD Logins, groups, Database Owner/DBO validity.

T-SQL SCRIPT for Security Auditing of DBO Access & AD Groups

set nocount on
go
Create table #TmpTableSec1 (database_name varchar(100), Owner varchar(100))
Create table #TmpTableSec2 (database_name varchar(100), principal varchar(50), DBO_Owner_Login varchar(100))
Create table #TmpResult (database_name varchar(100), principal varchar(50), DBO_Owner_Login varchar(100))
DECLARE DBCURSOR CURSOR FOR
select name 
from sys.databases where state=0 and name not in ('tempdb','model','master','msdb')
Declare @name varchar(50)
Declare @cmd  varchar(200)
Declare @dbowner varchar(100)
OPEN DBCURSOR
FETCH NEXT FROM DBCURSOR INTO @name
WHILE @@FETCH_STATUS = 0
BEGIN
      --print 'Database --> ['+@name+']'
      set @cmd = 'select name,  suser_sname(owner_sid) from master.sys.databases where name = '''+@name+''''
      --select @cmd
      insert #TmpTableSec1 exec (@cmd)
      --select @dbowner = (select suser_sname(owner_sid) from master.sys.databases where name = @name)
      set @cmd = 'use '+ @name +'
      select db_name(), name, suser_sname(sid)
      from sys.database_principals where name = ''dbo'''
      --select ''@DBO'' = (select suser_sname(sid) from sys.database_principals where name = ''dbo'') '
      INSERT #TmpTableSec2 exec (@cmd) 
FETCH NEXT FROM DBCURSOR INTO @name
END
CLOSE DBCURSOR
DEALLOCATE DBCURSOR
--select * from #TmpTableSec1
--select * from #TmpTableSec2
insert into #TmpResult
select a.database_name, a.Owner, b.DBO_Owner_Login from #TmpTableSec1 a
join #TmpTableSec2 b
on a.database_name = b.database_name
--select * from #TmpResult

Create table #GroupMemberTable (account_name varchar(200), type varchar(50), privilege varchar(100), login_name varchar(200), group_name varchar(500))

DECLARE DBCURSOR2 CURSOR FOR
select distinct(DBO_Owner_Login)
from #TmpResult where DBO_Owner_Login like '%\%' and DBO_Owner_Login <> 'NT AUTHORITY\SYSTEM'
Declare @DBO varchar (200)
Declare @DBNAME varchar (200)
OPEN DBCURSOR2
FETCH NEXT FROM DBCURSOR2 INTO @DBO
WHILE @@FETCH_STATUS = 0
BEGIN
      set @cmd = 'EXEC xp_logininfo '''+@DBO+ ''', ''all'' '
      insert into #GroupMemberTable EXEC (@cmd)
      --update #GroupMemberTable set database_name = @DBNAME where id=@@IDENTITY 
      --print @cmd
FETCH NEXT FROM DBCURSOR2 INTO @DBO
END
CLOSE DBCURSOR2
DEALLOCATE DBCURSOR2
--select * from #TmpResult
--select * from #GroupMemberTable where group_name <> 'NULL' --and privilege = 'admin'

Create table #Tmp_DB_ownerRoleResults (database_name varchar(100), DBOwnerRole_Member_UserName varchar(200), User_type varchar(100))
DECLARE DBCURSOR3 CURSOR FOR
select database_name
from #TmpResult where DBO_Owner_Login <> 'NT AUTHORITY\SYSTEM'
Declare @database_name3 varchar (200)
Declare @cmd3  varchar(500)
OPEN DBCURSOR3
FETCH NEXT FROM DBCURSOR3 INTO @database_name3
WHILE @@FETCH_STATUS = 0
BEGIN
      set @cmd3 = 'use '+ @database_name3 +'
      select db_name(), user_name(member_principal_id), type_desc from sys.database_role_members a
      inner join sys.database_principals b
      on a.member_principal_id = b.principal_id where a.role_principal_id=16384'
      --print @cmd3
      --exec (@cmd3)
      insert into #Tmp_DB_ownerRoleResults exec (@cmd3)
FETCH NEXT FROM DBCURSOR3 INTO @database_name3
END
CLOSE DBCURSOR3
DEALLOCATE DBCURSOR3

print '###########################################################'
print '###### Database Owner and DBO Owner Logging Mapping #######'
print '###########################################################'
select * from #TmpResult


print '###########################################################################'
print '###### AD Group Member Logins which have DBO Access in the database #######'
print '###########################################################################'
create table #TmpTableSec3 (database_name varchar(100), Database_Owner varchar(200), DBO_Owner_Login varchar(200), type varchar (100), privilege varchar(100), group_name varchar(500))
insert into #TmpTableSec3
select a.database_name, a.principal, a.DBO_Owner_Login, b.type, b.privilege, b.group_name
from #TmpResult a
left join #GroupMemberTable b
on a.DBO_Owner_Login = b.login_name
where b.group_name is not null --and b.privilege = 'admin'
order by a.database_name
select database_name, DBO_Owner_Login, privilege, group_name  from #TmpTableSec3 
where privilege = 'admin' order by database_name asc

print '####################################################################################'
print '###### Members of DB_OWNER ROLE For Each Database (Excluding DBO Owner Login)#######'
print '####################################################################################'
Create table #TmpTableSec4 (database_name varchar(100), DBOwnerRole_Member_UserName varchar(200), User_type varchar(100))
insert into #TmpTableSec4
select a.database_name as [Database_Name], b.DBOwnerRole_Member_UserName, b.User_type 
from #TmpResult a
inner join #Tmp_DB_ownerRoleResults b
on a.database_name = b.database_name
where b.DBOwnerRole_Member_UserName <> 'dbo'

Create table #TmpTableSec5 (database_name varchar(100), DBOwnerRole_Member_UserName varchar(200), User_type varchar(100))
insert into #TmpTableSec5
select a.name as [Database_Name], b.DBOwnerRole_Member_UserName, b.User_type 
from sys.databases a
left outer join #TmpTableSec4 b
on a.name = b.database_name

select * from #TmpTableSec5
where DBOwnerRole_Member_UserName is not null
order by database_name

print''
print '#########################################################################################################################'
print '###### Final Result: Users who are not part of DB_OWNER Role nor having explicit login access but have DBO rights #######'
print '#########################################################################################################################'
print ''
create table #TmpFinalResult (group_name varchar(500), database_name varchar(100), DBO_Owner_Login varchar(200), Database_Owner varchar(200), privilege varchar(100))
insert into #TmpFinalResult
select distinct (a.group_name), a.database_name, a.DBO_Owner_Login, a.Database_Owner, a.privilege
from #TmpTableSec3 a
where a.database_name in (select database_name from #TmpResult where principal <> DBO_Owner_Login)
and a.group_name not in (select name from sys.syslogins where sysadmin = 1 and isntgroup = 1)
and a.DBO_Owner_Login not in (select name from sys.syslogins where sysadmin = 1 and isntuser = 1)
and a.DBO_Owner_Login not in (select DBO_Owner_Login from #TmpTableSec3 where privilege = 'admin')
--and a.group_name not in ('Any Domain Groups to be filtered goes here e.g. [DOMAIN\All Users]')
order by a.database_name asc
select a.database_name, a.DBO_Owner_Login, a.Database_Owner, a.group_name, a.privilege from #TmpFinalResult a
order by a.database_name asc

drop table #TmpTableSec1
drop table #TmpTableSec2
drop table #TmpTableSec3
drop table #TmpTableSec4
drop table #TmpTableSec5
drop table #TmpResult
drop table #GroupMemberTable
drop table #Tmp_DB_ownerRoleResults
drop table #TmpFinalResult
go
set nocount off
go

Explanation of the Script Output

###########################################################

###### Database Owner and DBO Owner Logging Mapping #######

###########################################################

This section gives you the mapping between the database owner in sys.databases and the login which owns the DBO User in each database. If you move databases between servers, its possible that the old DBO Login doesn’t exist on the new instance and this could cause unauthorized access by the old DBO id he/she has login access to the server, then he/she retains DBO access in the newly moved database.

###########################################################################

###### AD Group Member Logins which have DBO Access in the database #######

###########################################################################

This section presents to you the different Active Directory Groups that have DBO/DB_Owner access in each database. Sometimes, if you have too many AD Groups in different OU’s, for a DBA it gets confusing to manage the authorized access. You can certainly manually look up the AD Users and figure this out. But, being a SQL person I’m sure its a lot more comfortable seeing this within SQL Server itself. This script does just that and shows the diff groups per each database.

####################################################################################

###### Members of DB_OWNER ROLE For Each Database (Excluding DBO Owner Login)#######

####################################################################################

Since we are anyways getting DBO Owner login we might as well detect the different users who are part of DB_OWNER fixed database role. Each member of DB_OWNER role has Full Control on the database. Hence the need to track this information.

#########################################################################################################################

###### Final Result: Users who are not part of DB_OWNER Role nor having explicit login access but have DBO rights #######

#########################################################################################################################

This is the one that does the magic! It gives a final report of each user who has DBO Access, but who isn’t a part of DB_OWNER role nor does this person has sysadmin through any of the AD Groups. It also reports all the AD Group, through which this windows user can get a login access to SQL Server thereby gaining DBO Access when switching context to the database reported against the user’s name. If you see any results here, then its very much a security hole, that needs to be plugged after careful review of this user’s individual object rights.

The commented line on a.group_name in the final section, is for you to add any AD Groups which each user in the organisation is a part of, thereby removing any unnecessary rows from the output.

Have fun Auditing. Please post back your comments on the security script…

Posted in Security | Tagged: Active Directory, AD Groups, Auditing, database owner, DBO Access, login token, security, SQL | 3 Comments »

How To: SQL Server Bulk Insert with Constrained Delegation (Access is Denied)

Posted by Sudarshan Narasimhan on December 30, 2011

Well folks, I’ve not been able to blog for sometime as I was caught up with work. But fear not, these past 2 months have given me enough subject material for multiple blog posts. Let me start off with one regarding setting up SQL Server for bulk inserts from a network file share when constrained delegation is setup in Active Directory.

For SQL Server folks out there, I don’t expect you to know about Delegation let alone Constrained vs. Unconstrained.

Q&A

Q: What is Delegation?
A: A client connected to an instance of SQL Server can connect to another instance of SQL Server or another machine by forwarding the credentials of an authenticated Windows user.

E.g. Domain\User1 on Client1 connects to –> SQL Server SQL1 and accesses a remote file on –> Server2, using his own credentials i.e. Domain\User1

It is the role of the SQL Server machine SQL1 to impersonate/delegate that user when communicating with Server2. For this to happen, the SQL Server has to be configured to allow delegation (in Active Directory).

Q: What is Constrained Delegation?
A: This feature allows administrators to specify exactly which services a server or a domain account can access when using an impersonated user’s security context. More on this later. If there is no such restriction configured, then it is called as unconstrained delegation, where every service for that user can perform impersonation aka delegation. It is a security best practice to perform constrained delegation as it reduces the surface area of any attacks.

Environment

Here is a brief layout of the environment that I am going to use in this post as a reference.

This is a basic 3 machine architecture that is very common. Here are the various parties involved:-

Client Computer – Windows PC/Workstation/Application Server: machine name TRINITY1, Client account Domain\appadmin
SQL Server – Windows Server 2003+ running SQL Server 2005/2008/2008 R2 standalone instance: machine name NEOSQL, SQLSvc account Domain\sqladmin
File Share on another Windows Server (basically a shared folder): machine name MORPHEUS1, where user Domain\appadmin has Full Control on the shared folder.

Scenario/Requirement

In an ideal scenario, here is how I want things to work. When a client application runs the SQL BULK INSERT command logged in as Domain\appadmin account to SQL Server, I want the same appadmin account to access the remote file share and read the data.

1. If a user uses a SQL Server login to connect to SQL, then the SQL Service account credentials are used to access the remote file share.

2. If a user uses a Windows account, then his own account is used to access the file share and for this to work successfully, delegation has to be configured.

BULK INSERT appdb.dbo.bulktbl

FROM ‘\\morpheus1\share\data.txt’

If not configured correctly then you will get this error when running the above bulk insert command.

Msg 4861, Level 16, State 1, Line 3

Cannot bulk load because the file "\\morpheus1\share\data.txt " could not be opened. Operating system error code 5(Access is denied.).

Configuring Unconstrained Delegation

1. Configuring permissions on the shared folder on Morpheus1. As you can see the appadmin windows account has Full Control and the sqladmin account has Read/Write permission (if any sql login is going to be used, this is not mandatory).

2. I am assuming that the SQL Server is running under the service account Domain\sqladmin. Login to the Domain Controller with Domain Admin rights and open up Active Directory Users and Computers MMC snap-in.

a. Make sure that the following is NOT checked.

b. The SQL Service account needs SPN’s (Service Principal Names) to be created before it can be configured for delegation. You can use the SetSPN.exe tool that is available with Windows SDK or sysinternals toolkit to create the SPN’s. This tool is also available bundled along with Windows Server 2008.

We need to create 4 SPN’s for the account running SQL Server service as shown below. (2 with netbios names and 2 with FQDN). Note: The command below is for a standalone default instance of SQL Server running on default port 1433. Please modify as applicable to your environment.

Setspn -A MSSQLSvc/neosql thematrix\sqladmin
Setspn -A MSSQLSvc/neosql:1433 thematrix\sqladmin
Setspn -A MSSQLSvc/neosql.thematrix.sudarn.com thematrix\sqladmin
Setspn -A MSSQLSvc/neosql.thematrix.sudarn.com:1433 thematrix\sqladmin

Once done you can query the SPN’s using setspn.exe and it should list you these 4 SPN’s.

c. Switch to the Delegation Tab and select the radio button by Trust this computer for delegation to any service (Kerberos only). We are setting up unconstrained delegation if this option is chosen. If you do not see the Delegation tab available, then there was some issue with creating the SPN’s in step (b) listed above.

d. Next find the actual machine account in Active Directory for the SQL Server machine NEOSQL and set the computer account to be trusted for delegation, as we did above.

e. Next, we need to check the file server where the file we want to import is located, i.e. MORPHEUS1. We need to verify that this machine has the normal 2 HOST SPN’s registered.

This is required to use Kerberos for authentication. Delegation will not work without this, and you will receive an error otherwise. By default each machine should have 2 HOST SPN’s created for it.

3. On the SQL Server machine NEOSQL, open up the Local Security Policy by going to secpol.msc –> Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, and add the sql account Domain\sqladmin to the following policies:

Act as part of the operating system

Impersonate a client after authentication

So far the configuration given above is for unconstrained delegation. We need to make sure that this setup works before we can configure constrained delegation. Once you are done till there, reboot the SQL Server machine (NEOSQL) and the file share machine (Morpheus1), so that all the changes we made in Active Directory are reflected when the machine starts up.

Testing

Make a test connection from the client machine (TRINITY1) using sqlcmd or SSMS. Open up another connection from SSMS and run the following query to find out if the connection from the client machine is using Kerberos authentication.

select b.spid, b.hostname, b.program_name, a.auth_scheme

from sys.dm_exec_connections a

inner join sys.sysprocesses b

on a.session_id = b.spid

The connection from the client machine should return KERBEROS. This is required for delegation to work. If it did, then you are good to run the bulk insert statement and it should work.

Configuring Constrained Delegation

So far so good. Now comes the part that is the crux of this blog post. If you were successful in getting things to work, then read on….

1. Open up Active Directory Users and Computers MMC snap-in with a Domain Admin account as before. Open up the Domain\sqladmin account and switch to the Delegation Tab.

2. Choose the option “Trust this computer for delegation to specified services only”, select “Use any authentication protocol” and click on the “Add…” button.

In the dialog to select the sqladmin account (or your account which runs the SQL service).

This should list the 2 SPN’s we have previously created for this account. Select both of them and click OK.

Click on the “Add…” button again and enter the SQL Server machine name (NEOSQL) and choose the HOST service.

Click on the “Add…” button again and enter the File Share machine name (MORPHEUS1) and choose the HOST Service. We are actually interested only in the CIFS and Protected Storage service. Choosing HOST will automatically choose these 2 services.

After adding all of these, this is how your final configuration for the sqladmin account will look like.

We need the SQLSvc account (Domain\sqladmin)and file share server to have CIFS service enabled for delegation because we are accessing a remote file share and it is the role of the CIFS Service (Common Internet File Share) to perform this. If we do not have CIFS (which comes when we added the HOST Service), then your account (Domain\appadmin) from the client machine (TRINITY1) will reach the file share server (MORPHEUS1) as NT AUTHORITY\ANONYMOUS LOGON and this will not have access and fail with 0x5 (Access is Denied).

I tested this by enabling auditing on the shared folder and saw this. This is a easy test to perform to check if delegation is working or not

When the bulk insert fails with access denied we will see this in the security event log of the file server (MORPHEUS1),

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/20/2011 11:17:33 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MORPHEUS1.THEMATRIX.sudarn.com
Description:
An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:        –
    Account Domain:        –
    Logon ID:        0x0

Logon Type:            3

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:        ANONYMOUS LOGON
    Account Domain:        NT AUTHORITY

That’s all folks! Keep in mind that this configuration requires a good bit of handling with Active Directory and/or policies. Please work with your Domain Administrator while making these changes. As always, stay tuned for more… Cheers and a happy new 2012 to y’all!

Posted in Security | Tagged: access denied, bulk insert, cifs, constrained, delegation, file share, impersonation, Msg 4861, SQL, SQL Server | 34 Comments »

The Dabbling Developer Series: Part1-Windows Service Management

Posted by Sudarshan Narasimhan on September 30, 2011

Now and then when I get some time I like to spend it writing code and I usually like to relate this to some work/activity that helps in my main work i.e. SQL Server. I have many small single-purpose applications/utilities written over time and I realized that having them saved on my PC is of no use. Don’t be surprised if you find C/C++ code samples posted on TheSQLDude. For the time being let me be the TheCDude and Long Live Dennis Ritchie & Ken Thompson!

Service Control Manager Test

I wrote some code to test if I can open the Windows Service Control Manager (SCM) for the local machine or remote machine with the current logged-in account. This helps me validate permissions or spot other errors when performing service related activities. For those of you who don’t know what SCM is read this article.

SCM is a system component that takes care of service management, service start-up and other service related activities.

You might ask, How did I come to care about SCM all of a sudden? What the hell does this have to do with SQL Server?

Let me explain. I came about SCM when a customer of mine came up with a SQL Server Setup issue. Smile When SQL Server setup goes about installing the various SQL Server components, one of the things it has to do is to create the SQL Server services like SQL Engine, RS, AS, Browser service, SQL Writer service etc. Obviously if setup is not able to do this, it will fail. For someone to create/delete/modify a Windows service, they need to talk to the Service Control Manager (SCM). How do you isolate whether the problem is with SQL Setup or some other component? This is how I ended writing this code to test SCManager.

If you want to perform windows service related activities, it works like this:-

1. You need to open the SCManager, which will let you access its database which has the list of registered services

2. If this succeeds, then depending on the operation you can either Open an existing service and modify/query its properties or create a new service and register it with SCM.

The code below is simple C code written on Visual Studio 2010. This has no copyright so feel free to re-distribute.

// scmantest.cpp : Defines the entry point for the console application.

#include "stdafx.h"

#include <windows.h>

#include <tchar.h>

#include <strsafe.h>

#include <stdio.h>

#include <conio.h>

#pragma comment(lib, "advapi32.lib")

#pragma comment(lib, "Kernel32.lib")

int _tmain(int argc, _TCHAR* argv[])

{

if (argc < 2)

{

_tprintf(_T("Usage : %s name_of_machine_to_test"), argv[0]);

return 1;

}

//CHAR lpMachine ;

BOOL bReturn = FALSE;

SC_HANDLE hScm;

// Check that we can open the SCManager on the machine

hScm = OpenSCManager(argv[1], NULL, SC_MANAGER_ALL_ACCESS);

if (hScm)

{

bReturn = TRUE;

printf("OpenSCManager completed successfully\n");

CloseServiceHandle(hScm);

}

else

{

_tprintf(_T("Could not OpenSCManager on %s. GLE = 0x%08x\n"),argv[1],GetLastError());

return 1;

}

_getch();

return 0;

}

The above code tries to Open the SCM and if that fails then it reports the Win32 error. You can Bing! this error to find out what action to take. The application scmantest takes 1 parameter which is the Machine Name. So if you PC is called WorkPC.domain.company.com, then you would run this from the command prompt like this

Here is an output for a non-existent machine and you can see that the Win32 Error reported is 0x000006ba (The RPC server is unavailable).

This can help isolate permission issues when trying to open SCM database as you need to have Administrator rights. Sometimes certain permissions to create might be missing which you will have to grant.

If you are a Windows Admin reading this then here are some command-line instructions to operate on Windows Services

1. Query the state of an existing Windows Service – sc query ServiceName

e.g. Checking state of default instance of SQL Server.
sc query MSSQLSERVER

SERVICE_NAME: MSSQLSERVER
        TYPE               : 10 WIN32_OWN_PROCESS
        STATE              : 4 RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0 (0x0)
        SERVICE_EXIT_CODE : 0 (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

If you specified an invalid service name, you will get this error,
[SC] EnumQueryServicesStatus:OpenService Failed 1060:The specified service does not exist as an installed server.

2. Create a new Windows Service – sc create …

Let me take an example of creating a SQL Server service

e.g. Creating a Default instance of SQL Server

sc create MSSQLSERVER type= own start= demand error= normal binPath= D:\MSSQL\MSSQL.1\MSSQL\Binn\sqlservr.exe obj= LocalSystem DisplayName= "SQL Server (MSSQLSERVER)"

type –> Type of service you want to create. Leave it at OWN.
start –> Start type for the service. You can have it at automatic, disabled. We choose demand which means manual start-up.
binpath –> Complete path to the sqlservr.exe
obj –> Startup account for the service.
DisplayName –> can be anything, this is what services.msc will show us.

Note:-
a) There must be a space between ‘=’ and the value.
b) Double-quotes are mandatory is there is a space in the path.

For those of you who didn’t know this, the windows service entries are present in registry in HKLM\SYSTEM\CurrentControlSet\Services\. This is the same location from where services.msc reads and displays the list of services.

3. Using SUBINACL to check permissions for Windows Services:

SubInACL is a command-line tool that is available for download here and shows you security information about files, registry keys, and services.

e.g. Query permissions on the service for default SQL Server instance

subinacl /verbose /service MSSQLSERVER /display

/owner             =system
/primary group     =system
/audit ace count   =1
/aace =everyone         SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80    FAILED_ACCESS_ACE_FLAG-0x0x80
        SERVICE_ALL_ACCESS
/perm. ace count   =6
/pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_QUERY_CONFIG-0x1           SERVICE_QUERY_STATUS-0x4           SERVICE_ENUMERATE_DEPEND-0x8
        SERVICE_START-0x10                 SERVICE_STOP-0x20                  SERVICE_PAUSE_CONTINUE-0x40        SERVICE_INTERROGATE-0x80
        READ_CONTROL-0x20000               SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_ALL_ACCESS

4. Granting permissions using SUBINACL

e.g. Grant Full Control to TestUser1 on the default SQL Server instance’s service.

subinacl /service MSSQLSERVER /Grant=Domain\TestUser1=F
MSSQLSERVER : new ace for anselm\administrator
MSSQLSERVER : 1 change(s)

Other useful Resources

Using SC.EXE to Develop Windows NT Services
http://msdn.microsoft.com/en-us/library/ms810435.aspx

How to create a Windows service by using Sc.exe
http://support.microsoft.com//kb/251192

I hope this post was useful for both Developers as well as Administrators. Would appreciate any feedback on this post since I am thinking of posting other useful code samples in the future. As always stay tuned for more geeky info….

Posted in Code Samples | Tagged: access denied, C++, code, samples, SCM, services.msc, setup, SQL, subinacl, Windows Services | Leave a Comment »

PRB: Unable to remove secondary filegroup due to system service broker queues

Posted by Sudarshan Narasimhan on August 10, 2011

Delving a little into SQL Storage engine and Service Broker today. I had faced this problem sometime back and it presented me with an opportunity to see how the SSB queues/tables are represented internally by SQL Server.

Scenario
My customer wanted to remove the secondary File Group “FG2_fg" from a database. But was unable to remove the filegroup since these service broker tables were present in filegroup FG2_fg.

queue_messages_223180947
queue_messages_225181061
queue_messages_327181175

All of the above objects are internal system tables which are placeholders for the default queues that are present for every database starting with SQL Server 2005.

QueryNotificationErrorsQueue
EventNotificationErrorsQueue
ServiceBrokerQueue

Whenever we tried to remove the file/filegroup we got this error,

Alter database test3 remove file fil2

Msg 5031, Level 16, State 1, Line 1

Cannot remove the file ‘fil2’ because it is the only file in the DEFAULT filegroup.

We used the following queries to identify the objects present in the secondary filegroup:-

1) Find out the objects present in the secondary filegroup

select name, type, type_desc, is_ms_shipped from sys.objects where object_id in (select object_id from sys.indexes where data_space_id in (2))

— Here data_spaceid=2 represents the filegroup ID 2

SELECT o.[name], o.[type], i.[name], i.[index_id], f.[name]

FROM sys.indexes i

INNER JOIN sys.filegroups f

ON i.data_space_id = f.data_space_id

INNER JOIN sys.all_objects o

ON i.[object_id] = o.[object_id]

WHERE i.data_space_id = 2 — Filegroup ID

Background Info
1. SQL Server uses a proportional fill strategy as it writes to each file within the filegroup and NOT across filegroups. Read more about this in here.
2. The only exception to this could have been IF someone had changed the default filgroup to the secondary filegroup. If so, then any new objects created afterwards would have gone to the secondary instead of the primary.

Repro on SQL 2005
As any good engineer does, so did I – TESTING. To test my little theory I did the following repro on SQL 2005 :-

1) Created a new database with secondary filegroup and 1 file in that.
2) Made secondary FG as default FG for database "test".

*Note: This needs to be done as part of create database and not added later on.

3) What I found was that you DON’T NEED service broker to be enabled for the queue_messages tables to get created.
4) I found that on my test database I had 3 Internal queue_message tables which where for the following parent object

QueryNotificationErrorsQueue
EventNotificationErrorsQueue
ServiceBrokerQueue

4) All of the 3 were were of type SERVICE_QUEUE. You can find this out from sys.objects view
5) Even a new database has the same object numbers and looking at my customer’s object numbers, they are higher, which means they must have had Service Broker implemented at some point.

queue_messages_254180947
queue_messages_286181061
queue_messages_318181175

6) I tested this by creating a service queue when my secondary filegroup was the default filegroup.

use test

CREATE QUEUE TestQueue

WITH

STATUS = OFF,

RETENTION = ON

7) This created the table queue_messages_2105058535 on FG 2 of type "QUEUE_MESSAGES" indicating its a SSB queue.

8) To remove the internal table I did a DROP QUEUE.

drop queue TestQueue

9) This removed the associated internal table and the indexes. You can use the following query to identify internal tables which are for service broker queues.

select a.name as [ChildName], a.object_id as [ChildObjectID], a.type_desc as [ChildType], a.internal_type_desc as [ChildTypeDesc],

a.parent_id as [Parent_ObjectID], b.name as [Parent Name], b.type_desc as [Parent_Type]

from sys.internal_tables a

inner join sys.objects b

on a.parent_id = b.object_id

So the issue still does NOT reproduce on SQL 2005 (same for SQL 2008). I then did the following repro on a SQL Server 2000 instance.

Repro on SQL 2000
1. Created a database on SQL 2000
2. Added File-group (FG2) and made it as default.
3. Took a backup of the database in SQL 2000.
4. Restored this to SQL 2005/2008.
5. System Services/Queues got created on FG2.
*Note: We cannot modify them because they are system objects.

6) The remove File command gives us this error,

Alter database test remove file fil2

Msg 5031, Level 16, State 1, Line 1

Cannot remove the file ‘fil2’ because it is the only file in the DEFAULT filegroup.

7) Next up, I ran these commands.

dbcc shrinkfile(3, EMPTYFILE)

alter database test remove file fil2

This worked so far and in sys.database_files I see the status of file2 as OFFLINE. But unfortunately I still cannot remove the filegroup. It still says that it is not empty. Even though the emptyfile commands worked, the objects (SSB queues) still exist on FG2.

I followed same steps for a database created on SQL 2008 and took a backup and restored it again on SQL 2008 and issue did not reproduce. i.e. objects were created on Primary and none of them went to the Secondary FG. I did the same test on SQL 2005 Database backed up and restored to SQL 2008. This also did NOT reproduce the issue.

So, what did I learn out of all my testing (and precious time). Read on…

My Theory
This database had to have been restored from SQL 2000 to a higher version or been upgraded in-place from SQL 2000 to higher version? Tracking down the source of the original database would help us figure this out.

If yes, we now know the answer and that this behaviour is ByDesign and understood, i.e. how the system tables went to the secondary filegroup. This is because the non-primary filegroup FG2_fg was set as DEFAULT prior to backup from SQL 2000 or in-place upgrade. Once the upgrade was done, since SSB was newly introduced starting with SQL 2005, during the upgrade the upgrade scripts created these objects on the secondary filegroup since it was set as the default filegroup.

Verifying My Theory
To confirm if an in-place upgrade was done, we can look in sys.database_files DMV and look at the column file_GUID. The file_guid column will be NULL if the database was upgraded from an earlier version of Microsoft SQL Server. (Upgraded only, not for a Restore).

I have to thank the SQL Storage Engine folks for thinking about this kind of a scenario and capturing such detailed info in the catalog views. Thanks Folks!

I went back to my customer’s database and looked at the sys.databases output and I noticed this,

file_id	file_guid	type	type_desc	data_space_id	name	physical_name
1	08C43589-1462-4492-8778-D4BCA128ED66	0	ROWS	1	test_Data	C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\test_Data.mdf
2	A7ADDAF4-0425-4BB8-988C-FE260A41331C	1	LOG	0	test_Log	C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\test_Log.ldf
5	3542AAD9-4AC4-499A-90B8-D342D0CBFFE6	0	ROWS	1	test_Data2	C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\test_Data2.ndf
6	NULL	0	ROWS	2	fil2	C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\fil2.ndf
7	12D108E4-DEEE-4302-A61A-AD6FE21B5EF3	0	ROWS	1	test_Data3	C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\test_Data3.ndf

Notice that for data_space_id=2 which is for the secondary filegroup FG2_fg, the file_guid column has a value of NULL !!!
EUREKA!!!

This confirms that this instance/database was indeed upgraded from an earlier version of SQL 2000/7.0 to SQL (2005/2008). This behaviour is by design and we now understand how the system SSB objects were created on secondary filegroup.

Conclusion

Q: Why cannot we remove the file and filegroup?
Ans: Because of the above mentioned queue_messages objects which are present in the secondary filegroup. If there were user-created service broker queues/services then they can be Dropped or Altered to move them to the primary filegroup. Since these came as part of the database during DB Creation, they cannot be modified/dropped/moved. Hence, we cannot remove the filegroup.

Q: How did these "system" objects get to the secondary file group?
Ans: These system objects became part of the database starting with SQL Server 2005 onwards. So, If you had a database in SQL 2000 and you upgraded that to SQL 2005/2008 these system objects will get created. But, in SQL 2000 if the secondary file-group FG2_fg was set as the DEFAULT file-group, then any new objects created without an explicit MOVE TO will go the default filegroup. So when you upgrade the database to SQL 2008 these automatically got created on the secondary file-group.

Q: What data do I have to prove that the theory above is true in your case?
Ans: We store the information about each database file in sys.database_files DMV. There is a column called file_guid which when NULL indicates that the database/file was upgraded from an earlier version on SQL Server. So when I looked at sys.database_files in the database test, I saw the value for the secondary file as NULL.

Reference – http://technet.microsoft.com/en-us/library/ms174397(SQL.100).aspx

I spent some serious time to arrive at this conclusion and I am sharing this with the SQL community, so that it saves you some time. As always, stay tuned to theSQLDude for more…

Posted in Storage Engine | Tagged: default, empty, filegroup, queue_messages, remove, service broker, SQL | Leave a Comment »

The SQL Dude!

On-Disk & In-Memory Pages that teach you the SQL way of life!

The SQL DUDE

Blog Stats

Posts by Category

Archaic Posts

Partitioned By Date()

Recent Posts

Posts by Date()

NetworkedBlogs

Feed theSQLDude

Vistor’s Location (Eye of Sauron)

FREE Email Subscription

Other SQL Blogs

Facebook me

TroubleshootingSql

SQLServerFAQ

SQL Server CSS Engineers

Vistor’s Location (Gollum’s New Eye)

Posts Tagged ‘SQL’

Checklist for SQL Server Database Audit & Security Hardening

CHECKLIST: Security Audit of a SQL Server Database Instance

Quick SQL Server Info – Script

IO Cost in an execution plan–What it actually means?

SQL Server 2012 – Released and available for public download

The Dabbling Developer Series: Part1-Windows Service Management

PRB: Unable to remove secondary filegroup due to system service broker queues

On-Disk & In-Memory Pages that teach you the SQL way of life!

The SQL DUDE

Blog Stats

Posts by Category

Archaic Posts

Partitioned By Date()

Recent Posts

Posts by Date()

NetworkedBlogs

Hash Tags

Feed theSQLDude

Vistor’s Location (Eye of Sauron)

FREE Email Subscription

Other SQL Blogs

Vistor’s Location (Gollum’s New Eye)

Posts Tagged ‘SQL’

CHECKLIST: Security Audit of a SQL Server Database Instance