SQL Server 2000 SP 3: What's New in Security

,

SQL Server 2000 SP 3: What's New in Security

Service Pack 3 for SQL Server 2000 is huge. There are significant changes in

it and they apply to all three products: the core SQL Server, MSDE, and Analysis

Services. In the core SQL Server service pack are a whole host of new security

options from cross-database ownership chaining to changes to multi-server

administration (Windows authentication is now possible) to stored procedure changes like

with sp_changedbowner. In addition to the security changes, improvements have

been made to debugging, distributed queries, and replication. Because there are

so many changes, this article will only focus on the security changes with the

exception of those related to replication, because I'll cover all the

replication changes in a forthcoming article. I'll also be following up this

article with another one on some of the functionality changes in the core SQL

Server not related to replication (improved debugging and linked server

functionality).

The Install

When I first started up the SP3 install, I knew I was in a different world.

This service pack prompts you to set some things that are brand new. It even

checks to see if your SA password is blank! The install begins with the standard prompts

(the licensing agreement, which instance to upgrade, what account do you want to use to connect to SQL Server, etc.)

that come with all the SQL Server service packs but then follows with a few that require

your immediate action.

Left the SA Password Blank?

The Readme.htm

file indicates that if you have a SQL Server with a blank SA password, you'll be

prompted to set it, even if you have the SQL Server set to Windows

authentication only. The reason for this is simple: if an attacker can access

and modify the registry, it's a simple matter to toggle the server to Mixed

Mode, at which point the SA account is now insecure. So just to see what would

happen, I installed SP3 on a test instance with a blank SA password. Sure

enough, I was greeted by the dialog box shown in Figure 1.

Figure 1: Prompted to set SA password

This is a good thing. The first two SQL Server worms that came out and

hounded us worked by connecting via port 1433 (the default) and then trying to

logon using the SA account with a blank password. If you get this prompt, set

the password! That goes even if you are using Windows Authentication. If you

don't see this warning, it means you have a password set on your SA account.

Cross-Database Ownership Chains (No Full Text)

The next dialog box is for cross-database ownership chains. (Figure 2).

Figure 2: Enable Cross-Database Ownership Chains

If you haven't heard about cross-database ownership chains, I'll talk about

that shortly. If you know what they are and plan on using them on the particular

SQL Server across all databases, check the box. There are some

important security considerations that have to be made when enabling

cross-database ownership chains, so if you aren't sure or have no plans to use

cross-database ownership chains or don't plan on using them on all databases, leave the check box blank. If at some later

point you want to enable them, you'll be able to do so.

Cross-Database Ownership Chains (with Full Text)

The only reason I differentiate between having and not having Full Text

installed for SQL Server is because the dialog boxes change. As Figure 3 shows,

not only does the setup program prompt whether or not you want to use

cross-database ownership chains, but it also has a checkbox for upgrading the

Full-Text Service. If you don't check the box beside Upgrade Microsoft Search

and apply SQL Server 2000 SP3 (required) the Continue button will be grayed

out. 

Figure 3: Cross-Database Ownership Chains and a Full-Text

upgrade

Service Pack 3 requires that you upgrade your Full Text Service. If you don't

want to, you can't apply Service Pack 3. Because Service Pack 3 upgrades the

Full Text Service, all full-text catalogs are rebuilt during the install

process. This is a full rebuild and will involve all the resource usage

you'd normally expect from such a process. So if you have full-text catalogs,

expect the rebuild to hammer your server until this process completes.

One thing the Readme points out is that users may get back no results or

impartial ones from Full-Text until the rebuild completes. Microsoft has some

suggested workarounds in the following Knowledge Base article (327217):

INF:

Installing SQL Server 2000 Service Pack 3 Rebuilds All Full-Text Catalogs

 The article also covers some of the errors you might see in the

Application Event Log due to the upgrade and rebuild of the full-text catalogs.

Basically, these errors indicate that Microsoft Search has started, it's

detected corruption in the indexes (because they were created by an earlier

version of Microsoft Search), and that it has completed the rebuild of the

catalogs. If you rely heavily on Full-Text in your environment, be sure to

review the article. 

Error Reporting Feature

The next dialog box (Figure 4) you'll see is one where you can send error

reports back to Microsoft. If you want Microsoft to receive such a report, check

the box. Now I'll readily admit that I'm on the paranoid side so I leave the box

unchecked. I understand its purpose, to allow Microsoft to collect what's

causing errors and what's running at the time, but basically I don't want any of

my systems communicating with others unless I've authorized it. Your mileage may

vary. But since we're talking about talking to a downstream system that's not

under your direct control, I've included it in with security. Like I said, I'm

paranoid when it comes to that particular subject.

Figure 4: Send Reports on Fatal Errors to Microsoft

One nice thing that I saw in the dialog box, though, is a link to information

on how to setup my own Corporate Error Reporting server (http://oca.microsoft.com/cerintro.asp).

Basically, you can redirect the error reports to a file share and then choose

later what reports you want to send off. If you decide not to go with Error

reporting, keep in mind you can always turn it on. The same is true if you want

to turn it off. 

Security Changes

There are quite a few significant security changes in Service Pack 3, some of

them changing functionality quite a bit. I'll go down the list in the same order

as they are presented in the Readme.

System Stored Procedure: sp_change_users_login

The system stored procedure sp_change_users_login is used to try and

reconcile orphaned users in a database. One of the options is to run the stored

procedure with @Action = 'Auto_Fix' though this is generally not recommended.

With this option, if SQL Server can't find the login to match the user, it'll

create it. Previously, these logins were created without a password. You'd have

to go in manually and set the passwords. Now you can define a password and any

login added by this stored procedure will automatically be set to that password.

This ensures you don't create new accounts without passwords. The syntax is:

[EXEC] sp_change_users_login

    @Action,

    @UserNamePattern,

    @LoginName,

    @Password

OPENDATASOURCE and OPENROWSET Disabled By Default

Microsoft calls this "Ad hoc access to OLE DB Providers" and what

these two commands allow for is a user to create a temporary linked server

connection (for the query only) using OLE DB. An administrator doesn't have to

defined a linked server connection prior to the query being executed. The way

SQL Server knows whether or not to allow these ad hoc connections is by querying

for the DisallowAdHocAccess value under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\MSDASQL

or for a named instance:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\<Instance Name>\Providers\MSDASQL

Previously, if the key didn't exist or if it was set to 0, the behavior was

to allow the ad hoc connection. However, with Service Pack 3 this has been

tightened down. Now if SQL Server doesn't find the registry key, it assumes ad

hoc access has been disallowed. For more information on how to use

DisallowAdHocAccess, see the following Microsoft Knowledge Base article

(327489):

HOW

TO:  Use the DisallowAdHocAccess Setting to Control Access to Linked

Servers

Cross-Database Ownership Chaining

This one is a big security concern and Microsoft even makes such warnings in

the updated Books Online. Here's why. Prior to SP 3, ownership chains worked on

the user accounts within a database. There was no way to cross from one database

to another and maintain the ownership chain. Cross-database ownership chains

still check to see if the owner is the same from object to object, but instead

of relying on the user mapping which is at the database level, it uses the login

of the owner, which is at the server level. I said before you can turn

cross-database ownership chains off and on and you can, at two levels. The first

is server-wide. To do this, go to the Security tab of the Server Properties in

Enterprise Manager (Figure 5).

Figure 5: Ownership Chaining at the Server Level

Alternately, you can use the sp_configure command to set cross-database

ownership chains. For instance:

EXEC sp_configure 'Cross DB Ownership Chaining', 1

RECONFIGURE

If you don't have cross-database ownership chaining turned on server-wide,

you can turn it on for individual databases. You can set it under the Options

tab of the Database Properties dialog box (Figure 6) through Enterprise Manager.

Figure 6: Ownership Chaining at the Database Level

Using T-SQL, you can use sp_dboption to set whether or not a database allows

cross-database ownership chaining. Here's an example where I set the pubs

database to use cross-database ownership chaining:

EXEC sp_dboption 'pubs', 'db chaining', 'true'

You can turn cross-database ownership chaining on for every

database but master and model. You cannot turn it off (and it's set

automatically) on msdb. These are rules built into the sp_dboption stored

procedure now. Part of the reason master and model is blocked is because of

security concerns. Since cross-database ownership chaining means SQL Server

doesn't perform a permissions check when crossing database lines if the owner is

the same on all objects (or more accurately they have the same login as the

owner), this means someone could use cross-database ownership chaining to get at

information they wouldn't normally be able to access.

Let me give an example. I have a user database, MyDatabase,

which allows cross-database ownership chaining. I have another database,

Private, which also allows cross-database ownership chaining. Let's say the

objects in Private are owned by dbo (which maps to the SA login). I have a user

who is a db_owner of MyDatabase but who is mapped to a user in Private, but is

severely restricted in what he can see or do. There is a particular table,

Secrets, this user wants to look into. All the user has to do is create a view

(I'll call it ViewSecrets) that does a

SELECT * FROM Private.dbo.Secrets

and make that view owned by dbo. Since both objects map back to

SA as the owner and both databases are set to use cross-database ownership

chaining, SQL Server won't check the permissions when this user queries against

ViewSecrets and it crosses over to the Private database. The user has access to

a table he shouldn't have! This is why Microsoft recommends you only use

cross-database ownership chaining on a server where all databases require its

use.

There is one saving grace with cross-database ownership

chaining, and that is the login executing the query requiring cross-database

ownership chaining must have a mapped user in all referred databases, even if it

defaults to the guest user. So if the user mentioned in my example didn't have a

mapped user in the Private database and I didn't have the guest user enabled,

SQL Server will return an error code on the view creation (Figure 7):

Figure 7: Not a Valid User

So if a particular user doesn't have a mapped user into the

database, cross-database ownership chaining won't work.

System Stored Procedure: sp_changedbowner

Prior to SP3, both a member of the sysadmin fixed server role and the current

database owner could execute the sp_changedbowner statement. However, as of SP 3

this stored procedure has been tightened down to where only a member of the

sysadmin role can execute the query. If the current database owner tries to do

so, SQL Server won't permit it. In Figure 8 I've queried against sysdatabases to

show that MyUser is the owner of MyDatabase but even with this, SQL Server still

says MyUser doesn't have sufficient permissions to change the object ownership.

Figure 8: Can't Change DB Ownership

If you have personnel assigned to the db_creator server role creating

databases for users then reassigning the database ownership, you'll have to

change your procedures. Only sysadmins can reassign ownership.

Multi-Server Administration

Prior to Service Pack 3 if you wanted to use multi-server administration, you

had to setup your SQL Servers in Mixed Mode. This is because the connecting

piece was all based on a SQL Server login. With Service Pack 3, the connecting

login can be a Windows authenticated login. This means that if you have SQL

Servers in your environment that are set for Windows authentication only, you

can now use multi-server administration to manage SQL Agent jobs on those

servers.

With the addition of Windows authentication to multi-server administration

comes a new extended stored procedure: xp_sqlagent_msx_account. The syntax of

xp_sqlagent_msx_account is:

[EXEC] xp_sqlagent_msx_account

    { N'SET' | N'GET' | N'DEL',

    N'<domain>',

    N'<user>',

    N'<password>'

The <domain> parameter is reserved for future use. If you want

multi-server administration to run under the context of the SQL Server Agent

service account, leave all of the parameters after N'SET' blank. For instance:

-- For Windows Authentication

EXEC xp_sqlagent_msx_account

    N'SET',

    N'',

    N'',

    N''

To use a SQL Server account, specify the user and password. For instance:

-- For SQL Server Authentication

EXEC xp_sqlagent_msx_account

    N'SET',

    N'',

    N'MyMSXAccount',

    N'MyPassword'

When you change the MSX account, you'll need to stop and restart SQL Server

Agent. That's all there is to it. Otherwise, Multi-Server Administration works

as it always has with one key exception: Multi-Server Administration is not

backward compatible with target servers running a version of SQL Server prior to

SQL Server 2000 SP 3 (this include SQL Server 7 target servers).

Because of this, Microsoft recommends upgrading all of the target servers

first and then prepping the master server by ensuring the account you'll be

using for multi-server administration has the appropriate rights to function in

such a manner. For Windows authentication:

EXEC sp_grantlogin 'MyDomain\MyUser'

GO

USE msdb

GO

EXEC sp_adduser 'MyDomain\MyUser', MyDomain\MyUser', 'TargetServersRole'

GO

 and for SQL Server authentication:

EXEC sp_addlogin 'MyLogin', 'MyPassword', 'msdb'

GO

USE msdb

GO

EXEC sp_adduser 'MyLogin', 'MyLogin', 'TargetServersRole'

GO

If you follow the procedure outlined in the Readme (make sure the account is

added properly on the Master server and upgrading all of the target servers

before upgrading the Master server), you should be okay. Keep in mind that

backward compatibility break, though. Either all of your target servers will

have to be upgradable to SQL Server 2000 SP 3 or you'll have to leave the master

server in a version prior to SP 3. If it's the latter, you'll still be unable to

use Windows authentication for the MSX account.

Job Owner Verification for Writing Log Files

In Service Pack 3, SQL Server Agent now verifies whether or not the job owner

for a particular SQL Server Agent job has the proper permissions to write a log

file. If it does not, the job still succeeds, but no log file is written. If the

job owner does have rights and a log file is called for, the log file will be

written. In either case, all errors should make it to the SQL Server Agent Error

Log. There are three scenarios SQL Server Agent looks at:

  • If the job owner is a member of the sysadmin role, then the job output can

    automatically be written and it will be.

  • If the job owner is a Windows user, SQL Server tests to see if the user

    has rights to append or overwrite the log file in the location specified. If

    it can, the log file will be written.

  • If the job owner is a SQL Server user, SQL Server checks to see if the SQL

    Server Agent proxy account has rights. If it doesn't or there is no proxy

    account set, no log file is written.

The log file will still be written using the SQL Server Agent credentials,

but the security check occurs so that SQL Server Agent will write the log files

only when the job owner has the right to do so.

DTS Packages Cannot Be Saved to Meta Data Services by Default

Prior to SP 3, you could write a DTS package to SQL Server, to a structured

storage file, to a Visual Basic file, and to Meta Data Services. However, with

SP 3 the save to Meta Data Services is disabled by default, though you can turn

it on. If you want to activate it, right-click on Data Transformation

Services and choose Properties from the pop-up menu. In the Package

Properties (I think it's misnamed), you can turn on saving to Meta Data

Services (Figure 9).

Figure 9: Enabling Save to Meta Data Services

The reason SP 3 disables the save is because a save to Meta Data Services

isn't considered secure. In fact, if you decide to turn on the option to save to

this location, SQL Server will prompt you to make sure you are aware that Meta

Data Services isn't considered secure (Figure 10).

Figure 10: Security Warning for Meta Data Services

I don't typically save to Meta Data Services, but if you have a need to, be

aware that you'll need to activate the ability to save to that location once you

apply Service Pack 3.

Error Reporting

I mentioned that if you need to adjust your error reporting you could do so

after the service pack installation. In Enterprise Manager you can toggle error

reporting by viewing the Server Properties. The General tab has a checkbox for

Error Reporting (Figure 11).

Figure 11: Enable Error Reporting

The value for Error Reporting is stored in the Registry in the

EnableErrorReporting value for the default instance at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\SETUP

and for named instances:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<Named

Instance>\SETUP

Summary

Service Pack 3 has a lot of security changes built in; it's truly a

phenomenal list. Some of the new security features, such as cross-database

ownership chains and the ability to use Windows authentication for Multi-Server

Administration come with some "gotchas" that you really need to

understand fully before implementing in your environment. Hopefully I've covered

all of them in enough detail to give you a good fundamental understanding of

what's going on with this new service pack. With that said, nothing beats

getting it in a development environment and testing each option out fully. I

know I spent several hours testing cross-database ownership chains when the

first beta build came out. I repeated my testing when the public version of

Service Pack 3 came out just to be sure nothing had changed. Get your hands on

it and play. That's the best advice anyone can give.

Downloads:

Rate

Share

Share

Rate