Server Access
What tools and commands are available to a malicious insider to access resources (data/software) on a Windows server, be it Win2k, 2003, 2008 etc.? Say for example a naughty employee (domain user) finds that the server (domain member server) that houses
the payroll database has a weak local administrator password: what tool / command could they use to then get access to the server itself, be it software with a GUI or command line prompts? Is there any best practice to limit what tools users have available
to them so even if a weak password exists they have a limited arsenal of default Windows tools to get access onto the server? A full list of tools/software/commands that could be used would be great so I can quantify the risk.
If I was aware of any I wouldn't post them on a public forum, I'm afraid. As already stated, your best line of defence is to harden your servers against attack regardless of the form it comes in. When securing your home, do you try to stop
everyone in the neighbourhood having access to crowbars and hammers, or do you fit locks and alarms to your house?
Maybe start by looking at the Microsoft Security Compliance Manager toolkit here -
http://www.microsoft.com/downloads/details.aspx?familyid=5534BEE1-3CAD-4BF0-B92B-A8E545573A3E&displaylang=en
If you have any specific questions about applying and enforcing security settings just post again and I'm sure we'll be able to help you more.
Best regards
Joe Dunn
MBCS, MCITP:EA, MCSE, CCNA
Similar Messages
-
I have a web application developed through VS 2012 which has a button on a form that when operated starts a SQL Server agent job on the server that runs an SSIS package. The website and the instance of SQL Server with the agent and SSIS package are
on the same windows 2008 r2 server. When the button is operated no exceptions are raised but the SSIS package did not execute.
When I look in the logfileviewer at the job history of the sql server agent job I see that the job failed with message...
The job failed. Unable to determine if the owner (DOMAINNAME\userid) of job runWebDevSmall has server access (reason: Could not obtain information about Windows NT group/user 'DOMAINNAME\userid', error code 0x6e. [SQLSTATE 42000] (Error 15404)).,00:00:00,0,0,,,,0
...even though DOMAINNAME\userid is in the logins for the sql server and has admin authorities.
Could someone show me what I need to do to get this to run? Thanks tonnes in advance for any help, Roscoe
This can happen when the network is too slow to allow a timely completion of the verification, or the account running it has no such right.
I suggest you try using the SA account for the job as it does not require polling the AD.
Arthur My Blog -
I have a SQL 2008 R2 system (10.50.4000) where I'm having problems connecting any user that is not a SysAdmin. Example: I setup a new SQL Login to use Windows Authentication and grant that user db_datareader on the target database. The user attempts
to connect using Excel client or Access or SQL Management Studio and receives Error 18456. The SQL Server Logs shows Error 18456 Severity 14 State 11 Login Failed for user _ Reason Token-based server access validation failed with an infrastructure error.
The strange part is that if I temporarily grant the user the sysadmin server role then the user can connect successfully and retrieve data. But, if I take away that sysadmin server role then the user can no longer connect but again receives the Error
18456 Severity 14 State 11 Login Failed for user _ Reason Token-based server access validation failed with an infrastructure error.
We've turned off UAC on the client machine to see if that was the problem, but no change.
I have dropped and re-added the user's SQL Login (and the related database user login info). No success.
The Ring Buffers output shows:
The Calling API Name: LookupAccountSidInternal
API Name: LookupAccountSid
Error Code: 0x534
Thanks for any help.
-Walt
Yes, you understand correctly. The user is logging onto a workstation (not the server) with a Windows Authenticated id. The user is using either Excel or Access or SSMS and connecting to the server using a Windows Authenticated SQL Login account.
If the account has sysadmin role (which is only for testing) then the connection is successful. If I take away sysadmin role from the account then the connection is unsuccessful and the SQL Server Log shows Error
18456 Severity 14 State 11 Login Failed for user _ Reason Token-based server access validation failed with an infrastructure error.
(SQL Authentication is not an option here. I must use Windows Authentication).
Any other troubleshooting assistance you can offer would be appreciated. Thanks.
-Walt -
RE: Database (SQL-SERVER) access problem
Have you used NT Control Panel/ ODBC to set up the ODBC data source name?
You have to define the data source (database) SecTrade as well as the
driver to be used (SQL Server). This can be done by selecting the Add
button on the Data Sources screen in Control Panel/ ODBC.
Hope this helps.
Sanjay Murthi
Indus Consultancy Services, Inc.
From: Administrator
Sent: Wednesday, August 13, 1997 6:49 PM
To: "'[email protected]'"
Cc: murthis; thyagarajm; thyagarm; vasasm; chandraa
Subject: Database (SQL-SERVER) access problems
MCI Mail date/time: Mon Aug 11, 1997 10:28 pm EST
Source date/time: Mon, 11 Aug 1997 19:25:34 +0530
Hi Forte-Users,
We have set up a SQL Server database on an NT server. In the Forte EConsole, we have set up an ODBC-type Resource for this server, named SERVER2_ODBC. This NT server is configured as a Client Node in the active Forte environment. Note that Server2 is not the Forte server, but has Forte installed. There is another NT server which acts as the Forte server. NODEMGR and SQL Server are running on SERVER2.
In our application, we have a DBSession SO with the database source as SERVER2_ODBC, Userid=ForteInstructor. When running the application, Forte throws an exception, the gist of it being as follows:
USER ERROR: (This error was converted)
Failed to connect to database: SecTrade, username: ForteInstructor.
[Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified
We have tried
1) Installing ODBC drivers on the NT server (Server2)
2) Accessing local databases from Forte clients, which works fine
3) Accessing the SQL Server database through Isqlw (SQL Server client s/w) - it works.
Could someone suggest what we should try to get rid of this problem?
Thanks for any help,
Kishore Puvvada
Rajsarawat wrote:
Dear sir/madam,
I have installed SQL Server 2005 (server) and on another computer installed the client. It installed successfully but on the client side it is not seen; from where should I start it? So please send me the procedure to install SQL Server 2005 on both sides (client and server).
You have to turn on network (external to your computer) access.
Under Programs -> SQL Server look for "surface" -
Shared Services and Essbase Server Access Question
Hi,
It seems that we have to assign Essbase Server access at the individual username level and that groups don't work when it comes to Essbase Server Access. Is this correct or are we doing something wrong and groups do work with Essbase Server access? We are on 11.1.1.3 Essbase/Planning/Shared Services.
Thanks
You can provision Essbase Server Access via groups but it must be the very first thing provisioned and pushed to Essbase. Then after that, provision your groups with other accesses such as Planning, Reports etc....
-
Token-based server access validation failed with an infrastructure error
Hi
We have a new Win 2008 Enterprise x64 server running SQL 2008
When we try to connect to the server using Windows Authentication, from a user account which is a domain administrator, we get the following message:
"Token-based server access validation failed with an infrastructure error"
What needs to be configured here for this to work ?
Thanks
Bruce
Hi,
I am encountering the same error message but it is more around the login. This problem happens only on one server but it is fine on another three; my investigation shows it is a ghost SID associated with the AD user account.
Background
1- An Active Directory (AD) account was created for a user [Domain\UserA]
2- A SQL login was created for the account above and then granted access to a number of databases
3- The AD account was renamed/modified to [Domain\UserB]
At this stage the user would encounter an error when connecting to the server
The sql log show this error message
Error: 18456, Severity: 14, State: 11.
Message
Login failed for user 'domain\user'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: xxx]
Action on Server 1 SQL (the one with the problem)
1- Dropped the user from the databases
2- Re-Created the login from the windows account [Domain\UserB]
3- Created the user in the respective databases
But the user is still unable to connect to the server
Investigation
On server 1, the SID of the user in SYSUSERS was Matching SYSLOGINS and matches with result of SUSER_SID(Domain\UserA)
But it does not match the SID in the AD
The rest of the servers all have the correct SIDs
When I use SUSER_SNAME(Incorrect-Sid) and SUSER_SNAME(Correct-Sid) on this server they both return [Domain\UserB]
The problematic server is always returning the incorrect SID when recreating the user login and when using SUSER_SID(Domain\UserA) as if it is cached somewhere.
I can't specify the SID when creating the SQL login because it is using the Windows account
Your ideas on how to fix this problem are much appreciated
Regards,
DGL -
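The checks below are an added example and are not code posted in either the Walt thread or the DGL thread above. The first query decodes the same RING_BUFFER_SECURITY_ERROR entries that Walt's "Ring Buffers output" came from (sys.dm_os_ring_buffers exists from SQL Server 2005 onwards); an Error Code of 0x534 there is the Win32 ERROR_NONE_MAPPED, meaning LookupAccountSid could not map the SID to an account. The second and third queries do the comparison DGL did by hand against SYSUSERS and SYSLOGINS: database users whose SID no longer matches any login, and logins whose stored SID differs from what SUSER_SID resolves right now. On DGL's server the third query would come back empty, because SUSER_SID there returns the cached SID; the authoritative SID has to be read from Active Directory outside SQL Server. Assumed: run by a sysadmin, with the second query run inside the affected database.

```sql
-- Added example, not from the thread.
-- 1) Decode the security-error ring buffer (the source of "The Calling API Name:
--    LookupAccountSidInternal / Error Code: 0x534" seen in Walt's post).
SELECT
    DATEADD(second, (r.record_time - si.ms_ticks) / 1000, GETDATE()) AS notification_time,
    r.error_code,          -- Win32 error as hex, e.g. 0x534 = ERROR_NONE_MAPPED
    r.calling_api_name,
    r.api_name,
    r.spid
FROM (
    SELECT
        x.value('(//Record/@time)[1]', 'bigint')                      AS record_time,
        x.value('(//Record/Error/ErrorCode)[1]', 'varchar(30)')       AS error_code,
        x.value('(//Record/Error/CallingAPIName)[1]', 'varchar(255)') AS calling_api_name,
        x.value('(//Record/Error/APIName)[1]', 'varchar(255)')        AS api_name,
        x.value('(//Record/Error/SPID)[1]', 'int')                    AS spid
    FROM (
        SELECT CAST(record AS xml)
        FROM sys.dm_os_ring_buffers
        WHERE ring_buffer_type = N'RING_BUFFER_SECURITY_ERROR'
    ) AS rb(x)
) AS r
CROSS JOIN sys.dm_os_sys_info AS si
ORDER BY r.record_time DESC;

-- 2) Run inside the affected database: Windows users/groups whose SID matches
--    no login on this instance (what DGL compared in SYSUSERS vs SYSLOGINS).
--    resolves_to shows what Windows says that SID is today.
SELECT
    dp.name             AS db_user,
    dp.sid              AS db_user_sid,
    SUSER_SNAME(dp.sid) AS resolves_to
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('U', 'G')      -- Windows user / Windows group
  AND dp.principal_id > 4        -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND sp.sid IS NULL;

-- 3) Logins whose stored SID differs from what the server resolves for the
--    same name right now, or whose name no longer resolves at all.
SELECT
    sp.name            AS login_name,
    sp.sid             AS stored_sid,
    SUSER_SID(sp.name) AS resolved_sid
FROM sys.server_principals AS sp
WHERE sp.type IN ('U', 'G')
  AND (SUSER_SID(sp.name) IS NULL OR SUSER_SID(sp.name) <> sp.sid);
```

The ring buffer is circular and only keeps recent entries, so run the first query soon after the failed login; a row whose api_name is LookupAccountSid with error 0x534 confirms that the failure is in SID resolution on the server rather than in SQL Server permissions.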
How to determine is it SMB - Remote SAM server access , false positive?
5583-0 right?
I would say that there are different types of false positives. Do you mean, how do I determine if what was seen actually represents an attempt to access the SAM database? I would start by looking at MySDN (or whatever Cisco is calling it these days...intellishield?). It's often not very up to date and missing information, but it's an easy thing to check. Here's the link for this sig:
https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5583&signatureSubId=0
If you look at the benign triggers, you'll see that it suggests that this only matters if the source is external. It's up to you whether to research any further. If you really want to inspect the signature further, you'll have to add one of the "log packets" actions. This will save a network trace when it fires again and then you can open it up in Wireshark, which understands SMB and will probably decode it enough for you to verify whether it actually was an attempt to access the "Remote SAM server". -
Essbase server access role - delete DB allowed?
Good morning everyone.
We have provisioned a group in Planning with the Essbase server access role which grants read level access to Essbase databases.
We have checked that a user assigned to this group can actually access Essbase DBs to execute calcscripts and report scripts and that it does not have permission to open the DB outline --but it apparently still has permission to delete a database (as seen in the following image: https://c69ee7db-a-62cb3a1a-s-sites.googlegroups.com/site/ktratsites/Home/delete_Essb_DB.png )
As you can guess, we have not tried whether this user could actually delete an Essbase database.
Can anyone confirm whether a user given the Essbase Server Access role could really delete an Essbase DB?
IMHO, this should not be possible.
Thanks a lot.
Best regards,
G.S.Feliu
It will show the option to delete but if you select it then it should display "Insufficient privilege for this operation"
Cheers
John
http://john-goodwin.blogspot.com/ -
Monitors: SQL Server: Access Methods: Full Scans/sec
Hello,
I created a Monitor:
Monitors: SQL Server: Access Methods:
Full Scans/sec
It appears in Health Explorer on the servers
but is not available in the Performance Data for the Views...
What did I miss? I need to create a rule but which type ? linked to the monitor?
Should I use a Rule or a Monitor or a combination?
Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
Hello,
I got on the servers the
1200:New Management Pack(s) requested. Management group "SCOM-MED", configuration id:"68 D8 86 93 7A 48 27 13 C0 6F B2 76 3C A4 07 87 DA 53 22 7F ".
1201:New Management Pack with id:"xxxx.SQL.Servers", version:"1.0.0.1" received.
1207... Rule/Monitor "Microsoft.Windows.SystemCenterDPM.DPMServerDiscovery" running for remote instance "MSQLCL1SQLBU.ad.medctr.ucla.edu" with id:"{A3100D57-1657-A51E-CD3E-6ACF2679A501}" will be disabled as it is not remotable.
Management group "SCOM-MED".
1210 New configuration became active. Management group "SCOM-MED", configuration id:"68 D8 86 93 7A 48 27 13 C0 6F B2 76 3C A4 07 87 DA 53 22 7F ".
still waiting ...
1204: Management Pack with id:"xxxx.SQL.Servers", version:"1.0.0.1" is no longer used by HealthService and will be deleted from cache.
Is this 1204 okay !!!!!
Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager -
How to disable SSLv3 and RC4 on Lync Server Access Edge?
We use Lync Server 2013.
How to disable SSLv3 and RC4 on Lync Server Access Edge?
This solution https://technet.microsoft.com/en-us/library/security/3009008.aspx doesn't work
Hi dizen,
To completely disable RC4, you can create the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
For more details, please check out this KB.
http://support.microsoft.com/kb/2868725
Best regards,
Eric -
Adding Essbase Server access to Planning Application group
Hi All,
How can we add Essbase server access to a Planning Application group in Shared Services? Please advise.
You can't provision access against any application group.
However, you can create and use native user groups or use external user groups and provision those groups to have access to Essbase and Planning.
See this post for an example of how I like to set up groups in Shared Services for Planning:
http://camerons-blog-for-essbase-hackers.blogspot.com/2009/08/planning-security-wrong-way-and-right.html
The top level group I refer to in the post is where I typically grant Essbase Server Access.
Regards,
Cameron Lackpour -
Failed Logins - Token Based Server Access Validation Failed
Hi All-
I am trying to track down, well for lack of a better word (an annoyance). I have a VM running a proprietary utility (VMware update manager) that connects to a remote SQL VM. This connection is via a service account that from the surface has the
appropriate permissions. The setup and utility has been in and is working as it should. However in our logs we are constantly seeing.
SQL Event Viewer - Login failed for DOMAIN/REMOTESERVERNAME$ Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors [CLIENT: REMOTEIP OF REMOTESERVERNAME]
Then in the SQL Logs I am seeing the same error and also - ERROR 18546, Severity 14, State 11
I have read dozens of threads - pointing to UAC. I have elevated SSMS via UAC and allowed it to run as administrator. Also ran as admin, and reapplied the permissions to that service account, db_owner
What I have read is about AD/user account. However in this case I am seeing the remote server name, not service account. Got me thinking a service is running as network or local system, and phoning home to SQL. However everything I see
is using the service account for that utility. Also in the event viewer in the security portion for that same time, I see the login and log off as successful. Could anyone try to point me in the right direction, without flat out adding the servername
to the local SQL VM administrators group.
Thank you in advance for any assistance.
Rather than adding the machine account to the admin group, you could do:
GRANT CONNECT TO [Domain\Remoteservername$]
And then you could set up a logon trigger that captures information about the login. That would include app_name() as well as the Windows process id. This could help you track exactly which process is knocking on the door.
Erland Sommarskog, SQL Server MVP, [email protected] -
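One way to build the logon trigger Erland describes, written here as an added example rather than anything posted in the thread. It records APP_NAME(), HOST_NAME(), the client address from EVENTDATA() and the client's Windows process id (host_process_id from sys.dm_exec_sessions) for one machine-account login; the login name and the audit table are placeholders. Two points matter in practice: a logon trigger fires only after the login has been authenticated and authorised, so it records nothing until CONNECT has been granted as above, and an error raised inside a logon trigger refuses the login, which is why the insert is wrapped in TRY/CATCH (if a logon trigger ever locks everyone out, the dedicated administrator connection still bypasses it).

```sql
-- Added example, not from the thread. Login name below is a placeholder.
USE master;
GO
CREATE TABLE dbo.LogonAudit
(
    audit_id        int IDENTITY(1, 1) NOT NULL PRIMARY KEY,
    logon_time      datetime NOT NULL DEFAULT GETUTCDATE(),
    login_name      sysname NOT NULL,
    client_host     nvarchar(128) NULL,  -- address the session came from (EVENTDATA)
    app_name        nvarchar(128) NULL,  -- what the client announced itself as
    host_name       nvarchar(128) NULL,  -- client machine name as reported by the client
    host_process_id int NULL,            -- Windows PID on the client machine
    program_name    nvarchar(128) NULL
);
GO
CREATE TRIGGER trg_audit_machine_account_logon
ON ALL SERVER
WITH EXECUTE AS 'sa'          -- lets the audited login write to master.dbo.LogonAudit
FOR LOGON
AS
BEGIN
    -- Only the login under investigation; every other login passes untouched.
    IF ORIGINAL_LOGIN() = N'DOMAIN\REMOTESERVERNAME$'   -- placeholder machine account
    BEGIN
        BEGIN TRY
            INSERT INTO master.dbo.LogonAudit
                (login_name, client_host, app_name, host_name, host_process_id, program_name)
            SELECT
                ORIGINAL_LOGIN(),
                EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(128)'),
                APP_NAME(),
                HOST_NAME(),
                s.host_process_id,
                s.program_name
            FROM sys.dm_exec_sessions AS s
            WHERE s.session_id = @@SPID;
        END TRY
        BEGIN CATCH
            -- A raised error here would deny the login; log to the error log instead.
            PRINT 'LogonAudit insert failed; login allowed anyway';
        END CATCH;
    END;
END;
GO

-- Review what has been captured, then drop the trigger once the process is identified.
SELECT logon_time, client_host, app_name, host_name, host_process_id, program_name
FROM master.dbo.LogonAudit
ORDER BY logon_time DESC;
-- DROP TRIGGER trg_audit_machine_account_logon ON ALL SERVER;
```

Pairing host_process_id with host_name is what ties a row back to a specific service on the remote VM: the PID can be matched against the process list on that machine at the time of the logon, which answers whether the connection came from the utility's service account or from something running as the machine itself.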
Hi all,
where would i get temporary BI server access to practice config (sand box env)?
Thanks
Hi,
You have to pay; you can get it from LearnSAP.com. You have to pay for their membership. Need any help?
Mail me [email protected]. I am a member, I can get you for less.
Regards,
Andy -
I am receiving "LabVIEW: VI Server access denied." from TestStand 2010. This is using LabVIEW 2011 on Windows 7 but only started happening after I had transitioned to using the Run-Time engine for a while.
I ran into this when trying to convert back to the development system for the configuration adapter due to needing to update some 130 steps worth of prototypes which takes a long time to do while running the run-time engine version.
Thanks
Thanks for the response Alexandra,
1) The project and VI both run perfectly fine on the same system from the development environment.
2) The LabVIEW module is a conglomeration of various instrument calls to accumulate some amount of data which is returned to Test Stand for Pass/Fail status and logging.
3) I can run the sequence with TestStand LabVIEW Adapter configured for the RunTime, setting the LabVIEW adapter to Development System is when the VI Server access denied appears.
4) System has always been a development system, I just switched the adapter over to RunTime engine to speed up operation of the test, now I am in integration with hardware and made a few changes that need to be updated in the sequence. I brute forced the update with runtime, but it took several hours to do for a 140+ step test.
5) The only additional toolkit for LabVIEW is the FPGA one I believe, everything else is standard LabVIEW Professional.
Thanks,
James -
BizTalk Published Web Service unable to consume, Token-Based Server access validation error
Hi, We have developed a BizTalk application and we have published as web service, but when we are trying to consume the application we are getting the an error and its logged
in event log.
While deploying we have allowed Anonymous user access for the web services as well.
Following are the error details -
"Login failed for user 'IIS APPPOOL\ASP.NET v4.0 Classic'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <local machine>]"
I tried to change it to another App Pool as well. It seems an issue with permissions related to the BizTalk user/group.
Please suggest which app pool we should select or whether we should give permissions to App Pools.
The user of the App Pool should be part of "BizTalk Isolated Host Users Group".
In your case user is "IIS APPPOOL\ASP.NET v4.0 Classic", so either you add this user to BizTalk Isolated Host Users
Group or create a new App Pool with new user. I would suggest to go for new user specific to BizTalk.
This permission is required because IIS(App Pool(w3wp.exe)) will be publishing new messages to BizTalk Databases. So they should have required permissions to do that and in BizTalk we have a default group for the same, as suggested by Shankycheil.
BizTalk Isolated Host Users
The default name of the first Isolated BizTalk Host Group created by Configuration Manager. Isolated BizTalk hosts not running on BizTalk Server, such as HTTP and SOAP.
Use one BizTalk Isolated Host Group for each Isolated Host in your environment.
Contains service accounts for the BizTalk Isolated host instance in the host that the Isolated BizTalk Host Group is designated for.
BTS_HOST_USERS SQL Server Database Role in the following databases:
BizTalkMgmtDb
BizTalkMsgBoxDb
BizTalkRuleEngineDb
BizTalkDTADb
BAMPrimaryImport
Thanks,
Prashant
Please mark this post accordingly if it answers your query or is helpful. -
"mail" server access info and messages deleted
Earlier today through an errant instruction, the server access info for Mail 4.6 was inadvertently deleted. This process also deleted all the messages viewable in
Mail's mailboxes: In/Sent/Trash !
From Time Machine, I restored the server access information and the deleted messages!
All of the restored messages now appear as nnnn.emix (as expected) in Home/Mail/POP email address/INBOX.mbox/messages. Similarly for Sent Messages & Deleted Messages.
However, only new messages since restore appear in Mail!!! The restored messages do not appear (although they appear as nnnn.emix in Finder)!
What am I missing here?
WOOPS!
My statement above about seeing current messages in Mail is only "partially correct." I find that if I close out Mail... then reopen the program, the messages that were there have disappeared... and, they've similarly disappeared from the nnnn.emix files in Finder!
So... something is clearly amiss!