For those SQL admins who have managed their SQL backups using SQL dumps have had to wrestle with file sizes for many years.   There are better ways of backing your databases up using things like SQL connectors to a backup software like CommVault or other backup programs but many times you just need a SQL Dump file.    Depending on the size of the data in the Database they can be quite large.  

The good news is that there is lot of empty space in those files and they compress very well.   But the bad news to go with that is if they are larger files you will find yourself having issues with programs like WinZIP. 

With SQL 2008 this is no longer an issue because it will perform compression natively during the creation of the SQL dump file.    To compress the backup use the following command syntax:

BACKUP DATABASE <database name> TO <backup Device> WITH COMPRESSION

To take that to the next level and set compression on by default for all database dumps execute the following commands:

EXEC sp_configure ’show advanced options’,1

RECONFIGURE

ESEC sp_configure ‘backup compression default’,1

RECONFIGURE

So no more large SQL dump files.    As if you needed another reason to upgrade your SQL Servers.

Go To Start —>Run —-> Type "cmd" and hit enter.
In the command line type systeminfo | find /i "install date"

Hackers love information about your network.  If you are not using Host Headers on your IIS website then IIS could be returning the IP address of the machine in the TCP header of the response.   In single server situations where the server is in a DMZ of a firewall, the machine is most likely using the same address that DNS resolves.   If this is the case, it may not matter as much because it is giving away information that that is freely available through DNS anyway.   

This becomes more of an issue where you have a load balancing device like a Cisco CSS or ACE device distributing the traffic across multiple servers.   In this situation you would not want the server to return it’s configured IP address because you would be providing information about your network that could be used against you. 

Microsoft in Q834141 states there are 2 options to fix this issue.    Two solutions provided have a patch requirement.   This shouldn’t be a problem because no one in their right mind would run a server accessible on the Internet that wasn’t fully patched..  Right?    I will also provide another option that I will call Option TRF.

Here are the Options for your reading pleasure…

Option TRF (easiest):

1. Configure all your websites to use Host Headers.    Most if not all modern browsers support host headers.  This will fix the issue and will not require a reboot or force you to confirm patch levels.    I do still recommend that you keep your sever patched. 

Microsoft Option 1: Set the UseHostName property

To set the UseHostName property, follow these steps:

1. Click Start, click Run, type cmd, and then click OK to open a command prompt.
2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following:       %SYSTEMROOT%\Inetpub\AdminScripts
3. Type the following command, where x is your site identifier: cscript adsutil.vbs set w3svc/x/UseHostName true

Microsoft Option 2: Set the SetHostName property

To set the SetHostName property, follow these steps:

1. Click Start, click Run, type cmd, and then click OK to open a command prompt.
2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following:        %SYSTEMROOT%\Inetpub\AdminScripts
3. Type the following command, where x is your site identifier and hostname is the alternate host name that you want to use: cscript adsutil.vbs set w3svc/x/SetHostName hostname

There has always been a gray fuzzy line on how much access does a DBA give to a developer working on a production database.   Too little access and they developer can’t do their job without involving the DBA and too much access has it’s own set of problems and is just not a good security practice.

It is common practice for developers to want to trace a SQL process to troubleshoot a problem or error.   In SQL 2000 you had a choice to either involve the SQL administrator each time you needed to run a trace, or have system administrator rights on the SQL server and do it your self.  SQL 2005 changes this with its server level permissions.  Using the following SQL command you can grant tracing permission to a SQL user.

GRANT ALTER TRACE TO username

In a previous posting, I mentioned the risks of the “xp_cmdshell” extended stored procedure and how to disable the command.    It is a good step towards a more secure SQL installation but more can be done.   In that same article, I mention that many SQL installations run the SQL services using the local system credentials.    It is recommend that you follow these steps and run the services as a user with as little rights as possible on the SQL host machine.  Note: I am going to assume this server is part of active directory, although the process is pretty close to the same for a stand alone server. 

First, you need to create a user for the SQL services.   Follow these steps:

1. Create a user called “sqluser” and give it an appropriately complex password. 
2. Create a global security group called “sqluser_group” .  
3. Open the properties of “sqluser” and go to the “member of” tab.
4. Add the sqluser to the “sqluser_group”.  
5. Making sure the “sqluser_group” is still selected click the “Set Primary Group” button.
6. Highlight the “domain users” group and click the remove button   

We now have  a user that can only authenticate to the domain and has no domain right (with the exception of rights granted to everyone).   

Next is to tell SQL to run as the newly created account.   The steps to do this are as follows:

SQL 2005

1. Open SQL Server Configuration Manager and connect to the instance using an account with administrative privileges.
2. Select SQL Server 2005 Services
3. Double click the SQL Server instance you want to reconfigure.
4. On the “Log On” tab, select “This account” and fill in the Account name and password fields.
5. Click “OK” to finalize the change

SQL 2000

1. Open SQL Server Enterprise Manager
2. Connect to the server or instance you are wanting to reconfigure.
3. Right click on the server and select properties.
4. Navigate to the “Security” tab.
5. Select “This account” and fill in the account and password field. 
6. Click OK.   When prompted, enter the password again to verify it.

Both versions require you to restart the services in order for the changes to take effect.   I also caution you to not make these changes in the services control panel.   While that may seem faster, it will not work.   SQL explicitly grants NTFS and registry permissions to the account when you follow this process.  It only grants the rights it needs to run.

If you have SQL data or write SQL backup files in any directory other than the default directories, you will need to explicitly grant NTFS change permissions to the user account.

Following these steps will get you one step closer to a more secure SQL installation.

Windows server security has been a hot topic for many years now.  Password complexity, periodic password changes, restrictive NTFS rights are all great steps toward a secure Windows installation.   Unfortunately many system administrators leave a big hole in their SQL sever installations by letting the SQL services run under the local system account.   This account has local admin privileges and therefore any process executed by the SQL server or SQL agent are running with those privileges.

Enter the “xp_cmdshell” extended stored procedure.   This procedure will allow you to execute commands as if you were typing them in a command window under the windows account that SQL sever is configured to run.   If that account is the local system account, the process has full access to the user database, file system and registry.  

In a situation where a username and password is compromised in SQL (this can be common on accounts with password that don’t change) a hacker can basic tools to further compromise your system.   A common hacking attempt would be to execute the extended stored procedure to first create an account, then another command to give them local administrative rights to the local server.  It can do this if SQL is running as a local administrator equivalent.  Now they have complete access to the system with a “valid” account.  They can now install new software, turn on RDP, fetch backup files, replace files…  it is pretty much endless path of destruction.  In addition, by being a local administrator, they also now have DBO access to all the databases in your SQL installation making things worse.

Now that I have  spread a lot of doom and gloom about a single SQL command, let me tell you the best way to prevent it.    If you aren’t using it…   Disable it.    Log into Query Analyzer (SQL 2000) or Management Studio (SQL 2005) as SA or SA equivalent and run the following command:

-- Allow advanced options to be changed.

EXEC sp_configure 'show advanced options', 1

GO

-- Update the currently configured value for advanced options.

RECONFIGURE

GO

-- Disable the feature.

EXEC sp_configure 'xp_cmdshell', 0

GO

-- Update the currently configured value for this feature.

RECONFIGURE

GO

I am sure that some readers will say that this is a handy command.   I agree it is, but use it wisely and grant permission to it sparingly or change the windows account that the SQL services are running.    Look for more of this in the future.

Chances are that if you have just done a fresh install of SQL 2005 you will get an error when you try to create your first SQL 2005 maintenance plan.   This error tells you that the “‘Agent XPs component is turned off as part of the security configuration for this server”  and refers you to your system administrator or the SQL Books Online.

In order to enable the “Agent XPs” component. Start up SQL Management Studio and click the “New Query” button on the tool bar.   Execute the following script in the query window (on the right hand side of the screen) . 

sp_configure 'show advanced options', 1;

GO

RECONFIGURE;

GO

sp_configure 'Agent XPs', 1;

GO

RECONFIGURE

GO

If you are using Microsoft’s file replication services (FRS),  I am sure you have found a need to monitor the status of a FRS replica set.  Microsoft has a tool called Sonar.exe that will help you keep keep your eye on what is going on and help you diagnose replication problems.

Diagnose your replication problems download Sonar.exe.

Technorati Tags: Microsoft – FRS – File Replication Services

I have been using VMWare for a while and love the feature to mount an ISO file as a drive letter in the virtual environment.  It extremely convenient and it is much faster than using CDs or DVDs to do installs.   Recently I found the need to use an ISO file.  Sure I could burn the file to a CD or DVD and use it, but I wanted to realize the speed and convience that I was used to in my Virtual environments.

I have used the demo of Alcohol in the past and liked it but didn’t really want to pay anything to use it.  Yeah, I can be cheap sometimes.   So I did some searching and stumbled upon a free tool from Microsoft that will allow me to do this.  The Windows XP Virtual CD-ROM Control Panel.  This tool fit all my needs..  It was a small download, free, and it worked.

The directions from the readme:

Readme for Virtual CD-ROM Control Panel v2.0.1.1

THIS TOOL IS UNSUPPORT BY MICROSOFT PRODUCT SUPPORT SERVICES

System Requirements
===================
- Windows XP Home or Windows XP Professional

Installation instructions
=========================
1. Copy VCdRom.sys to your %systemroot%\system32\drivers folder.
2. Execute VCdControlTool.exe
3. Click “Driver control”
4. If the “Install Driver” button is available, click it. Navigate to the %systemroot%\system32\drivers folder, select VCdRom.sys, and click Open.
5. Click “Start”
6. Click OK
7. Click “Add Drive” to add a drive to the drive list. Ensure that the drive added is not a local drive. If it is, continue to click “Add Drive” until an unused drive letter is available.
8. Select an unused drive letter from the drive list and click “Mount”.
9. Navigate to the image file, select it, and click “OK”. UNC naming conventions should not be used, however mapped network drives should be OK.

You may now use the drive letter as if it were a local CD-ROM device. When you are finished you may unmount, stop, and remove the driver from memory using the driver control.

Download the XP Virtual CD Control Panel from Microsoft today.

Chances are that if you use Windows you have had to just shut down your machine when it become instable.  I am not trying to pick on Windows.  Most of the time it isn’t Windows fault, it is fairly common for poorly written applications and drivers cause the OS to malfunction.  This isn’t anything specific to Windows, if you run a buggy application on any OS, you will get the same type of results. 

You can shut down the computer by simply pressing the power button on the computer, but there is a way for you to shut down the computer that’s less harmful to the operating system. To do it:

1. Press [Ctrl][Alt][Delete] to display the Windows Security dialog box.
2. Hold down the [Ctrl] key and click the Shut Down button.
3. Click OK to confirm that you want to perform an emergency shutdown of the computer.

Be aware that when you perform an emergency shutdown, Windows doesn’t prompt you to save any open documents. To avoid losing your work, make sure that you save anything you’re currently working on (if possible) before performing an emergency shutdown.