
Category: Security

Oracle Error ORA-28353: Failed to Open Wallet

Rene Antunez diagnoses an Oracle error:

I noticed the original error after applying the October 2018 bundle patch (BP) for 11.2.0.4. While I realize most clients are no longer in 11.2.0.4, this information remains valid for anyone upgrading from 11.2 to 12, 18 or 19c.

I had been doing several tests on my Spanish RAC (Real Application Cluster) Attack for 12.2. The goal was to patch my client to October 2018 PSU; obtaining enough security leverage to avoid patching their database and do their DB (database) upgrade to 18c. I created RAC VMs to enable testing. I also set up my environment to match the client’s, which had TDE with FIPS 140 enabled (I will provide more details on this later in the post).

While the patching was successful, the problem arose after applying the patch. I was unable to open the database despite having the correct password for the encryption key.

When I first read the title, I thought it was a joke making fun of Oracle’s licensing practices.


Clone Logins and Users with dbatools

Jana Sattainathan takes us through a couple of DBA scenarios:

One of the more frequent requests that a SQL Server DBA receives is to “Clone a login” with all its permissions. For example, a request could be:

– Clone BILL_BLACK’s login and create a new login JACK_JOHNSON with exactly the same privileges in all databases.
– Clone AD group login BILLING_APP_ADMINS and create a login for new AD group BILLING_APP_CONSULTANTS with the same permissions as BILLING_APP_ADMINS in all databases.

Read on to see how.
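For anyone who wants to see what a clone actually has to copy before reaching for dbatools, here is an added T-SQL example (mine, not Jana's post and not dbatools). It scripts out one login's server role memberships, explicit server permissions, and then, database by database, its user, role memberships and explicit permissions, matching on SID rather than name. BILL_BLACK and JACK_JOHNSON are the hypothetical names from the request above; it assumes the target login already exists, that you run it as sysadmin, and SQL Server 2012 or later for the ALTER SERVER ROLE / ALTER ROLE syntax.

```sql
-- Added example, not from Jana's post or dbatools: script out one login's
-- server-level and database-level privileges for a second login.
-- Assumptions: BILL_BLACK and JACK_JOHNSON are hypothetical names, the target
-- login already exists, you run this as sysadmin, and the instance is
-- SQL Server 2012+ (ALTER SERVER ROLE / ALTER ROLE ... ADD MEMBER).
-- The output is a script to review, not something to execute blindly.
SET NOCOUNT ON;
DECLARE @Source sysname = N'BILL_BLACK', @Target sysname = N'JACK_JOHNSON';
DECLARE @Script TABLE (Seq int IDENTITY(1, 1), Stmt nvarchar(max));

-- 1. Server role memberships
INSERT INTO @Script (Stmt)
SELECT N'ALTER SERVER ROLE ' + QUOTENAME(r.name) + N' ADD MEMBER ' + QUOTENAME(@Target) + N';'
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @Source;

-- 2. Explicit server-level permissions: GRANT, DENY and GRANT WITH GRANT OPTION.
--    class 100 = server, 101 = another login (e.g. IMPERSONATE); other classes
--    (endpoints, availability groups) are flagged for manual review.
INSERT INTO @Script (Stmt)
SELECT CASE p.state WHEN 'D' THEN N'DENY ' ELSE N'GRANT ' END + p.permission_name
     + CASE p.class
           WHEN 100 THEN N''
           WHEN 101 THEN N' ON LOGIN::' + QUOTENAME(t.name)
           ELSE N' /* class ' + CAST(p.class AS nvarchar(10)) + N' - review manually */'
       END
     + N' TO ' + QUOTENAME(@Target)
     + CASE p.state WHEN 'W' THEN N' WITH GRANT OPTION' ELSE N'' END + N';'
FROM sys.server_permissions p
JOIN sys.server_principals m ON m.principal_id = p.grantee_principal_id
LEFT JOIN sys.server_principals t ON p.class = 101 AND t.principal_id = p.major_id
WHERE m.name = @Source;

-- 3. Database level: collect the source login's user, roles and permissions
--    from every online database, matching on SID (user names can differ per database).
CREATE TABLE #dbuser (db sysname);
CREATE TABLE #dbrole (db sysname, role_name sysname);
CREATE TABLE #dbperm (db sysname, state char(1), permission_name nvarchar(128),
                      class tinyint, col sysname NULL, target nvarchar(600) NULL);
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE' AND HAS_DBACCESS(name) = 1;
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
INSERT INTO #dbuser (db)
SELECT DB_NAME() FROM sys.database_principals u
JOIN sys.server_principals sp ON sp.sid = u.sid WHERE sp.name = @Source;
INSERT INTO #dbrole (db, role_name)
SELECT DB_NAME(), r.name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
JOIN sys.server_principals sp ON sp.sid = u.sid WHERE sp.name = @Source;
INSERT INTO #dbperm (db, state, permission_name, class, col, target)
SELECT DB_NAME(), p.state, p.permission_name, p.class,
       CASE WHEN p.class = 1 AND p.minor_id > 0 THEN COL_NAME(p.major_id, p.minor_id) END,
       CASE p.class  -- 0 = database, 1 = object/column, 3 = schema; anything else stays NULL
           WHEN 0 THEN N''''
           WHEN 1 THEN N'' ON '' + QUOTENAME(OBJECT_SCHEMA_NAME(p.major_id)) + N''.'' + QUOTENAME(OBJECT_NAME(p.major_id))
           WHEN 3 THEN N'' ON SCHEMA::'' + QUOTENAME(SCHEMA_NAME(p.major_id))
       END
FROM sys.database_permissions p
JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
JOIN sys.server_principals sp ON sp.sid = u.sid WHERE sp.name = @Source;';
    EXEC sys.sp_executesql @sql, N'@Source sysname', @Source;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;

-- Emit the database part in dependency order: user first, then roles, then permissions.
INSERT INTO @Script (Stmt)
SELECT N'USE ' + QUOTENAME(db) + N'; CREATE USER ' + QUOTENAME(@Target) + N' FOR LOGIN ' + QUOTENAME(@Target) + N';'
FROM #dbuser;
INSERT INTO @Script (Stmt)
SELECT N'USE ' + QUOTENAME(db) + N'; ALTER ROLE ' + QUOTENAME(role_name) + N' ADD MEMBER ' + QUOTENAME(@Target) + N';'
FROM #dbrole;
INSERT INTO @Script (Stmt)
SELECT N'USE ' + QUOTENAME(db) + N'; '
     + CASE state WHEN 'D' THEN N'DENY ' ELSE N'GRANT ' END + permission_name
     + ISNULL(N' (' + QUOTENAME(col) + N')', N'')        -- column-level permission, if any
     + ISNULL(target, N' /* class ' + CAST(class AS nvarchar(10)) + N' - review manually */')
     + N' TO ' + QUOTENAME(@Target)
     + CASE state WHEN 'W' THEN N' WITH GRANT OPTION' ELSE N'' END + N';'
FROM #dbperm;

SELECT Stmt FROM @Script ORDER BY Seq;   -- the generated clone script
DROP TABLE #dbuser; DROP TABLE #dbrole; DROP TABLE #dbperm;
```

Two things the generated script makes visible that a "just clone it" request hides: DENYs travel with the clone too, and anything granted on an endpoint, availability group, type, certificate or other class this script does not handle shows up as a "review manually" comment rather than silently disappearing.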


The Dangers of the securityadmin Role

Tibor Karaszi warns us to be wary of the securityadmin role:

Over the last week, I’ve seen two discussions where the securityadmin server role was suggested.

The scenario is typically that we don’t want to make this person a sysadmin, but we want this to manage logins and stuff like that.

But Tibor explains why you should watch out—my rule of thumb is to treat securityadmin as just as important as sysadmin. It’s not the same, but someone with securityadmin can do a lot of damage to a server.
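To make the rule of thumb concrete, here is an added T-SQL example (mine, not Tibor's post). Microsoft's documentation says securityadmin members can GRANT, DENY and REVOKE server-level permissions and that the role "should be treated as equivalent to the sysadmin role"; the first half below takes that at its word, and the second half is the query I would run to find everyone on an instance who is sysadmin-equivalent without being in sysadmin. The two logins and the password are hypothetical, lab-only values.

```sql
-- Added example, not from Tibor's post: why securityadmin has to be treated
-- like sysadmin, plus a check for everyone who is sysadmin-equivalent.
-- [SecOps], [Backdoor] and the password are hypothetical, lab-only values.

-- Setup, run as sysadmin: a login that is "only" a security admin.
CREATE LOGIN [SecOps] WITH PASSWORD = N'Lab-0nly-Password!';
ALTER SERVER ROLE securityadmin ADD MEMBER [SecOps];
GO

-- Escalation, executed under the securityadmin login's own permissions.
EXECUTE AS LOGIN = N'SecOps';
CREATE LOGIN [Backdoor] WITH PASSWORD = N'Lab-0nly-Password!';  -- securityadmin can create logins
GRANT CONTROL SERVER TO [Backdoor];  -- a server-level permission, so securityadmin can grant it
REVERT;
GO
-- [Backdoor] now holds CONTROL SERVER, which confers every server-level permission.

-- The check: who is sysadmin-equivalent here? Look beyond the sysadmin role itself.
SELECT sp.name, sp.type_desc, Via = N'member of ' + r.name
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin')
UNION ALL
SELECT sp.name, sp.type_desc, N'holds ' + p.permission_name
FROM sys.server_permissions p
JOIN sys.server_principals sp ON sp.principal_id = p.grantee_principal_id
WHERE p.state IN ('G', 'W')                       -- GRANT or GRANT WITH GRANT OPTION
  AND p.permission_name IN (N'CONTROL SERVER', N'ALTER ANY SERVER ROLE',
                            N'IMPERSONATE ANY LOGIN', N'ALTER ANY LOGIN')
ORDER BY name, Via;

-- Lab cleanup
DROP LOGIN [Backdoor];
DROP LOGIN [SecOps];
```

The check is the part worth keeping: after the escalation, [SecOps] appears only as a securityadmin member and [Backdoor] only as a CONTROL SERVER holder, so an audit that lists sysadmin members alone reports neither.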


Managing Power BI Administrators

Melissa Coates has some guidance for us:

The Power BI administrator role is a high-privilege role which should be carefully managed. As with many aspects of administration and governance, this involves having a balance between people being able to get things done and the risk when too many people have elevated permissions.

Click through for the blog post as well as a video.


Problems with Power BI’s Publish to Web

Adam Saxton explains when you might not want to use the Publish to Web option in Power BI:

Some don’t realize that Power BI Publish to Web is not secure. Adam shows you that this is the case. It’s a bit scary and there are other options to have secure embedding.

For demos and other resources which are supposed to be accessible to everybody, Publish to Web works great. But if you’re deploying company dashboards, not so much.


Operational Database Security in Cloudera Data Platform

Liliana Kadar, et al., walk us through some of the database security and auditing features in Cloudera Data Platform:

Database object-level security is available through the centralized authorization framework of Apache Ranger.

Both fine-grained access control of database objects and access to metadata is provided. Protected database objects include: database, table, column, view and User Defined Functions (UDFs).

Fine-grained access control for special administrative operations that can be performed on OpDBMS is also supported.

Click through for the full story.


Discovering MrbMiner

Randolph West gives us the low-down on some malware:

Tencent Security has released a report (written in Chinese) describing a new malware attack by the name of “MrbMiner” on SQL Server instances exposed to the Internet with passwords that can be brute-forced.

According to the report it installs an application written in C# by the name of assm.exe which communicates with a command-and-control server to download a digital coin mining tool, which may be disguised as various Windows system services. The malware uses several techniques to ensure that it sticks around.

Randolph has some more advice on how to determine if it is on one of your servers.

One quick thing I’d like to point out is that this is not a flaw within SQL Server; it only infects a machine which has a username and password it can guess.
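Since the entry point is a guessable password on an Internet-exposed instance, the checks that matter are whether you would even see the guessing and who is connecting from outside. Here is an added T-SQL example (mine, not from Randolph's post or the Tencent report) that reads the failed-login audit setting, groups the current error log's failed logins by client IP, and lists live connections from outside private address space. The threshold of 20 attempts and the private-range patterns are my assumptions; tune both for your environment.

```sql
-- Added example, not from Randolph's post or the Tencent report: three checks
-- for a brute-force attack against an exposed instance. The threshold and the
-- private-address patterns are assumptions to tune per environment.

-- 1. Is failed-login auditing on? If not, the error log has nothing to show.
--    AuditLevel: 0 = none, 1 = successful only, 2 = failed only, 3 = both.
DECLARE @AuditLevel int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel', @AuditLevel OUTPUT;
SELECT AuditLevel = @AuditLevel,
       Meaning = CASE @AuditLevel WHEN 0 THEN N'none (fix this first)'
                                  WHEN 1 THEN N'successful only (failed logins are not logged)'
                                  WHEN 2 THEN N'failed only' WHEN 3 THEN N'both' END;

-- 2. Failed logins in the current error log, grouped by the source IP.
--    Message shape: Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(64), LogText nvarchar(max));
INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';   -- 0 = current log, 1 = SQL Server log

SELECT f.ClientIP,
       Attempts    = COUNT(*),
       LoginsTried = COUNT(DISTINCT f.LoginName),          -- many names from one IP = spraying
       FirstSeen   = MIN(f.LogDate),
       LastSeen    = MAX(f.LogDate)
FROM (
    SELECT LogDate,
           LoginName = SUBSTRING(LogText, CHARINDEX(N'user ''', LogText) + 6,
                           CHARINDEX(N'''', LogText, CHARINDEX(N'user ''', LogText) + 6)
                         - CHARINDEX(N'user ''', LogText) - 6),
           ClientIP  = SUBSTRING(LogText, CHARINDEX(N'[CLIENT: ', LogText) + 9,
                           CHARINDEX(N']', LogText, CHARINDEX(N'[CLIENT: ', LogText))
                         - CHARINDEX(N'[CLIENT: ', LogText) - 9)
    FROM #errlog
    WHERE LogText LIKE N'Login failed for user ''%[[]CLIENT: %]%'
) AS f
GROUP BY f.ClientIP
HAVING COUNT(*) >= 20                 -- assumption: threshold to tune
ORDER BY Attempts DESC;
DROP TABLE #errlog;

-- 3. Who is connected right now from outside private address space?
--    The 172.[1-3][0-9] pattern only approximates 172.16.0.0/12.
SELECT s.session_id, s.login_name, c.client_net_address, s.program_name, s.login_time
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE c.client_net_address NOT LIKE N'10.%'
  AND c.client_net_address NOT LIKE N'192.168.%'
  AND c.client_net_address NOT LIKE N'172.[1-3][0-9].%'
  AND c.client_net_address NOT IN (N'<local machine>', N'127.0.0.1', N'::1')
ORDER BY s.login_time;
```

If query 2 shows one IP trying dozens of distinct login names, that is a spray, not a user mistyping a password; if query 3 returns anything at all on a server that is not supposed to be reachable from the Internet, the password strength discussion is secondary to the firewall one.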


Automating a Permissions Audit with dbatools

Garry Bargsley walks us through the process of a permissions audit made easier:

My post for T-SQL Tuesday #130 is going to be how I automated my company's SQL Server Permissions Audit process. Even though this only occurs every quarter it is something that I as the DBA never look forward to and the business partners never really enjoy. In an effort to streamline the process from start to finish I built automation using PowerShell, dbatools and ImportExcel. The process now builds the permissions audit file, extracts individual users from Active Directory and e-mails the information to the appropriate team(s) for review.

Read on for details about the process.
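The step that makes an audit reviewable is the one Garry mentions almost in passing: resolving AD groups to individual people, because a reviewer cannot sign off on "BILLING_APP_ADMINS" without knowing who is in it. Here is an added T-SQL example (mine, not Garry's PowerShell/dbatools process) that builds the server-level half of such an audit and expands every Windows group login to its members with the documented xp_logininfo procedure, so the output can be handed to the team as people rather than groups. It assumes the SQL Server service account can query the domain; xp_logininfo does not recurse into nested groups, which is why nested groups are kept in the output as their own rows.

```sql
-- Added example, not from Garry's post: server-level permissions audit with
-- Windows group logins expanded to AD members via xp_logininfo.
-- Assumes the SQL Server service account can query the domain.
SET NOCOUNT ON;

-- One row per login and privilege source.
CREATE TABLE #audit (LoginName sysname, LoginType nvarchar(60),
                     Source nvarchar(20), Detail nvarchar(400));

INSERT INTO #audit (LoginName, LoginType, Source, Detail)
SELECT m.name, m.type_desc, N'server role', r.name
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id;

INSERT INTO #audit (LoginName, LoginType, Source, Detail)
SELECT sp.name, sp.type_desc, N'server permission',
       CASE p.state WHEN 'D' THEN N'DENY '
                    WHEN 'W' THEN N'GRANT (with grant option) '
                    ELSE N'GRANT ' END + p.permission_name
FROM sys.server_permissions p
JOIN sys.server_principals sp ON sp.principal_id = p.grantee_principal_id
WHERE p.permission_name <> N'CONNECT SQL'   -- every login has it; pure noise in a review
  AND sp.type IN ('S', 'U', 'G');            -- SQL logins, Windows users, Windows groups

-- Expand each Windows group login to its direct members.
-- xp_logininfo 'members' returns: account name, type, privilege, mapped login name, permission path.
CREATE TABLE #members (AccountName sysname, AccountType varchar(10), Privilege varchar(10),
                       MappedLoginName sysname NULL, PermissionPath sysname NULL,
                       GroupLogin sysname NULL);
DECLARE @grp sysname;
DECLARE grps CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.server_principals
    WHERE type = 'G' AND name NOT LIKE N'NT %';   -- skip NT SERVICE\... and NT AUTHORITY\...
OPEN grps;
FETCH NEXT FROM grps INTO @grp;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        INSERT INTO #members (AccountName, AccountType, Privilege, MappedLoginName, PermissionPath)
        EXEC master.dbo.xp_logininfo @acctname = @grp, @option = 'members';
    END TRY
    BEGIN CATCH
        -- Orphaned or unresolvable groups are findings in their own right; keep them visible.
        INSERT INTO #members (AccountName, AccountType, Privilege)
        VALUES (N'<lookup failed: ' + LEFT(ERROR_MESSAGE(), 90) + N'>', 'error', 'null');
    END CATCH;
    UPDATE #members SET GroupLogin = @grp WHERE GroupLogin IS NULL;
    FETCH NEXT FROM grps INTO @grp;
END;
CLOSE grps;
DEALLOCATE grps;

-- The review sheet: privilege, the login that carries it, and the person behind it.
SELECT a.LoginName, a.LoginType, a.Source, a.Detail,
       Person     = ISNULL(m.AccountName, a.LoginName),
       PersonType = ISNULL(m.AccountType, CASE a.LoginType WHEN N'WINDOWS_GROUP' THEN 'group' ELSE 'user' END)
FROM #audit a
LEFT JOIN #members m ON m.GroupLogin = a.LoginName
ORDER BY a.Source, a.Detail, a.LoginName, Person;

DROP TABLE #audit;
DROP TABLE #members;
```

Rows where PersonType is 'group' under a Windows group login are nested groups that still need expanding, and rows beginning with "<lookup failed" are groups SQL Server can no longer resolve, which usually means a login that should have been dropped long ago.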


Using oysteR to Track Security Vulnerabilities in R Packages

Colin Gillespie walks us through using the oysteR package:

The {oysteR} package is an R interface to the OSS Index that allows users to scan their installed R packages. A few months ago, I stumbled across a fledgeling version of this package and decided to make a few contributions to help move the package from GitHub to CRAN. A few PRs later, I’m now a co-author and the package is on CRAN.

Click through for a demo.


Checking that Power BI Security Roles are Correct

Fred Kaffenberger poses a question:

If you can ask, how do we know that we are improving, you should also be able to ask how do we know that the security roles are implemented correctly. Data culture is not just for the business, but for the reporting team as well. I haven’t seen much discussion of auditing security roles in Power BI circles, so I’m genuinely curious about how others tackle this issue. Does everyone simply work hard and hope for the best? Or do you restrict everything at the database level and use different apps for different groups instead? There may even be regulatory reasons which require you to restrict it at the database level. But even if you do restrict everything at the database level, you still need to validate that security as well.

Read on for a verification technique.
