Having Microsoft Azure host SQL Server databases on their servers is very cost-effective and efficient. Within minutes, one can have a SQL Server database hosted in the cloud and available to applications on the cloud or on premise.
As with all cloud resources, and especially databases, security is a huge concern. Fortunately, SQL Azure includes features to restrict what can connect to your database server but you need to know how to use them and realize that the default settings do not protect you best.
Setting Firewalls and Virtual Networks
This is an important feature for cloud solutions so that only permitted sources are allowed to get data from your server and databases. You can set the IP Addresses you allow at the database level and server level. The database settings take precedence over the server settings.
Cannot Open Server Error
If you try to connect to the database from an unauthorized IP address, it triggers an error like this:
Cannot open server ‘ServerName’ requested by the login. Client with IP address ‘188.8.131.52’. is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect.
By Default, All Azure Resources can Connect to Your Database
By default, all Azure resources can connect to your server and databases hosted on Azure:
Allowing All Azure Services to Connect to Your Server is a Huge Security Hole!
If you “Allow access to Azure Services” set to On, you create a huge security hole for your server and every database in it. Not only can all your resources connect to your databases, Any Azure resource from any organization can connect to your database.
This setting is NOT restricted to the Azure resources in your subscription. It’d be nice to restrict permissions to the current subscription or list of subscriptions but that’s not possible. It’s everything on all of Microsoft Azure or you need to specify each IP address.
Turn Off Permissions to All Azure Services
Set the permissions to OFF to disallow all Azure services to connect to your SQL server:
Explicitly Specify the IP Addresses Allowed
To avoid the ability of rogue Azure resources from breaching your database security, you need to manually specify the IP Address of every resource that may connect to your server and databases. This can be a real pain.
We are excited to announce the release of Total Access Analyzer for Microsoft Access 2019! Total Access Analyzer examines all your database objects to provide extensive documentation, code analysis, object cross-reference, and diagrams with over 390 presentation-quality reports.It detects 300+ types of errors, suggestions, and performance tips, so you can learn and apply Best Practices to fix problems, improve your design, and speed up your Access applications.>New Features
Access Analyzer 2019 is an upgrade from the 2016 version and includes these enhancements:
Supports Microsoft Access 2019, 32-bit and 64-bit versions.
Document All Database types supported by Microsoft Access 2019.
Improved Blueprint Documentation.
Additional Cross-Reference and Validation including Subform References.
Improved Memory Management.
Data Macro Documentation.
Document Workgroup Security in ACCDBs.
Better Support of Documentation for Multiple Databases.
Module Bracket Reports.
Improved User Interface Shows more Progress Details.
Recently, Microsoft Access users are confronted with this error when they open their database on Windows 10 machines:
“Microsoft Access has detected that this database is in an inconsistent state, and will attempt to recover the database. During this process, a backup copy of the database will be made and all recovered objects will be placed in a new database. Access will then open the new database. The names of objects that were not successfully recovered will be logged in the ‘Recovery Errors’ table.”
This seems to be related to Microsoft security updates that were released over the past few months.Our investigations lead us to these two links:
Microsoft Azure lets you economically and quickly host enterprise quality SQL Server databases in the cloud. The cost of each database is relatively modest.
Managing Resources and Costs for Individual Databases
However, as you add more databases, larger databases, and/or databases that require more resources, costs increase. Providing more resources to a database is helpful when it demands it, but when users aren’t on it or during non-business hours, it may be wasted capacity. Even during business hours, one can have some databases being utilized more than others at unpredictable levels.
Pooled Resources Across Multiple Databases
Fortunately, Azure offers an Elastic Pool option to share resources across multiple databases. If the demand on your databases is inconsistent (spiky), you can provide a high level of capacity that’s available to the most demanding database while allowing other databases to share those abundant resources when needed.
You no longer need to set the limits of each database,
You are not charged a per database monthly fee which is great for supporting lightly used databases.
Migrating Existing SQL Server Databases to Elastic Pool
Microsoft provides information on SQL Elastic Pools but does not explain how to convert existing databases to an Elastic Pool.
FMS President Luke Chung wrote a new paper with step-by-step instructions on how to convert existing SQL Server databases on Azure to an Elastic Pool without the need to change the database connection strings:
Starting May 9, we received many reports of Remote Desktop connections failing globally. Users received error messages like this when they tried to remote to machines they connected to successfully for a long time:
Remote Desktop Connection Error
An authentication error has occurred.
The function requested is not supported
Remote computer: <computer name>
This could be due to CredSSP encryption oracle remediation.
For more information, see https:/go.microsoft.com/fwlink/?linkid=866660
The link goes to this page, https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018, and explains the Credential Security Support Provider protocol (CredSSP). It offers extensive information on a series of updates since March 2018. It recommends some steps but isn’t very clear what those changes are nor whether those changes are needed to be made by network administrators globally via group policies, or group policies on every PC and VM.
Caused by a Microsoft Security Patch
The Microsoft Security patch issued on Tuesday, May 8th triggered the problem by setting and requiring remote connections at the highest level (CredSSP Updates for CVE-2018-0886)::
It changed the default setting from Vulnerable to Mitigated which means that any PC using CredSSP is not be able to use insecure versions. If your PC received the May update but the target PC hasn’t implemented the CredSSP update, the PC receives the error message when it tries to connect to that PC.
The automatic Windows patch to raise the security level is not implemented if the PC doesn’t allow automatic updates. This mismatch between the implementation of a security requirement (which is not optional) without the corresponding automatic update may be the source of this problem.
However, there are many situations such as development, testing, build, staging, and deployment environments which require a stable environment that would be destroyed by automatic Windows updates.
We continue to research this.
The symptoms are rather strange because we found that some machines successfully connected while others didn’t.
For instance, we had a Windows 7 machine that hosted Remote Desktop. A Windows 7 PC had no problem connecting to it, but the same user connecting from a Windows 10 machine failed when that was never an issue before and the host machine allowed remote connection for years.
There are also reports of problems with Windows 10 machines connecting to Windows 10 machines, and people locked out of their Azure VMs.
One could rollback the security update, but rather than risking other security problems, there’s a quick fix.
Simply adjust the Remote Desktop settings on the host machine to a lower security level. From File Explorer, choose Computer, right-click and select Properties, then click Change Settings, and go to the Remote tab.
From Windows 10, uncheck the option to “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”:
From Windows 7, it’s setting the option to the Less Secure option rather than More Secure:
Once these are set, users can remote to the machine again.
Based on this blog post, a Microsoft colleague told us this:
“I double checked the Windows bug database and they are aware of the problem. No ETA on a fix yet unfortunately. Your workaround is what’s suggested to temporarily get around the error, although it is not suggested as a long-term fix.”
This section was added after our initial workaround and is based on the experience of many users struggling with this problem.
The problem is often caused because the local machine is patched with the Windows Update and the machine it’s connecting to is not patched for the CredSSP issue. If both systems were patched then this error would not occur.
There are two options:
Update the Target Machine
Update the target machine with the patch for the CredSSP issue (preferable).
Update the Local Machine
In many cases, you don’t have the option to modify anything on the target machine. You may even be prevented from modifying your own machine, but assuming you have administrator rights, you can change the Group Policy on your local machine to use the Vulnerable setting.
Big picture, it’s ridiculous to lower one’s security settings to connect to a machine that wasn’t updated. It would be much better if it prompted or automatically connected to lower level machines without turning off the higher security level for everything else. All it takes is one target machine that you can’t modify to force this change on your machine. But at least you can get your work done.
Enter run “gpedit.msc” to edit group policy, or from Windows start, enter “Group Policy” and select “Edit group Policy”:
From the treeview, choose Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
Select “Encryption Oracle Remediation” from the right pane (if it’s not there, it probably means your machine wasn’t patched):
Enable and set the Protection Level to Vulnerable:
Hope this helps.
Additional Problem: Cannot Connect via VPN
We’ve discovered problems with VPN connection if the PC has Remote set to the higher security level.
The network connection fails with error: Cannot load the Remote Access Connection Manager service. Error 711:
Lower Your Remote Desktop Security to have the Security to Make the VPN Connection
Apparently, the Remote Desktop setting on the client side impacts its ability to connect via VPN to the host side.
By lowering the setting to less secure for others to connect to the PC, the PC can now successfully connect to the VPN. What a mess.
I’ve also been involved in other online discussions:
It’s late August, and it’s shocking that this problem remains after so many months. I am extremely frustrated by the Windows update policies and Microsoft’s inadequate testing before these security patches are deployed. This is very disruptive and dangerous to many organizations trying to fulfill their missions expecting their PCs to be reliable.
Microsoft security “purists” claim the current approach is necessary to address the serious threats facing users. I guess it wouldn’t be an issue if the updates worked without disruption. However, the downside of this medicine may exceed the illnesses they are trying to prevent.
Microsoft Azure lets you easily create and deploy enterprise quality SQL Server on the cloud and scale it to suit your application’s needs. From the SQL Server database’s Azure dashboard, you can see the Database Transaction Unit (DTU) usage against the specified DTU limit for the database.
One Hour Usage Graph
This is what we saw for usage over one hour. The cyan line across the top is the DTU limit. The dark blue line is the DTU used. The limit is what you pay, so it’s important to scale it to what the application needs.
One Hour Azure SQL Server DTU use versus limit
While everything seemed fine at the weekly level, looking at the hourly graph gave us a shock. It looks like the database is maxed out for most of the hour. It seems conclusive that we need to increase our DTU level.
65 Minute Graph
But when we set the range to 65 minutes and saw this:
65-minute Azure SQL Server DTU use versus limit
These are completely different displays of the same period of time. The 65 minute graph never hits the maximum DTU. What’s going on?
Facebook and Mark Zuckerberg are getting blamed for a large number of issues from promoting fake news, election fraud, mishandling user data, and profiting from selling user data.
While some of that may be true, the Facebook security breach is actually a violation of Facebook API licensing rules by the people who used it. Facebook provided the data and encouraged developers like us to create innovative solutions for the Facebook ecosystem. They weren’t selling the data.They weren’t even charging us to use it.
Our Facebook App with Social Network Analysis and Maps
In 2010, we created a Facebook application using our Sentinel Visualizer technology to perform Social Network Analysis (SNA) based on a user’s friends’ friends. It would automatically cluster friends so you could quickly see their groups (high school, college, work, family, in-laws, clubs, etc.).
Each box (picture) was one of your friends, and you could move them around the network, hover over them to get their info, or click on them to go to their page.
We also plotted friends on a Microsoft Bing Map making it easy to see who were near you or where you were visiting.
We launched our free Sentinel Visualizer Facebook App to a limited number of users and it started to gain followers. People were amazed to see which of their friends knew each other. The application started to go viral. We were having trouble supporting the traffic.
Not Allowed to Save Facebook Data
One of the things developers couldn’t do was to save Facebook’s data. All we collected were the user names and email addresses people provided when they registered our program. Unfortunately, other developers didn’t abide by Facebook’s terms and the data improperly got to Cambridge Analytica and others.
Facebook Stopped Making the Data Available
Our app ceased to work when Facebook limited their APIs and prevented our ability to get to the list of your friends’ friends among your network.
It’s not entirely Facebook’s fault for trying to spur innovation by sharing their data for free. Some developers violated the trust Facebook gave them.
The Full Story
Here’s our new web page describing our experience in detail: