Friday, 27 February 2009

Ad hoc access to OLE DB provider has been denied

On SQL Server 7 post-SP2 (and 2000 etc.), attempting to access an OLE DB data source using OPENROWSET can produce the slightly spurious error:

Ad hoc access to OLE DB provider 'MSDASQL' has been denied. You must access this provider through a linked server.

In usual Microsoft style the message doesn't really mean what it says. From SQL 7 SP2 onwards MS by default blocked ad hoc query access with OLE DB. As the message suggests, you could set up a linked server, but that can be a real pain. Alternatively, if you need ad hoc access server-wide, you could turn on ad hoc access for the SQL server you are using, explained in MS speak here:

http://support.microsoft.com/default.aspx?kbid=266008

Ah, but it's not that simple. A little more witchcraft is required. The following registry settings can be used to enable ad hoc access:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers]
"DisallowAdhocAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\Microsoft.Jet.OLEDB.4.0]
"DisallowAdhocAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\MSDAORA]
"DisallowAdhocAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\MSDASQL]
"DisallowAdhocAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB]
"DisallowAdhocAccess"=dword:00000000

Still not working?!

  • Go to Enterprise Manager > Security > Linked Servers

  • Right-click and select "New Linked Server..."

  • Select an OLEDB provider.

  • Click "Provider Options".

  • Check "Disallow adhoc access".

  • Click OK

  • Enter a name for the linked server.

  • Click OK

  • Delete the new linked server.

  • Right-click and select "New Linked Server..."

  • Select an OLEDB provider.

  • Click "Provider Options".

  • Uncheck "Disallow adhoc access".

  • Click OK

  • Enter a name for the linked server.

  • Click OK

  • Delete the new linked server.


No-one said it would be easy...

Friday, 20 February 2009

Command line shut down or restart

Quite frequently all PCs in our office have to be restarted for various updates, configuration changes etc. We also have a policy of all PCs being turned off overnight and have become a little draconian in enforcing this - the electricity bills are huge otherwise!

A local or remote shut down or restart can be triggered using the command line.

shutdown [-i -l -s -r -a] [-f] [-m \\computername] [-t xx] [-c "comment"] [-d up:xx:yy]

No args Display this message (same as -?)
-i Display GUI interface, must be the first option
-l Log off (cannot be used with -m option)
-s Shutdown the computer
-r Shutdown and restart the computer
-a Abort a system shutdown
-m \\computername Remote computer to shutdown/restart/abort
-t xx Set timeout for shutdown to xx seconds
-c "comment" Shutdown comment (maximum of 127 characters)
-f Forces running applications to close without warning
-d [u] [p]:xx:yy The reason code for the shutdown
u is the user code
p is a planned shutdown code
xx is the major reason code (positive integer less than 256)
yy is the minor reason code (positive integer less than 65536)

You will need to be an administrator or have admin rights to remotely shut down or restart another PC. Whilst this can be a useful technique, only grant admin rights to those who really need them, otherwise anyone in the office could restart other workstations!!!

Disable SSLv2 in IIS 6 for PCI Compliance

Anyone working on PCI Compliance will know the restrictions placed on IIS. The recommendations are only common sense but remarkably few companies have implemented them.

SSLv2
SSLv2 has always been full of holes and there is now very little need for it to be enabled on any server. Almost no clients require it and if it is enabled it is potentially a serious security problem.

  • Open Registry Editor.

  • Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

  • On the Edit menu select New then DWORD Value

  • Name the new value Enabled

  • Ensure the value is set to 0

  • Restart the server


Full details on disabling SSLv2 can be found in the following MS knowledge base article:
http://support.microsoft.com/kb/187498

Cryptographic Algorithms
If the scan for PCI compliance has picked up SSLv2 then it will almost certainly have warned about a number of weak algorithms (http://support.microsoft.com/kb/245030).

The following ciphers need to be disabled to ensure the only cipher algorithms available are 128 bit+:
RC4 64/128
RC4 56/128
RC2 56/128
RC2 56/56
RC4 40/128
RC2 40/128

To disable a cipher:

  • Open Registry Editor.

  • Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

  • Select the key for the cipher you wish to disable

  • On the Edit menu select New then DWORD Value

  • Name the new value Enabled

  • Ensure the value is set to 0

  • Restart the server


It is also worth considering disabling the MD5 hash, although be very careful that it is definitely not in use!

To disable MD5:

  • Open Registry Editor.

  • Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5

  • Select the key for the cipher you wish to disable

  • On the Edit menu select New then DWORD Value

  • Name the new value Enabled

  • Ensure the value is set to 0

  • Restart the server
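
To check the result of the SSLv2, cipher and MD5 steps above, the following added example (not part of the original post) audits a text export of the SCHANNEL key and reports which entries actually carry Enabled = 0. The function names and the sample export are constructed for illustration.

```python
import re

# Subkeys the page's steps touch, relative to the SCHANNEL key.
ROOT = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
CIPHERS = ["RC4 64/128", "RC4 56/128", "RC2 56/128", "RC2 56/56", "RC4 40/128", "RC2 40/128"]
REQUIRED = [r"Protocols\SSL 2.0\Server"] + ["Ciphers\\" + c for c in CIPHERS] + [r"Hashes\MD5"]

# Constructed sample export (not taken from a real server).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"""

def parse_reg(text):
    """Return {KEY PATH (upper-cased): {value name (lower-cased): int}} for DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Map each required subkey to 'disabled', 'enabled' or 'missing' (no Enabled DWORD)."""
    keys = parse_reg(text)
    report = {}
    for sub in REQUIRED:
        # Registry key and value names are case-insensitive, so compare normalised forms.
        enabled = keys.get((ROOT + "\\" + sub).upper(), {}).get("enabled")
        report[sub] = "missing" if enabled is None else ("enabled" if enabled else "disabled")
    return report

if __name__ == "__main__":
    for sub, state in audit(SAMPLE_EXPORT).items():
        print(f"{state:9} {sub}")
```

Feed audit() the text of an export of the SCHANNEL key; an export in the Unicode "Windows Registry Editor Version 5.00" format must be read as UTF-16 first. Anything reported as "missing" or "enabled" has not been explicitly switched off by the steps above.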

Monday, 9 February 2009

CFDOCUMENT Font Issues - Type 1

This has been reported many times but there are a number of issues with CFDOCUMENT and embedding fonts in PDFs - in particular in MX7. One client required a PDF to use the Dax font and had initially provided Type 1 fonts; these of course didn't work as ColdFusion didn't recognise them. TrueType TTF fonts were then provided but still didn't work, despite the fonts being installed in the system fonts folder and being correctly referenced by the font family name in the page CSS.

The core issue is that CFDOCUMENT will attempt to use the first version of a font with a matching font-family name - regardless of its type. Our system had Type 1 and TrueType versions of Dax installed but CFDOCUMENT always tried to use the Type 1 version. The only way to resolve the issue was to completely remove the Type 1 version; the output now works perfectly!