MSSQL – Two common issues while restoring a backup and it’s solutions

There are two most common issues while restoring the database (usually ending in .bak format).

First error
System.Data.SqlClient.SqlError: The backup set holds a backup of a database other than the existing ‘user_database‘ database. (Microsoft.SqlServer.Express.Smo)

Solution for First error

On the Restore page that loads up, make sure that the Destination for restore has the database you want to restore and in the Source for Restore, choose From device: And browse by clicking [..] and Add the file location there, the location where your database backup resides. You may need to browse the backup. If you get permission denied, copy the bak in the MSSQL folder.

Attaching the database backup file

Restore it. Make sure that the Restore Checkbox is selected. And Click OK. And get ready for the error

Here comes the first errorSystem.Data.SqlClient.SqlError: The backup set holds a backup of a database other than the existing ‘user_database’ database. (Microsoft.SqlServer.Express.Smo)
And the solution is to go to Options -> Overwrite Existing Database . But if you aren’t so lucky, you will be welcomed by another error as seen below. where it’s solution is to edit the path from D:\ to C:\ or whichever Drive, where your MSSQL is installed.

System.Data.SqlClient.SqlError: Directory lookup for the file “D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\user_database.mdf” failed with the operating system error 3(The system cannot find the path specified.). (Microsoft.SqlServer.Express.Smo)

Both THE Solutions are in a single screen shot. The final screenshot

Bad Request (Invalid Hostname) when accessing via IP

Customer wanted to have a dedicated IP, but once I change the IP from the plesk control panel, I couldn’t get the website when accessed using IP. Instead, it was giving me the plesk control panel’s default page. Reason ? Default Website was having the IP as “All Unassigned”. Set that to the main IP address. But after that I was getting a new error.

What I could get was “Bad Request (Invalid Hostname)” in bold letters. Here is what I did to fix the same.

Start -> Run -> inetmgr -> Expand the (+) -> Websites -> Right click on the domain name -> Take Properties -> Website -> IP Address (make sure that it has the dedicated IP assigned there) and then click “Advanced”

Add/Edit Web Site Identification

IP Address : Choose the dedicated IP from drop down list
TCP/IP Port : 80
Host Header Value : Leave it blank (Important)

Leaving the Host Header Value should fix the issue and fetch the website when accessing it using the IP.

Initial Hardening or Securing and performance tweaking of a Windows Server 2003 – Part I

I am hereby mentioning a brief howto on securing a default Windows Server 2003. 90% of the sages at SupportSages are Unix fanatics and I am a rebel belonging to the rest of 10% But often we get requests on securing Windows Servers and hence I am hereby briefing the basic steps we should take to secure a windows server. As the lead sage says, security is a process which starts even before the installation of OS or designing a network and can’t be done in a day or two, just the initial hardening can be. So the steps mentioned here is just the initial hardening. I would love to add more based on suggestions of you. I will mention the fundamentals of troubleshooting and fixing the permission issues of windows in another post. This post is for a standalone server and not a member of an AD (Active Directory).

For all the TUI/CLI guys out there. did you MS Windows Server 2008 can run without a GUI. You just have to install Server Core. You now can command Windows to do what you want

Subscribe to MS’s Security bulletin list at http://technet.microsoft.com/hi-in/security/dd252948(en-us).aspx lists.

Disable all services you do not need

Distributed File System
Distributed Link Tracking Client
Distributed Link Tracking Server
Fax Service
Indexing Service
Netmeeting Remote Desktop Sharing
Print Spooler
Telnet

Sevices you may or may not disable, if not already disabled. Usually a server installation turns this off. Did you know out of 86 default installed services 43 of them are disabled by default.

ClipBook
Computer Browser (On a server do you want this ?)
Help and Support (Again, don’t you have other sages around you for this?)
IMAPI CD-Burning COM Service (Dont need this)
Messenger
Remote Registry
TCP/IP NetBIOS Helper

Harden the TCP/IP Stack

Just like you do in Linux by editing sysctl.conf, you can configure various TCP/IP parameters in the Windows registry in order to protect against network-level denial of service attacks including SYN flood attacks, ICMP attacks and SNMP attacks. You can configure registry keys to:

* Enable SYN flood protection when an attack is detected.
* Set threshold values that are used to determine what constitutes an attack.

Follow the HowTo at http://msdn.microsoft.com/en-us/library/aa302363.aspx

Renaming the Administrator and Guest Account to something else.

Follow the Howto @ http://support.microsoft.com/kb/816109

In that Howto, the AD Users and Computers Snap in is taken by selecting “Start”, “Programs”, “Administrative Tools”, and “Active Directory Users and Computers” or by simply typing dsa.msc in the Start -> Run.

Enabling HTTP Compression

This is not security related, but may improve performance. Took from a website and hence including here also. But remember that Horde error happening for Middle East which is described earlier in one of the posts can creep in.

Check out the URL http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d52ff289-94d3-4085-bc4e-24eb4f312e0e.mspx?mfr=true

DIsable parent paths (if enabled)

If we are doing monthly management of the server, even if the customer asks to enable parent paths, don’t do it on the server of a hosting firm. Lots of risks are there. Good thing is that in IIS 6.0 it is disabled by default. Ask the developers to use absolute path. If it is enabled, disable it. But on a live production server, if it is enable, before disabling the parent path communicate with the contact person for the firm as it may break websites using it.

• Start the Internet Services Manager (Start – Programs – Administrative Tools – Internet Services Manager
• Right click on the web site and select properties
• Select the ‘Home Directory’ tab
• Click the ‘Configuration’ button under the Application Settings
• Select the ‘App Options’ tab
• Uncheck the ‘Enable parent paths’ box and click Apply

Article  link here says how to enable it. http://support.microsoft.com/kb/q226474/ . But its for reference only.

Use Dedicated Application pools

Again performance related Always try to isolate websites using dedicated applicaiton pools. You can define it under IIS or in many control panels, it is just a click of the button or an option to be checked. Error in one dedicated pool will not affect other pool and hence othe websites. Also this will be helpful when troubleshooting / debugging issues as well.

Changing the RDC or Remote desktop port

Take registry using regedit and browse the hive keys to

HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > TerminalServer > WinStations > RDP-Tcp

and then change the Registry subkey PortNumber to a non-default, above 1024 one.

On Server 2008, in addition to changing the registry key above, you also need to create a new Inbound TCP rule in your windows firewall to allow connections on your new port.  You can then disable the existing remote desktop inbound rule (which is hard coded to port 3389) and / or add a new one to allow your port. Below command should work also.

netsh advfirewall firewall add rule name=”New Remote desktop” dir=in action=allow protocol=TCP localport=’NEW_PORT_NO’

Refer http://support.microsoft.com/kb/947709 for more help on writing firewall rules.

If working on a hacked or suspected hack system, keep the Security Identifier list available at http://support.microsoft.com/kb/243330 handy.

Lots of tools useful for forensics and daily auditing purposes will be coming on next post or even this post itself will get re-published. Till then read about IPTables equivalent in windows (oh..No..Kinda equivalent) http://support.microsoft.com/kb/813878

One website in Plesk is asking for user name and password. What is the solution

This is common issue, but solutions varies based on situations. It could be one or a combination of a solutions listed below. If you had to go through another solution to solve it, please add it over here for others.

• Permission issue was making the website to ask for the password. Run the Plesk permissions fix from the Plesk reconfigurator. It could help you 10% of the time
• If it is asking for username and password, right after you changed the password of the account, 80% of the cases, below command based solution would work.
  

  cd %plesk_bin%
  websrvmng –update-anon-password –domain-name=domainname.com

• Login to plesk, select the domain, click web directories. And there, select the the protection tab and click remove protection if enabled – Only 5% chances to have this solve your issue
• Try resetting the domain password from Plesk, with Additional Write/Modify permissions checked. This may sync the IUSR_username’s password and the Plesk/FTP password. If it didn’t move on to next option to manually synchronize it.
• Go to IIS > Web sites > domainname.com > Properties > Directory Security tab > Click on Edit button within “Authentication and access control” section > enter “password” in password filed > click OK.
  After that, Go to Users Management > find user IUSR_pleskusername > Right Click > set password > proceed > enter “password” > click OK. If this also didn’t fix, issue is much more serious and move on to next options
• Depending on the Plesk versions you use, Plesk group `psacln` should be allowed to access the server from the network. For that Go to, Administrative Tools > Security Settings > Local Polices > User Rights Assignment > Access this computer from the network
• Check whether there is any new FTP accounts added with the “Home directory” as httpdocs itself. If so please remove it and then change the password at Domain Setup and save it
• Check whether the plesk_username and IIS_pleskusername are added and has proper permissions for the DriveLetter:\Inetpub\vhosts\domainname.com as well as DriveLetter:\Inetpub\vhosts\domainname.com\httpdocs.

Okay those are my current solutions.

Unable to delete a domain from Windows Plesk

Error was this one. Mailenable Free version was the mail server installed.

Unable to delete DSMail service for domain: Unable to remove domain mail: mailmng failed: MEAOSM.Domain.GetDomain failed
———————- Debug Info ——————————-
0: C:\Program Files\SWsoft\Plesk\admin\plib\class.PhDomain.php:327 psaerror(string “Unable to delete DSMail service for domain: Unable to remove domain mail: mailmng failed: MEAOSM.Domain.GetDomain failed”)
1: C:\Program Files\SWsoft\Plesk\admin\plib\class.BsDomain.php:277 phdomain::delete()
2: C:\Program Files\SWsoft\Plesk\admin\plib\class.BsDomain.php:470 bsdomain->delete(integer “0″)
3: C:\Program Files\SWsoft\Plesk\admin\plib\class.Manager.php:334 mdeletedomains(array)
4: C:\Program Files\SWsoft\Plesk\admin\htdocs\domains\domains.php3:166 manager->removedomains(array)

Solution would be

C:\Documents and Settings\Administrator\Desktop> cd %plesk_bin%
C:\Documents and Settings\Administrator\Desktop> mchk.exe –domain –domain-name=domain.com

If the plesk is installed on another drive, after the %plesk_bin%, you would need to do a drive change by a simple D:\ or so, which will get you the exact plesk binary directory.

Ofcourse replace domain with real domain name to be deleted.