Though already running in production mode, the web application is still changing because new features are being added on a daily basis. As a result of this, schema changes are pushed to the database almost weekly and I just don’t have the time to maintain the SQL scripts required to keep replication in sync with the schema changes. It is much easier to just: 1) take down replication and delete the DR database, 2) update the schema on the primary database, 3) restore a new copy of the second DR from a backup of the primary, 4) reseed identity columns on the DR database, 5) set up replication from scratch.

It may sound stupid, but whatever. Setting up replication from scratch through the UI works out to be easier than maintaining the change scripts required to keep several hundred tables properly replicated while new tables are columns are being constantly added. The only pain-in-the-ass part of this method is that the identity columns of hundreds of tables in the DR database need to be reseeded each time. Fortunately this can be done quickly.

Our rule is that indentity columns of type int should have values in the range of 1 – 1073741823 on the main database, and on the second database the range should be 1073741824 and up. For bigint it should be 1 – 10737418239 on the main database and 10737418240 and up on the second database.

So for a table tbl_abc which has an identity column of type int to run the following 2 SQL statements on the DR database:

The first sets the seed value to 1073741824. However, the application might have previously failed over to the DR database and there may already be rows with identity columns having a value of 1073741824 and up. The second statement above correcly sets the seed to the next available value, if 1073741824 is already used.

The output of following SQL script will generate the pair DBCC statements for all tables in the database named ‘tbl_%’.

The output needs to be captured as text and cleaned up a little (remove headers, etc.), before being resumbitted as a SQL command. Note that if the table has many rows (over several hundred thousand), it could take a while for DBCC CHECKIDENT to complete.

Why not just simply compile and link xxx.exe as a native 64-bit application and get much more than 4GB? Well, the application may be using libraries and components which are only available as 32-bit binaries. In this case, building a 64-bit app is not an option. Also, if you have been following Rico Mariani’s (of Visual Studio fame) blog, you would know that there are some disadvantages of running native 64-bit applications vs. 32-bit applications under WoW64 – the main thing being that all address pointers would be twice the size, meaning a larger memory footprint and slower memory access.

You can use the DUMPBIN.EXE utility (also part of Visual Studio tools), to find out the setting of the /LARGEADDRESSAWARE flag in the header.

In the output of DUMPBIN look out for Application can handle large (>2GB) addresses. This means that your 32-bit app will be able to address the full 4GB address space when running under Windows x64. Note that when running the app in 32-bit Windows configured with the /3GB option, the app will be able to address 3GB.

To avoid your queries from running under non-optimal execution plans, the script should be run periodically, typically weekly or nightly, when the the database is not in use.

This is happeming because Max Text Replication Size by default is set to 65536 and SQL Server has attempted to replicate a row where the data in a column is greater than this size. From the SQL Server Management Studio you can view and change this setting under Server Properties | Advanced dialog.

Increase this number to a higher value – up to 2147483647. Make this change on all SQL Servers involved in the replication. If you don’t like UI stuff, you can also make this change via a SQL Query.

The Downgrade Attack: SSL v2 has no notion of integrity checking for handshake packets. Thus, an attacker could change the algorithms and key lengths chosen by the client while the appropriate handshake message was on the wire. This can result in a weak SSL connection being setup between the client and the server even though this is not what the two intended. Armed with this weak connection, the attacker could log all the traffic going by during the data exchange and could then use a brute force application to attack the weak encryption.

The Truncation Attack: SSL v2 does not allow the parties involved to distinguish when the connection is ended by one of them or by a malicious third party. Thus an attacker can freely interrupt secure client-server connections. If the attacker additionally understands the application, the semantics and ordering of messages being exchanged, then he/she can potentially alter the meaning of a message by interrupting the connection at precisely the correct instant.

Instructions for disabling SSL 2.0

• Open the registry editor and navigate to the following key:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurityProviders\SCHANNEL\Protocols\SSL 2.0

• Under the Client key set Enabled DWORD value to 0×0
• Under the Server key set Enabled DWORD value to 0×0

If you hire someone to run a penetration test on your server/web site, this is one of the things they look out for. Eliminating it right from the start would prevent this blemish on your pen test report.

References
http://support.microsoft.com/?kbid=245030

• Using RegEdit, open the following key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• Set the account name in the DefaultUserName entry. If DefaultUserName does not exist, create a new entry as a string value (REG_SZ).
• Set the password in the DefaultPassword entry. If DefaultPassword does not exist, create a new entry as a string value (REG_SZ).
• Set the AutoAdminLogon entry to 1. If AutoAdminLogon does not exist, create a new entry as a string value (REG_SZ).

Click on the picture for larger image.

The next time the computer restarts it will automatically login as the specified user.