RE: SQL and Account Permissions
From: securityfocus@leafgrove.com
Date: 03/06/02
From: <securityfocus@leafgrove.com> To: "'Bill Mote'" <bill.mote@bigfoot.com>, <focus-ms@securityfocus.com> Date: Wed, 6 Mar 2002 01:50:02 -0000
Bill
A couple of good resources on SQL Service Account permissions:
SQL Server Diagnostics, Part 2, Chapter 8
SQL Server 7.0 Resource Guide Part 7 Chapter 10 has almost the identical
article
If you don't have either book, the meat of the relevant section is
below:
-----------------------------------------
Troubleshooting SQL Server Services Accounts
If you have difficulty starting either the MSSQLServer or SQLServerAgent
service under a particular user account, you can:
- Use Windows NT User Manager to verify that the account has Log on as a
service rights on the computer. (Both of these must be assigned within
the security context of the local computer, not the domain.)
If services are started by someone who is not a member of the Windows NT
local administrators group, the service account must have these
permissions:
- Full control of the main Microsoft SQL Server directory (by default,
\Mssql7).
- Full control of the SQL Server database files, regardless of storage
location.
- The Log on as a service right. Ensure that all logon hours are allowed
in the Logon Hours dialog box.
- Full control of registry keys at and below
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer.
- Selection of the Password Never Expires box.
- Full control of registry keys at and below
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServer.
- Full control of registry keys at and below
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib.
If the service does not have the appropriate permissions, certain
functionality cannot be accomplished. For example, to write to a mail
slot, the service must have a Windows NT domain user account, not just
local system, with network write privileges. The service must be a
Windows NT account with local administrator privileges to:
- Create SQL Server Agent CmdExec and ActiveX Script jobs not belonging
to members of the sysadmin role.
- Use the automatic server restart feature of SQL Server Agent.
- Create SQL Server Agent jobs to be run when the server is idle.
- For the MSSQLServer service, right-click the server, click
Properties, and then click the Security tab. Under Startup service
account, enter the appropriate account and password. If the password is
incorrect or has changed, the service cannot be started until the
correct password is entered.
Caution: For the MSDTC service only, use Services in Control
Panel to reenter the user account password. If the password is incorrect
or has changed, the service cannot be started until the correct password
is entered. If necessary, change the account's password using User
Manager, and then enter that password for the service using Services in
Control Panel.
- For the SQLServerAgent service, expand the server, and then
expand Management. Right-click SQLServerAgent and click Properties. On
the General tab (the default) in the Service startup account section,
enter the account and password.
- Assign the account experiencing the problem to another service.
If you still have difficulty starting the MSSQLServer or SQLServerAgent
service under a particular user account, assign that account to another
service (for example, the Spooler service) and verify that the service
can be started successfully. If not, the account is either not
configured properly or cannot be validated by the domain controller (for
example, if no domain controller is available).
-----------------------------------------
Cheers
James D. Stallard
-----Original Message-----
From: Bill Mote [mailto:bill.mote@bigfoot.com]
Sent: 05 March 2002 18:56
To: focus-ms@securityfocus.com
Subject: SQL and Account Permissions
I have a *great* opportunity to install Win2k Server sp2 fresh on a new
box that is going to run SQL 7.0 sp3. I have used the recommendations
from Dameon Abernathy's book, "Essential Check Point FireWall-1" to
harden the operating system.
I want to setup a unique NT account to run the SQL agents and I'm
wondering what are the minimum requirements for permissions on that
account? Should I skip NT authentication all together and use an SQL
account? Which is more secure? What are the trade-offs?
You always hear about hackers using unchecked buffers to compromise a
service and execute commands with the same permissions as the account
running the service. Well, I want that account to have as little access
as possible.
Thanks in advance,
bm
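
A read-only way to check an account against the permissions listed in the quoted excerpt, as an added PowerShell example that is not part of the original messages or the quoted book. The account name `SQLHOST\svc_sql` and the `C:` drive letter are assumptions, and only rights granted directly to the account are checked.

```powershell
# Added example, read-only. Run elevated on the SQL Server host.
param(
    [string]$Account = 'SQLHOST\svc_sql',  # hypothetical service account
    [string]$SqlRoot = 'C:\Mssql7'         # page says \Mssql7; drive letter assumed
)
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Directory and registry keys named in the quoted excerpt.
$targets = @(
    $SqlRoot,
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer',
    'HKLM:\SYSTEM\CurrentControlSet\Services\MSSQLServer',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'
)

function Test-FullControl([string]$Path, $Sid) {
    # Looks only at Allow ACEs naming the account itself; access gained
    # through group membership is not resolved.
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $Sid.Value) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights } else { $ace.FileSystemRights }
        if ($rights.HasFlag([Enum]::Parse($rights.GetType(), 'FullControl'))) { return $true }
    }
    return $false
}

$report = foreach ($t in $targets) {
    [pscustomobject]@{
        Check  = "Full control: $t"
        Result = if (Test-Path $t) { Test-FullControl $t $sid } else { 'path not found' }
    }
}

# "Log on as a service" is a local user right: export the local policy and
# look for the account's SID (secedit writes SIDs with a leading '*').
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$holders = if ($line) { ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } } else { @() }
Remove-Item $cfg -ErrorAction SilentlyContinue
$report += [pscustomobject]@{ Check = 'Log on as a service'; Result = $holders -contains "*$($sid.Value)" }
$report | Format-Table -AutoSize
```

The database file locations are not covered because they vary per installation; add their paths to `$targets` to include them.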