Re: Server or Service Accounts complete lockdown?



Hi Phillip,
Never too late to learn something! That's exactly what I did after some soul
searching and a break from trying to work it out! I basically shared the
directories that needed it at share level, then applied NTFS permissions to
them to allow access to the developers (seems so obvious now!).

If my SQL directory is in C:\Programme Files\SQL\Data\etc and I have given
read permissions on that directory, should the users be able to access it through
SQL Enterprise Manager? I only ask because they can't, but I would like them
to. I wonder if I need to somehow create accounts in each SQL DB to allow
"datareader" access.

Thanx again for your time
G

"Phillip Windell" wrote:

I guess it's too late now, ...but you are never to apply NTFS permissions at
the root of C because it will inherit down through the Windows folder and
all the subfolders and hose everything up.

Four folder "roots" you should never mess with:
1. The root of C
2. Windows Folder (or WINNT)
3. Program Files
4. Documents and Settings

Do all your "stuff" by creating new folders and work the permissions on
them.

NTFS permissions have nothing to do with shares; they still have their same
effect whether a share exists or not.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"GaryB" <GaryB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C88FD931-BA19-495E-83A7-E0DBB5F73345@xxxxxxxxxxxxxxxx
Hi Roger -
Something really odd is happening here & I can't see the wood for the
trees!
Created a Dev group in AD2003 and added the developers to it, then a Tech
group and added myself to that. On the 2000 server I created groups called
dev & tech and added the AD groups as members. I then add these groups to the
C drive properties and give full access to tech & read only to dev.

Here's the strange bit - I have full access but the dev team are prompted to
input their respective domain logons. They do so both with domain\user & user
but they cannot get access even if I change access to full control. The C
drive isn't shared (only c$) so I am applying these permissions via NTFS.

I know they are working for the tech group, as I temporarily removed access
for the tech group and I could access drives through the run command
(\\2000server\c$)

Can you see what I am doing wrong?

Lastly, if I "can" get the dev team read access to the C Drive, would that
allow them to open SQL Enterprise Manager from the desktops, or do I need to
create user groups in SQL then assign them read only rights?

Thanx
G

"Roger Abell [MVP]" wrote:

Well, I do not know specifics of your environment, but yes I would
define a Devs group with the new accounts of the Devs as members.
I would give these to the developers after the group has been used
to grant the accesses they will have, so that they are not interrupted.

Then, with them using the new accounts I would take over the existing
and then I would go back and check that the new accounts and groups
were not granted anything "extra" in the overlapping time.

Going this way is simpler than setting up a new service account
(for SQL ?) as it is only a password change. But, make absolutely
certain you know all places the account is used and where the new
password will need to be configured.

If you want to contain them, then you need to understand all of the
accesses that they have had available. For example, the account
used by the web application for SQL database access. You also
need to understand what it is that they do, and provide for a safe
way for them to do an equivalent. For example, what databases
are they accustomed to accessing, and how, so that they can still
do what they need but in a way that lets you protect the live version
of the database. It is common for devs to have grants in SQL Server
to databases, and they likely have used SA or DBO access to the
live database up to now. The new accounts will need something
similar so they can do their work - I would suggest DBO access
to a dev version of the database(s) and no access (or read only)
to the production version.

Again, very much depends on the specifics of your setup.


"GaryB" <GaryB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:147488C4-2286-462B-A7A8-99034DAB325B@xxxxxxxxxxxxxxxx
Many Thanx Roger,
Makes a lot of sense what you suggest. Does this look OK for starters?
1 - Change the password that the developers use to log into servers & update
services that use it. Retain that account for system services only.
2 - Create an account in 2003AD for "Developers" and add the 2 users to that
group.
3 - On 2000 servers add the "Developers" account and give read only access to
drives.

If it's OK I will post back with other changes I make from your links to
check I am in the right direction? Lastly what are the default permissions in
your view for 2000 server C drives that have SQL or IIS installed?

Thanx
G
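Roger's suggestion above (DBO on a dev copy, read only on production) and Gary's question about "datareader" access both come down to SQL Server's own logins and database roles; NTFS read access on the data directory does not give a user anything through Enterprise Manager. The following T-SQL is an added example, not anything posted in this thread; it assumes a Windows group named DOMAIN\Devs and databases named Sales and Sales_Dev, which are placeholders.

```sql
-- Added example, not from the thread. Uses the SQL Server 2000-era system
-- procedures the thread's servers run. DOMAIN\Devs, Sales and Sales_Dev
-- are placeholder names; substitute your own.
USE master;
GO
-- One server login for the whole AD group; no per-user SQL logins needed.
-- Developers then connect with their own domain accounts.
EXEC sp_grantlogin 'DOMAIN\Devs';
GO

-- Production: map the login to a database user and keep it read-only.
USE Sales;
GO
EXEC sp_grantdbaccess 'DOMAIN\Devs', 'Devs';
EXEC sp_addrolemember 'db_datareader', 'Devs';
GO

-- Dev copy: full ownership so schema and data changes stay off production.
USE Sales_Dev;
GO
EXEC sp_grantdbaccess 'DOMAIN\Devs', 'Devs';
EXEC sp_addrolemember 'db_owner', 'Devs';
GO

-- Check: in production, Devs should appear under db_datareader only.
USE Sales;
GO
EXEC sp_helprolemember 'db_datareader';
EXEC sp_helprolemember 'db_owner';
GO

-- SQL Server 2005 and later equivalents of the grants above:
-- CREATE LOGIN [DOMAIN\Devs] FROM WINDOWS;
-- CREATE USER Devs FOR LOGIN [DOMAIN\Devs];
-- EXEC sp_addrolemember 'db_datareader', 'Devs';   -- or, 2012+:
-- ALTER ROLE db_datareader ADD MEMBER Devs;
```

Run the last two sp_helprolemember calls on each production database after the change; any membership in db_owner or db_ddladmin for the Devs user is the "extra" grant Roger warns about.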
