Re: Login with no Fixed Server Role and DB Role can stop SQL Agent Service?

From: BP Margolin (bpmargo@attglobal.net)
Date: 08/23/02 

From: "BP Margolin" <bpmargo@attglobal.net>
Date: Fri, 23 Aug 2002 08:25:48 -0400

Johnathen,

Well, I'm out of ideas ... sorry ;-(

If no one else chimes in, you might consider opening a case with Microsoft
Product Support Services. If it turns out to be a bug in Enterprise Manager,
then PSS should not charge you.

-------------------------------------------
BP Margolin
Please reply only to the newsgroups.
When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.) which
can be cut and pasted into Query Analyzer is appreciated.

"Johnathen Liew" <johnliew@rocketmail.com> wrote in message
news:e#fkdinSCHA.3552@tkmsftngp08...
> BP,
>
> I guess I didn't clearly specify the rights of the user. The user is
holding
> a Window 2000 Login with Domain User default permissions, therefore he is
> not suppose to stop any of the services of my SQL Server 2000.
>
> Thanks.
>
> Johnathen
>
> "BP Margolin" <bpmargo@attglobal.net> wrote in message
> news:O$yHp1jSCHA.1496@tkmsftngp11...
> > Johnathen,
> >
> > I did a quick review of this thread, and unless I'm mistaken you never
> > actually answered the question about the permissions the user has re:
the
> > operating system. Forget about SQL Server for the moment. What are the
> > permissions for the user's Windows login? Would the user, completely
aside
> > from Enterprise Manager, be able to successfully issue a "net stop" for
> the
> > SQL Server Agent Services from a command prompt?
> >
> > -------------------------------------------
> > BP Margolin
> > Please reply only to the newsgroups.
> > When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.)
which
> > can be cut and pasted into Query Analyzer is appreciated.
> >
> > "Johnathen Liew" <johnliew@rocketmail.com> wrote in message
> > news:enf0UrZSCHA.1644@tkmsftngp08...
> > > BP,
> > >
> > > As I said, the user uses the limited login to register the SQL server
on
> > his
> > > Enterprise Manager, but he is still able to stop the SQL Agent
> > Services....
> > >
> > > Any ideas?
> > >
> > > Johnathen
> > > "BP Margolin" <bpmargo@attglobal.net> wrote in message
> > > news:Ov$ZuwTSCHA.3360@tkmsftngp11...
> > > > Johnathen,
> > > >
> > > > Thanks for the additional information.
> > > >
> > > > Check the login used to register SQL Server within Enterprise
Manager
> > ...
> > > >
> > > > Right-click the server name, choose Properties, choose "Edit SQL
> Server
> > > > Registration properties ..."
> > > >
> > > > -------------------------------------------
> > > > BP Margolin
> > > > Please reply only to the newsgroups.
> > > > When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.)
> > which
> > > > can be cut and pasted into Query Analyzer is appreciated.
> > > >
> > > > "Johnathen Liew" <johnliew@rocketmail.com> wrote in message
> > > > news:uKqBGJNSCHA.3736@tkmsftngp11...
> > > > > Hi BP,
> > > > >
> > > > > Sorry for the lack of exact information. This restricted user is
> > suppose
> > > > to
> > > > > connect thru the SQL Server by means of SQL Client Tools and
> > > Connectivity.
> > > > > He will use Enterprise Manager to execute the DTS package. We
found
> > out
> > > > > that, he is able to stop the SQL Agent Service by going into
> > Enterprise
> > > > > Manager, right-clicking the SQL Agent Service, and stop it. This
> user
> > is
> > > > > holding a SQL login, and is not holding any Windows 2000 login in
> the
> > > SQL
> > > > > Server.
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > Johnathen
> > > > >
> > > > > "BP Margolin" <bpmargo@attglobal.net> wrote in message
> > > > > news:O8PQ$jLSCHA.1648@tkmsftngp08...
> > > > > > Johnathen,
> > > > > >
> > > > > > You might indicate in the future the exact process by which the
> user
> > > is
> > > > > able
> > > > > > to stop the SQL Server Agent service.
> > > > > >
> > > > > > It sorta sounds as if you are mixing SQL Server permissions with
> > that
> > > of
> > > > > the
> > > > > > operating system.
> > > > > > Stopping a service ... regardless if it is the SQL Agent
service,
> or
> > > any
> > > > > > other ... is a function of the rights of the user defined on the
> > > > operating
> > > > > > system.
> > > > > >
> > > > > > To express this another way ... the SA is god within SQL Server,
> > > right.
> > > > > > Well, unless the SA has the requisite operating system
> permissions,
> > > the
> > > > SA
> > > > > > can NOT start the SQL Server service. (BTW, just to completely
> > > accurate,
> > > > > the
> > > > > > SA can stop SQL Server via the SHUTDOWN command, even if the SA
> > would
> > > > not
> > > > > > normally have the operating system permissions to stop the SQL
> > Server
> > > > > > service.)
> > > > > >
> > > > > > Review the operating system rights granted the user.
> > > > > >
> > > > > > -------------------------------------------
> > > > > > BP Margolin
> > > > > > Please reply only to the newsgroups.
> > > > > > When posting, inclusion of SQL (CREATE TABLE ..., INSERT ...,
> etc.)
> > > > which
> > > > > > can be cut and pasted into Query Analyzer is appreciated.
> > > > > >
> > > > > > "Johnathen Liew" <johnliew@rocketmail.com> wrote in message
> > > > > > news:uvvEeaLSCHA.1756@tkmsftngp11...
> > > > > > > Hi,
> > > > > > >
> > > > > > > We have a scenerio, where we need to create a DTS package,
which
> > is
> > > > run
> > > > > by
> > > > > > a
> > > > > > > designated user. This user should have no other rights other
> than
> > > > > running
> > > > > > > the DTS package. We created a login, with no Fixed Server
Roles
> > and
> > > no
> > > > > > > Database Roles. This user is able to execute the package, but
he
> > is
> > > > able
> > > > > > to
> > > > > > > stop the SQL Agent services as well, which is bad, but he
cannot
> > > > > > drop/create
> > > > > > > tables, which is good.
> > > > > > >
> > > > > > > Is this a SQL Server bug? Any idea anyone?
> > > > > > >
> > > > > > > We are using SQL Server 2000 Enterprise Edition with SP2.
> > > > > > >
> > > > > > > Thanks
> > > > > > > Johnathen Liew
> > > > > > >
> > > > > > > "Donna Lambert [MS]" <dlambert@online.microsoft.com> wrote in
> > > message
> > > > > > > news:I0wk$8URCHA.2468@cpmsftngxa06...
> > > > > > > > Adrian,
> > > > > > > > Seems like it would be much simpler to password protect your
> dts
> > > > > > packages.
> > > > > > > > Just a suggestion.
> > > > > > > > Donna Lambert
> > > > > > > > Microsoft SQL Server Support
> > > > > > > >
> > > > > > > >
> > > > > > > > Disclaimer:
> > > > > > > > This posting is provided "AS IS" with no warranties, and
> confers
> > > no
> > > > > > > rights.
> > > > > > > >
> > > > > > > > Are you secure? For information about the Microsoft
Strategic
> > > > > Technology
> > > > > > > > Protection Program and to order your FREE Security Tool Kit,
> > > please
> > > > > > visit
> > > > > > > > http://www.microsoft.com/security.
> > > > > > > >
> > > > > > > >
> > > > > > > > Recent viruses on the Internet underscore the threat to all
> > > computer
> > > > > > users
> > > > > > > > and highlight challenges facing the entire industry in
> providing
> > > > > > security
> > > > > > > > that everyone needs to conduct business. I encourage you to
> sign
> > > up
> > > > to
> > > > > > > > receive automatic notification of Microsoft Security
Bulletins
> > by
> > > > > > visiting
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
> > > > > > > > bulletin/notify.asp. For more information on security, our
> > > Strategic
> > > > > > > > Technology Protection Program and to order your FREE
Security
> > Tool
> > > > > Kit,
> > > > > > > > please visit http://www.microsoft.com/security. We will be
> happy
> > > to
> > > > > > answer
> > > > > > > > any questions or provide assistance with your security
needs.
> > > > > > > >
> > > > > > > > --------------------
> > > > > > > > | Content-Class: urn:content-classes:message
> > > > > > > > | From: "Adrian" <adrianw@persoft.com.my>
> > > > > > > > | Sender: "Adrian" <adrianw@persoft.com.my>
> > > > > > > > | Subject: DTS Security
> > > > > > > > | Date: Thu, 15 Aug 2002 20:29:53 -0700
> > > > > > > > | Lines: 8
> > > > > > > > | Message-ID: <2d4401c244d5$2fa91c50$35ef2ecf@TKMSFTNGXA11>
> > > > > > > > | MIME-Version: 1.0
> > > > > > > > | Content-Type: text/plain;
> > > > > > > > | charset="iso-8859-1"
> > > > > > > > | Content-Transfer-Encoding: 7bit
> > > > > > > > | X-Newsreader: Microsoft CDO for Windows 2000
> > > > > > > > | X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
> > > > > > > > | Thread-Index: AcJE1S+pE2PllW9uQampwdIwCabugg==
> > > > > > > > | Newsgroups: microsoft.public.sqlserver.security
> > > > > > > > | Path: cpmsftngxa06
> > > > > > > > | Xref: cpmsftngxa06
microsoft.public.sqlserver.security:7577
> > > > > > > > | NNTP-Posting-Host: TKMSFTNGXA11 10.201.226.39
> > > > > > > > | X-Tomcat-NG: microsoft.public.sqlserver.security
> > > > > > > > |
> > > > > > > > | Hi,
> > > > > > > > | I want to create a user id where this id can only run
> > > > > > > > | DTS. Other function like starting of the SQL Agent, backup
> > > > > > > > | database should not be given access right. Could anyone
> > > > > > > > | help what type rights should i assign to this userid.
> > > > > > > > |
> > > > > > > > | Thanks
> > > > > > > > | Adrian
> > > > > > > > |
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: login security question
    ... > I have an application which connects to the SQL server. ... Use Enterprise Manager to access the database / roles. ... Give the Application Role the appropriate permissions. ... what the stored proc is called) using the secret password for the App Role ...
    (microsoft.public.sqlserver.server)
  • Re: SQL Server Security: NT Groups
    ... permissions from their group membership. ... So if I'm a member of GroupA and GroupA is granted a login ... SQL Server and access database B. ... membership, role membership with deny taking precedence. ...
    (microsoft.public.sqlserver.security)
  • Permissions!
    ... permissions to database objects are concerned. ... I have a SQL Server 7.0 database table which has 6 columns. ... REVOKE or DENY permissions to these 3 users? ... Please note that I login to my Windows 2000 Professional machine using ...
    (microsoft.public.sqlserver.security)
  • Re: SQL Server Security: NT Groups
    ... >permissions from their group membership. ... >So if I'm a member of GroupA and GroupA is granted a login ... >>I'm new to SQL Server security and I don't know if it is ... >>then just add the 2 logins to the SQL Server Roles. ...
    (microsoft.public.sqlserver.security)
  • Re: Security question ..
    ... > If you use NT authentication, a user's permissions to a database are ... Your assertion that a user's permissions are independent of the application ... Even using Access and "exploring" will require an ODBC login to SQL Server. ...
    (microsoft.public.sqlserver.server)