Re: Locked out of Enterprise Manager

From: Denny (mrdenny@gamespy.com)
Date: 02/14/03 

From: "Denny" <mrdenny@gamespy.com>
Date: Thu, 13 Feb 2003 17:32:08 -0800

Don't you just hate hackers. There such a pain.
When you went into the Server Config and changed it to Windows Auth you did
change it to windows log in only. The reason that EM (Enterprise Manager)
stopped working is that it didn't know what login to connect with. As you
seamed to have had it set to a SQL Login (It's not set for Windows Auth and
is using your Windows Account).

The login that you see on the Security tab of the Server Config window is
the Windows accout that the SQL Server runs under. If you open windows task
manager, select the processes tab, click view and Select Columns, then check
User Name. Click ok and check Show processes from all users, you'll see
that the SQL Server is running under the account name entered here.
.\Username is the same as localhost\UserName or MachineName\UserName. You
should be fine with that username in there.

As long as it's set to Windows only the "SA" login is useless. You will
need to change all your DSNs to use the Windows login, instead of a SQL
Login.

Edit Registration will have a place to enter a login is user select use SQL
Server Auth. However your server is set to Windows only, so that won't work
at all.

Yes BuiltIn\Admins is related to windows. That is the Administrators group
on your machine.
SA is a standard (or SQL) account (again it's useless with the server set to
Windows Auth).
The MyName which is a standard account is also useless with the server set
to Windows Auth.
The MyMachine/MyName doesn't really need to be there (unless your not in the
Windows Admin group).
It's good practice (at least I think it is) to remove the access from the
BUILTIN\Admin group and define all the users manually.
You will need to create an account for MachineName\IUSR_MachineName so that
the web server can connect.

I think I answered all the questions, if I missed any, please let me know. 

--
Denny Cherry
Database Administrator
GameSpy Industries
"Fox" <fox @ connexions .net> wrote in message
news:uK6sIW80CHA.2296@TK2MSFTNGP10...
> My goal was to get my SA account more protected. I am being hit
> several thousand times a day, apparently hackers seeking a password.
>
> It was suggested that I change the SA to Windows log in only.
> I thought I was in the right place when I went into the Server Config.
> I reset that to Windows Authentication. For the Start and Stop
> account, I had previously used the "This Account" option. But
> that was a while ago and I have no idea why other than that I
> am the only person who logs into the computer. I am the only
> person here ......
>
> That log in was in the format of [.\myname] . I am now guessing that
> is an SQL log in only, since there is no domain or machine name
> in there. So, I immediately lost the ability to access the only instance
> of the server I have. I fuddled around and stumbled onto the
> Edit Registration and saw another opportunity to play God.
> I set this one to Windows Authentication figuring I would either
> be locked out entirely or be re-established. The latter was true and I was
> able to log back into the server. Now I re-opened the Server
> Config and saw that it was still set to Windows Only  and still
> had the same login. So this perplexes me. Why is it working
> now and not before (rhetorical question)?
> Should I leave that alone or enter a new log in
> and change it back to Windows Only ? What is the format
> for the login since there is no browse ability? Note that I
> have no domain and no Active Directory. So I suppose it
> would be MachineName\Myname in some format.
>
> Will this be the answer to better protection of the SA account ?
> And will I need to change DSN connection logins and then
> also the templates I use against the database ?
>
> Edit Registration config has no place to enter a log in.
> That also has me a bit confused as to why it works.
> That merely had the choice of SQL or Windows.
> Is that automatically related to the Windows Admininstrator ?
>
> One more question to round this off and to keep safe.
> I see the Built In Admin in the Security Logins area.
> That appears to be related to the Windows Admin Group.
> Is this what explains my being able to have Enterprise find
> my server after chaning to Windows Only in the Editing Registration ?
> Note also that this says that SA is "standard".
> There is also a "myname" which is standard as
> well as a MachineName\MyName which is
> Windows User. Is my goal to have all of these
> Windows User ? My IUSR is also Windows User
> which I am guessing is the best way to control public
> access (hopefully).
>
> I am sorry if the above is convoluted. I really only need
> a few answers and I am supposing that after that I will have
> a good handle on all of it.
>
> Best Regards,
> Fox
>
>
> "Denny" <mrdenny@gamespy.com> wrote in message
> news:e6Sxim70CHA.2308@TK2MSFTNGP09...
> > Fox,
> >
> > I'll try to explain.
> >
> > The "Edit Registration Settings" window are your settings for connecting
> > your EM to the Server.  (EM is just a Client Application, even when
> > installed on the server).
> > The "Server Config" Screen is where the actual server settings are
setup.
> >
> > Making changes to the "Server Config" Screen makes changes to the actual
> > server (and should only be done with some thought and care), while
changes
> > to the "Edit Registration Settings" screen makes changes to your
client's
> > connection to the server.
> >
> > Does that answer your questions?  If not feel free to post or email me
> > directly.
> >
> > --
> > Denny Cherry
> > Database Administrator
> > GameSpy Industries
> >
> > "Fox" <fox @ connexions .net> wrote in message
> > news:OySeaV70CHA.1812@TK2MSFTNGP11...
> > > OK I am back to squasre one all is normal.
> > >
> > > But if anyone can clarify for me the relationship
> > > between the Edit Registration Settings and the
> > > Server Config Settings as far as how they both regards
> > > Logging in I would surely appreciate it.
> > >
> > > Thanks,
> > > fox
> > >
> > > "Fox" <fox@connexions.net> wrote in message
> > > news:uKg9mu50CHA.2308@TK2MSFTNGP09...
> > > > I went and did it. I followed some good advice, but did not
understand
> > it
> > > > entirely. Now I have issues ;)
> > > >
> > > > This takes place locally in Enterprise Manager.
> > > > I went into the Server Config properties and changed to Windows
> > > > Authentication.
> > > > My login for Start and Run SQL server was in this format. [
>  .\myname ]
> > > > I am supposing this was an SQL authentication, but do not remember.
I
> am
> > a
> > > > newbie.
> > > > Does the format tell me that this was an SQL login since there is no
> > > domain
> > > > or machine name present ?
> > > > I ok' this as it was.
> > > > NEXT:
> > > > It appears that since my login and Password were probably not based
on
> a
> > > > Windows 2000
> > > > account, Enterprise Manager lost connection and would no longer
> > connect..
> > > I
> > > > then
> > > > went in to the Edit Server registration properties and changed that
to
> > > > Windows
> > > > Authetication. Now I rebooted Enterprise Manager and I am again
> > connected.
> > > > The
> > > > Server Config properties still says Windows Authentication and my
old
> > > login
> > > > is still
> > > > there. I am now afraid to close this since I have no idea what I
have
> > > > actually done and
> > > > where I no stand. Can anyone straighten me out ?
> > > >
> > > > Questions include whether to change the Config back to SQL
> > authentication
> > > or
> > > > to
> > > > change the log in to a trusted windows login. What would the exact
> > format
> > > be
> > > > if I change it to (I do not use a domain) machinename myname ?
> > > > If it matters to tell me, why was I able to get back in when I went
> into
> > > the
> > > > Edit Registration properties and changed to a Windows Authentication
?
> > > >
> > > > I do not understand the difference or relationship between the
> > > Registration
> > > > (and its
> > > > properties) and the Server Config and its properties.
> > > >
> > > > Thanks,
> > > > Fox
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • SecurityFocus Microsoft Newsletter #154
    ... MICROSOFT VULNERABILITY SUMMARY ... ISS RealSecure Server Sensor SSL Denial Of Service Vulnerabi... ... Roger Wilco Remote Server Side Buffer Overrun Vulnerability ... available for Microsoft Windows operating systems. ...
    (Focus-Microsoft)
  • Re: Locked out of Enterprise Manager
    ... My goal was to get my SA account more protected. ... It was suggested that I change the SA to Windows log in only. ... I thought I was in the right place when I went into the Server Config. ...
    (microsoft.public.sqlserver.security)
  • SecurityFocus Microsoft Newsletter #49
    ... Subject: SecurityFocus Microsoft Newsletter #49 ... Microsoft Windows NNTP Denial of Service Vulnerability ... Microsoft IIS SSI Buffer Overrun Privelege Elevation Vulnerability ... Microsoft ISA Server H.323 Memory Leak Denial of Service... ...
    (Focus-Microsoft)
  • Re: ASP.NET User.Identity.Name value after a domain username chang
    ... Since .NET is just calling into Windows API calls to resolve the user name, ... I have an ASP.NET application that is on a Win2000 server in a domain ... I have a very confusing issue when the domain login of a user is ... I thought this might have been some caching issue on the client so I ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: CAN WE LOGIN TO A WINDOWS 2003 ACTIVE DIRECTORY DOMAIN OVER TH
    ... Having a user login to a windows 2003 server over the internet is not a good ...
    (microsoft.public.windows.server.active_directory)