RE: Developers/Production Security

From: Alvin Zhao[MSFT] (alvinzh@online.microsoft.com)
Date: 03/20/03

• Next message: Vinodk: "Re: Stored Procedure Question"
• Previous message: Leon Parker: "Stored Procedure Question"
• In reply to: Marc Miller: "Developers/Production Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: alvinzh@online.microsoft.com (Alvin Zhao[MSFT])
Date: Thu, 20 Mar 2003 02:16:26 GMT

Hi Marc,

When you connect to SQL Server in your program, you connect with a userid
and password, which is the security context that you use to access SQL
Server. You use this userid to perform all the server operation. When the
user is a member of sysadmin, the program will execute extended stored
procedure like xp_cmdshell in the security context of the account that
starts SQL Server service. If the user is not a member of sysadmin, it
executes xp_cmdshell in the context of another local account,
SQLAgentCmdExec, and not the SQL Server logon account. You can set
permissions on the SQLAgentCmdExec account accordingly. To run xp_cmdshell
for a non-system administrator user, you must grant the following rights.

MSSQLServer and SQLServerAgent Services

 - Act as part of the Operating System.

 - Increase Quotas.

 - Replace a process level token.

 - Log on as a batch job.

SQLAgentCmdExec Account

 - Log on as a batch job.

You must restart the entire server, not just the SQL Services, in order for
any changes made to user rights permissions to take effect.

Sincerely,

Alvin Zhao
Microsoft Support

This posting is provided "AS IS" with no warranties, and confers no rights.

• Next message: Vinodk: "Re: Stored Procedure Question"
• Previous message: Leon Parker: "Stored Procedure Question"
• In reply to: Marc Miller: "Developers/Production Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Error 15401 using sp_grantlogin (not addressed by current KB articles) ... Restarting Windows 2000 resolved the problem for this particular account, ... confused when it sees a duplicate SID. ... > One way to get SQL Server to agree with the renamed NT ... > Preview (to ensure the script was created), ... (microsoft.public.sqlserver.security) Re: SharePoint V3 Install Error ... But it our case it had to do with Group Policies that forbid the account of ... WSS FAQ:www.wssv3faq.com/wss.collutions.com ... Event Source: WindowsSharePointServices3Search ... whatever you are installing WSS as sufficient rights to the SQL Server ... (microsoft.public.sharepoint.windowsservices) RE: Problems with WebParts ... to a database called aspnetdb. ... > The connection string specifies a local SQL Server Express instance using a ... > server account must have read and write access to the applications directory. ... > This is necessary because the web server account will automatically create ... (microsoft.public.dotnet.framework.aspnet) Re: Cannot connect to Query Analyzer ... For Query Analyzer, I tried replacing the file as you suggested but had the ... same results (Enterprise Manager starts up fine, ... I created an account on my laptop and changed SQL ... Try replacing the MMC app for SQL Server from the original ... (microsoft.public.sqlserver.connect) Problems with WebParts ... The connection string specifies a local SQL Server Express instance using a ... database location within the applications App_Data directory. ... server account must have read and write access to the applications directory. ... logged-in user needs the dbcreator privilege in the appropriate SQL Server ... (microsoft.public.dotnet.framework.aspnet)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint