RE: Win2000 OS Access for SQL Server Admin
From: Kevin McDonnell [MSFT] (kevmc_at_online.microsoft.com)
Date: 03/10/04
- Next message: Kevin McDonnell [MSFT]: "RE: SQL Authentication"
- Previous message: Jeff L.: "RE: defaulting newly created objects to DBO"
- In reply to: Mateo: "RE: Win2000 OS Access for SQL Server Admin"
- Next in thread: Peter_at_NL: "RE: Win2000 OS Access for SQL Server Admin"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 10 Mar 2004 19:30:18 GMT
Previous post:
My questions are, why did this service fail to start and
yet the other SQL services start successfully before
granting the Administrators or the System account
sysadmin privileges?
Changes in SP3 make it necessary for SQL Agent, if required, to run as an
Admin account. LocalSystem has more privileges than local administrator.
If you're not using SQLAgent, then you could either disable the service or
set it to manual.
SQL Server Agent will need local Windows administrator privileges if one of
the following is true:
- SQL Server Agent connects to SQL Server using SQL Server Authentication
  (not recommended).
- SQL Server Agent uses a multiserver administration master server (MSX)
  account that connects using SQL Server Authentication.
- SQL Server Agent runs Microsoft ActiveX® script or CmdExec jobs owned by
  users who are not members of the sysadmin fixed server role.
Also, what are the security risks with granting System sysadmin privileges
vs creating a local windows account and using this to startup the
services? I'd like to use the most secure method.
The risks are associated with a compromise of the system. If "bad guys" can
compromise a SQL box, then they may be able to run under the context of the
service account. So, if the account has admin or domain admin privileges,
then you're at risk. Best practices are to run the MSSQLService account
under a local NT user account or domain user account.
This goes hand in hand with good password policies, protecting the server
by a firewall, keeping the server up to date on patches (Windows Update/SMS
or SUS), running good antivirus software.
You need to assess your threats to your environment and decide what actions
are necessary to take. For example, what protocols are running on this
machine, what machines have access to this machine? Is the machine in a
DMZ or is it sitting in the local LAN in the Accounting Dept.?
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
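Added example, not part of the original post or Microsoft's own code: a T-SQL check for the third condition in the list above, that is, whether any Agent job with CmdExec or ActiveX script steps is owned by a login outside the sysadmin role. It assumes the standard msdb job tables (sysjobs, sysjobsteps) and that it is run by a sysadmin login.

```sql
-- Added example (not from the original post).
-- Lists SQL Server Agent job steps that use the CmdExec or ActiveX scripting
-- subsystems and whose job owner is not a confirmed member of sysadmin.
-- Assumption: executed by a sysadmin login, so IS_SRVROLEMEMBER can
-- evaluate role membership for other logins.
SELECT
    j.name                   AS job_name,
    j.enabled                AS job_enabled,
    SUSER_SNAME(j.owner_sid) AS job_owner,
    s.step_id,
    s.step_name,
    s.subsystem,
    CASE
        -- Owner SID no longer maps to a login (deleted or orphaned owner).
        WHEN SUSER_SNAME(j.owner_sid) IS NULL
            THEN 'owner login not found: review'
        -- IS_SRVROLEMEMBER returns NULL when it cannot resolve the login.
        WHEN IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)) IS NULL
            THEN 'sysadmin membership unknown: review'
        ELSE 'owner is not a sysadmin member'
    END                      AS finding
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s
    ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'ActiveScripting')
  -- Keep rows where membership is 0 (not a member) or NULL (unresolved).
  AND ISNULL(IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)), 0) <> 1
ORDER BY j.name, s.step_id;
```

An empty result means the third condition does not apply on that server; the two SQL Server Authentication conditions still have to be checked in the Agent connection settings.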