Re: SQLServer2005MSSQLUser - Using Sledgehammer to crack a peanut?



Look at the group in SQL Server. Note that members of this
group are in the sysadmin group by default.
Those groups are created by the installation for the service
accounts for the various services. That one in particular is
for the SQL Server logon account. Members of this group also
have additional permissions on the server itself.
If they had you add all users to that group, they just had
you make everyone a sysadmin on that SQL Server box and give
the extra OS permissions needed by the service account. And
yes, that is a huge security risk.
I can't think of any reasonable explanation as to why
someone would do that. I can think of reasons, but nothing
reasonable.

-Sue

On Mon, 16 Jul 2007 17:44:01 -0700, Paul Miller <Paul Miller@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Recently a 3rd Party Application was installed on a couple of client PCs, and
a database was added to our SQL server.
The guy who came to do the installation said we needed to add our
"Domain\Users" account to the
SQLServer2005MSSQLUser$Server$SQLInstance Group.

I'm afraid by doing this we have given way too much access to our SQL server
to all users, but I'm not 100%.

Could someone please let me know if we have created a huge security risk,
and if possible, a reason why, so I can throw it back at the 3rd Party?

Thanks very much
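
Added example, not part of the original thread: a T-SQL audit that lists every login in the sysadmin fixed server role and then expands each Windows group among them, which is one way to check the group membership discussed above. It assumes SQL Server 2005 or later and a session that is itself sysadmin; the cursor and variable names are illustrative.

```sql
-- Added example; run as a sysadmin on SQL Server 2005 or later.

-- 1. Every login in the sysadmin fixed server role, Windows groups first.
SELECT p.name AS login_name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY CASE p.type WHEN 'G' THEN 0 ELSE 1 END, p.name;

-- 2. For each Windows group holding sysadmin, list its direct members.
--    xp_logininfo does not recurse: a nested group shows up as one row
--    whose type column is 'group'.
DECLARE @grp sysname;
DECLARE grp_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT p.name
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin' AND p.type = 'G';   -- 'G' = Windows group

OPEN grp_cur;
FETCH NEXT FROM grp_cur INTO @grp;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        PRINT N'Members of ' + @grp;
        EXEC master..xp_logininfo @acctname = @grp, @option = 'members';
    END TRY
    BEGIN CATCH
        -- A group that can no longer be resolved is reported, not fatal.
        PRINT N'Could not expand ' + @grp + N': ' + ERROR_MESSAGE();
    END CATCH;
    FETCH NEXT FROM grp_cur INTO @grp;
END
CLOSE grp_cur;
DEALLOCATE grp_cur;
```

A row of type group in the second result set means every account in that nested group inherits sysadmin through the parent group.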
