Re: Many Installations of MSSQLSERVER.
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: Fri, 3 Dec 2004 23:13:20 -0700
Many strands triggered in your reply.
It is great that you do have the buy-in to do things well,
and even better to hear that the LUA objectives of least
access have taken root.
First, one thing you mentioned was security of multiple
installs, if things were that way. You should be aware
that you can use the patch checking engine of the current
version of MBSA (MS Baseline Security Analyzer) to
check service pack and security patch level of SQL and
MSDE installs. From a machine where MBSA is installed
drop to a cmd prompt, cd to the MBSA install dir, and issue
mbsacli -hf -?
You can provide list of target machines in file, etc..
Now, this does not of course address the majority of SQL
install wellness issues like sane sa acct, accts/groups in
the SA server role, use of external procs, etc.. But, with
hfnetchk scan showing you 1) what machines did not let
you scan and 2) what machines have SQL and/or MSDE
instances you on staff DBA could no doubt come up with
a sproc that could interrogate those for the basic sanity
checklist of config items. Now, a last word on the use of
MBSA in this way. In addition to administrative rights on
the target machines, the hfnetchk scan will not work if the
targets are firewalled (doh - but for completeness mentioned),
if they do not have at least C$ shared (the admin shares, but
I have found that I really only need at least a temp C$ allowing
administrators even though the target has admin shares off, and
this one can turn on with remote script prior to the scan), or if
the remote registry service is shut off (again, can be started by
remote script prior to the scan).
Next, you made a mention of cost. I do not know whether your
shop is VStudio based, Delphi, or what. If VStudio it is now
pretty hard to not have license allowing dev version of SQL,
but you need to check what and how the dev shop is licensed.
Unless I am mistaken, as a holder of an SQL Server license
you are allowed client tools install without limit. I am no final
word on licensing matters. MSDE is of course free, and IIRC
the terms have loosened considerably from initial days.
I need to review whether the new mgmt interface tool MS has
released into beta is in the open beta, but that provides another
alternative relative to the client tools install.
It seems to me that a potentially compelling way to go would
be to look at central support of the main dev/test, but also
look at facilitating (temporary) dev local MSDE installs
(or better SQL Express - but that is a versioning issue no
doubt for the app release cycle). You could easily set up
such MSDE so that it gets a copy of a test suite DB loaded
into it with DTS from the dev/test SQL Server. Finally, if the
dev/test SQL Server is Enterprise version, it can accomodate
scenarios for devs in named SQL instances.
Anyway, it seems that there are a number of routes that are
cheap to free and within (what I understand of) licensing
(of course we did not mention CALs or per-proc lics).
So, other than periodic MBSA hfnetchk scans to know where
there is an SQL install (of course you could do that with a
script that just does some WMI poking into the registries of
the systems looking at the MSSQLServer keying - but MBSA
also gives basic health of the bits) how could you exert some
form of enforced control ? Like I said in initial post, about
the best idea I can come up with is to use software restriction
policies via GPO that impacts these dev machines. With it
you could prevent the users from running short list of key exes,
and of course you can have the GPO set the known / commonly
seen service instance names to disabled (it does not hurt to have
services named that are not on machines in scope of the GPO).
All this is totally circumventable while they are local admins.
However, it might just trigger enough of a hurdle to give them
pause to thing better of what they were about to try. With much
regret, the bottom line is that admins can, and that an example
semi-gently hung by the nails outside the coffee room has more
impact that all of the preparatory emails/notices of policy added
together. Getting them able to work as non-admins is IMHO
the key, both to your objectives here, and to the software
quality delivered (I have a total dislike of "well written",
and "well tested" apps which were however never tested by
a non-admin account !!).
Good luck Steve,
-- Roger Abell Microsoft MVP (Windows Security) MCSE (W2k3,W2k,Nt4) MCDBA "The Poster" <nospam@nospam_dontyoudare.net> wrote in message news:eEP$onR2EHA.3236@TK2MSFTNGP15.phx.gbl... > Thanks for your detailed post Roger. > > Would you believe that I've got the DBA and Project Managers support on this > one? This motion is driven by the DBA group and the Project group so as far > as support is concerned I'm on a winner. Question: Do you think that Client > side 'full installations' of SQL Server are costly, dangerous (remember > slammer?), and system intensive? The bottom line is that I have to figure > out some way of disabling the MSSQLSERVER service and all named instances > (and in time remove it) - to facilitate compliance I will be conducting > regular SQLScan's, where non-compliance will be dealth with. I have made > provisions for Client Tools (Query Analyzer, Enterprise Manager, etc) on the > DEvelopers systems - I appreciate these are essential tools that are needed > to perform there day to day duties. > > In the longer term, I'm planning on revoking Developers Admin level > priviledge on all systems. I've been reading alot of what Keith Brown has > been saying with regards to Security, and I (like our Software Architect) > have been converted to the Longhorn concept of Least Priviledged User > account - that is the most secure way to go. I can even use our own Chief > Software Architect as an example, he had his system rebuilt 6 months ago, > and since that day he has manged to do 99% of his development work as a > Standard user. > > Regards, > Steve. > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message > news:erAlTPR2EHA.firstname.lastname@example.org... > > If you try using services control from GPO, to disable the > > SQL services, what you will likely find is that developers > > are resouceful and will just install a named instance of > > SQL as the main service is named for the instance name. > > You could cripple the other services which are not named > > in an instance sensitive way, but SQL itself would escape > > your net. > > > > Also, whether setting the service to disabled through the > > services portion of GPO or through direct tweaking of the > > start key in the reg, this does not prevent them from installing > > and running it. As they can install, they are apparently admins, > > and as admins they can change the service to manual or auto > > long enough to start it. When policy reapplies and sets it back > > to disabled it does not necessarily also stop it. Now, you > > may be able to combine setting the service to disabled with > > software restriction policy so that they cannot start it, but if > > you cannot be sure of the service instance name to disable it > > then they could get it started by the system at boot. > > > > To answer your actual question, I am not aware of a template > > for use in GPO to manage SQL or its internal state. > > > > So, what to do? > > First - make sure you understand why the devs have SQL > > installed. If your environment has legal VStudio on their > > machines, it is very possible that they legally have the > > dev version of SQL installed. Also, what are they working > > on? Perhaps these are MSDE version of SQL and will ship > > out packaged with what they are building. > > It might be more simple to just force those machines to > > have their patch level up-to-date. It might be better to > > provide them with the client tools for SQL but require > > them to use MSDE (which can be made to speak only > > machine-locally and be unresponsive over the wire). > > It would seem to me that the last thing one would want > > to do is make their job harder. I can imagine a number > > of dev scenarios in which forcing them to share a remote > > SQL could complicate their lives, but then I am the one > > with SQL server alway installed on the laptop ! On the > > other hand, making use of a SQL server remote from the > > apps they dev/test might be of value for the quality of > > what they will ship. It may be worth exploring whether > > this is so and you could find support in your objective > > from their project mgmt, as with their being admins it > > will be hard to make it so without also having cooperation. > > > > -- > > Roger Abell > > Microsoft MVP (Windows Security) > > MCSE (W2k3,W2k,Nt4) MCDBA > > "The Poster" <nospam@nospam_dontyoudare.net> wrote in message > > news:OYDIBvH2EHA.2196@TK2MSFTNGP14.phx.gbl... > > > G/day forum, > > > > > > I've got a problem where all my Development users have full > installations > > of > > > MSSQLServer. I want to disable this (for obvious security and financial > > > reasons) and allow SQL Server on a few dedicated (managed) Development > SQL > > > servers. > > > > > > This is what I'm thinking: > > > 1) Active Directory - Group Policy Object. The problem is I cant find a > > > relevant template that incorporates the SQL Services. > > > 2) Through Registry file modification of the Start value - > > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLSERVER. > > > > > > Either way I'll be deploying the change through Group Policy, and > ideally > > I > > > would have a template that incorporated the SQL service, that way I > > wouldn't > > > have to directly go tampering with any registry files.. > > > > > > Your ideas and/or comments would be greatly appreciated. > > > > > > Regards, > > > Steve. > > > > > > > > > > > >