win2k security monsters

  • I am trying to prove a point with the network admin. They say that SQL Server Agent does not need Admin access to the server (win2k). I say it does in order to auto-restart from an unexpected failure and to run jobs not belonging to members of the sysadmin server role. This is a hot topic here. Also, if there is some way around SQL Agent not having this level of rights, I would love any input. I have set up the SQL to start and stop with a dedicated user account with admin rights. Net services says this is a security hole... who is right?

    Thanks for any input.

  • Why are you running it as a user? MAIL, or access to the network? If running as a normal service it would have god rights on the local machine. Last question, you mean admin on the SQL box alone, correct? In other words, a domain user that belongs to the local server administrators group?

    Tim C //Will code for food



  • Maybe I could give some background. I had the server set up to start the SQL Server Agent with a dedicated user on the local machine. This user had local Admin rights on the server and SA rights in SQL. I did this so that I could have users call a stored proc that kicks off a job (which exports a file via DTS). I do not want the users to have admin access, so when the cmdshell job kicks, it goes to the account that starts up SQL in order to run this. If the SQLserviceAgent was set up to start using a local account, it would not have permissions to run this job.

    The problem comes in when the 2k admin wants to lock the server down and not let the startup account have local admin rights on the 2k server. Although the user still has appropriate rights in SQL, it cannot kick a cmdexec job because it does not have rights on 2k. I hope I cleared up your questions. I did find an article from Microsoft on this issue... however, I cannot convince my coworkers that this is needed.

  • Have you tried to set up a SQL Server Agent Proxy account for those users who do not have 'sa' rights to execute a CMDExec job step? Granting users 'sa' privilege is not good security practice in SQL Server.
