Security Gotcha

  • I have been slowly removing BUILTIN\Administrators from our servers. Yesterday I removed it from a (test, thankfully) cluster. I did add the ID that SQL Server runs under as SA specifically; it is Local Admin.

    But the ID the Cluster service runs under apparently needs SA as well. So if you eliminate BUILTIN\Administrators from a cluster, you need to remember to add the Cluster service ID as SA.

    KlK, MCSE


  • Thanks for the note. Might be implementing a cluster soon and it's nice to see some info on gotchas.

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

    http://www.dkranch.net

  • I think it uses DMO to monitor and manage the SQL components.

    There was some form of ODBC logon failure referencing the Cluster Service ID.

    KlK, MCSE


  • I have a two-node active/passive cluster, and when my sysadmin and I created the cluster we also created an account JUST for the cluster services. I've gotten rid of BUILTIN\Administrators and have had no problems.

    I highly suggest that when installing anything, when asked for an account to run services under, you create a new service account. We use a login ID beginning with the @ symbol to identify services. So, @ClusterSvc is the one we created for our cluster to run under. For our backup services we would use @BackupSvc. This method can be used for all services and quickly identifies what logins are for services and which are users.

    -SQLBill

  • There is a KB article on this:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;263712

    The Cluster service account does need SA rights. This hasn't changed. BTW, it'll be the one that queries the service to make sure it's still up and fails over if it's not.

    If you are using Full-Text on a system, cluster or not, you'll also need to add [NT Authority\System] access as well as a sysadmin. This article points that out and there are a couple of other KB articles for stand-alone systems where if you don't, you have performance issues.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley
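
The order of operations the thread describes, as an added T-SQL example that is not part of any post above: grant the Cluster service account (and NT AUTHORITY\SYSTEM when Full-Text is in use) its own sysadmin membership, verify it, and only then remove BUILTIN\Administrators. The account name `MYDOMAIN\ClusterSvc` and the `@UsesFullText` flag are placeholders; the script assumes the `sp_grantlogin`, `sp_addsrvrolemember` and `sp_revokelogin` procedures and the `master.dbo.syslogins` view are available on the instance.

```sql
-- Added example; account names are placeholders, not values from the thread.
DECLARE @ClusterAcct sysname, @UsesFullText bit
SET @ClusterAcct  = N'MYDOMAIN\ClusterSvc'  -- placeholder: ID the Cluster service runs under
SET @UsesFullText = 1                       -- set to 0 if Full-Text is not used

-- 1. Give the Cluster service account its own login and sysadmin membership,
--    so it no longer depends on the BUILTIN\Administrators group.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE loginname = @ClusterAcct)
    EXEC sp_grantlogin @ClusterAcct
EXEC sp_addsrvrolemember @ClusterAcct, 'sysadmin'

-- 2. Full-Text also needs NT AUTHORITY\SYSTEM as a sysadmin.
IF @UsesFullText = 1
BEGIN
    IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
                   WHERE loginname = N'NT AUTHORITY\SYSTEM')
        EXEC sp_grantlogin N'NT AUTHORITY\SYSTEM'
    EXEC sp_addsrvrolemember N'NT AUTHORITY\SYSTEM', 'sysadmin'
END

-- 3. Pre-flight check: stop if a required account lacks sysadmin or is denied.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = @ClusterAcct AND sysadmin = 1 AND denylogin = 0)
   OR (@UsesFullText = 1 AND NOT EXISTS
          (SELECT 1 FROM master.dbo.syslogins
           WHERE loginname = N'NT AUTHORITY\SYSTEM'
             AND sysadmin = 1 AND denylogin = 0))
BEGIN
    RAISERROR('Required service account is not a sysadmin; BUILTIN\Administrators left in place.', 16, 1)
    RETURN
END

-- 4. Show who holds sysadmin before the group is removed, for review.
SELECT loginname, isntgroup, isntuser
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY loginname

-- 5. Remove the group login only after the checks above have passed.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE loginname = N'BUILTIN\Administrators')
    EXEC sp_revokelogin N'BUILTIN\Administrators'
```

Run it on a test cluster first and confirm from the step 4 output that at least one login you control is still a sysadmin.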
