July 13, 2005 at 2:04 pm
There are a handful of Windows "mystery accounts" out there that I'd like to know more about, for a number of reasons ranging from curiosity to paranoia. All of these accounts can be configured as (NT authenticated group) SQL Logins--leastways on SQL 2000 sp3 on Windows XP pro, and probably other boxes on our system but I'm too chicken to try them out.
I call them "Mystery Accounts" because I can't find any serious documentation on them--certainly nothing on Microsoft Technet or Knowledge base (sites that would benefit from a serious overhaul on their search engines). These things appear to be MS "backdoor" functionality that they'd rather keep undocumented--but that's just me being paranoid again, right?
The ones I've heard about are:
NT Authority\Anonymous Logon
- I know this can be used to allow websites (ASP code?) on DMZ webservers to connect to SQL Server without any login/password configuration stuff. Pretty useful if you want to expose your database to the internet.
NT Authority\System
- (The one I'm focusing on now) Some references seem to think this is "LocalSystem", others think it is not, still others draw particulars between Windows 2003 and Windows [not 2003]. Huh?
NT Authority\Network Services
- Saw this while Googling about, associated with references to ASP .NET 2003. We do not have that installed here, yet SQL accepts it as a valid login...
NT Authority\Network
- Is this the same as or different from \Network Services? Who can say?
So what I'm really asking is, does anyone know of or have links to official (or even semi-official) sites that have detailed explanations just what these are, and if there are any more in this family?
Philip
July 13, 2005 at 3:08 pm
I'm not sure where all of these are used. Probably a security site, like SANS.org, might have some info. The system account is used for local services that need an account to connect. SQL might accept this if configured. You could lock out any of these is my guess.
July 13, 2005 at 3:14 pm
The worst that will happen is that you'll get a call that the guy can't connect anymore... But I don't think you will get it.
July 13, 2005 at 9:25 pm
I don't want to block it, I want to enable it. The current plan is to install SQL Server (Developer Edition) on all the Developers' machines. No way do I configure this with the same domain account as the "real" instances [one small SQL Agent job-fired OSQL call and suddenly you're SysAdmin on Production], and it seems a bit much to establish a domain account for them individually... which leaves ye olde "LocalSystem" account. The conventional way of granting access rights to that is BUILTIN\Administrators, and I stopped using that week two of my DBA career... and then I thought, how to directly grant LocalSystem SysAdmin rights? (Which led to confused postings on non-SSC forums and inevitably to this thread.)
Yeah, I should probably just make a new domain account, but then I have to explain it all to the network admin, establish a password, and go through tedious configuration steps, and I'd rather try and do something clever* any day.
Philip
*Clever: A wifty idea you have today that generates copious amounts of work tomorrow.
July 13, 2005 at 9:34 pm
*Clever: A wifty idea you have today that generates copious amounts of work tomorrow.
July 17, 2005 at 8:43 pm
I don't recall where I found this, but I think it will do what you need:
sp_grantlogin 'NT AUTHORITY\SYSTEM'
go
sp_addsrvrolemember N'NT AUTHORITY\SYSTEM' , 'sysadmin'
go
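As an added example that is not part of the thread: an audit script, written against the master.dbo.syslogins view available on the poster's SQL Server 2000 instance (and kept as a compatibility view on later releases), that lists which built-in NT AUTHORITY and BUILTIN logins exist on an instance and whether each holds the sysadmin role, so a DBA can see where the recipe above, or the BUILTIN\Administrators default, has already granted it.

```sql
-- Added example (not from the thread): audit which built-in Windows logins hold sysadmin.
-- master.dbo.syslogins exists on SQL Server 2000 and survives as a compatibility view later.
-- Run it as a member of sysadmin or securityadmin so every login is visible.
SET NOCOUNT ON

-- Every login in the families the thread asks about, with its type and server-role bits.
SELECT name,
       CASE WHEN isntgroup = 1 THEN 'NT group'
            WHEN isntuser  = 1 THEN 'NT user'
            ELSE 'SQL login' END AS login_type,
       sysadmin, securityadmin, serveradmin, denylogin
FROM   master.dbo.syslogins
WHERE  name LIKE 'NT AUTHORITY\%'
   OR  name LIKE 'BUILTIN\%'
ORDER  BY name

-- Flag the specific case the thread ends with: LocalSystem as a sysadmin member.
-- Anything running as LocalSystem on that box (services, scheduled tasks) then owns the instance.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE name = 'NT AUTHORITY\SYSTEM' AND sysadmin = 1)
    PRINT 'NT AUTHORITY\SYSTEM is a member of sysadmin on this instance'
ELSE
    PRINT 'NT AUTHORITY\SYSTEM is not a sysadmin member'

-- Cross-check against the documented role listing procedure (SQL Server 2000 and later).
EXEC sp_helpsrvrolemember 'sysadmin'
```

Run it on each Developer Edition box after applying the two statements above, and again on the production instances, to confirm the sysadmin grant stayed where it was intended.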