December 3, 2008 at 10:31 pm
Steve Jones - Editor (12/3/2008)
Comments posted to this topic are about the item
Breach of security is mandatory as only this lead to the improvement in the security practices.
kshitij kumar
kshitij@krayknot.com
www.krayknot.com
December 4, 2008 at 7:39 am
krayknot (12/3/2008)
Breach of security is mandatory as only this lead to the improvement in the security practices.
Are you saying that having the instance service account access files is a breach of security or that local Windows Administrators access files is a breach of security?
To me the question was more an operating system security question than a SQL Server security question. As such, there should be no SA account in the OS, and Agent service account should only have rights to execute the programs that allow it to manipulate data through the jobs interface, not access files directly. The instance service account needs full control of the data files in order to manage them, and the local Windows Administrators should have full control of the data files for the computer administrative purposes. It seems a fairly logical security setup to me.
December 4, 2008 at 8:41 am
I'm not sure what you mean as well. This is a question since there are services and subsystems in SQL that need access to files. For example, the service account needs the ability to write to data files and backup files, so it has control over files in certain folders.
December 5, 2008 at 12:31 am
krayknot (12/3/2008)
Steve Jones - Editor (12/3/2008)
Comments posted to this topic are about the itemBreach of security is mandatory as only this lead to the improvement in the security practices.
Not sure what you are trying to say....
December 5, 2008 at 11:13 am
Steve, I added "SA" to my answer and I think I am correct.
"SA" is represented externally as a service startup account and as such has full rights on the database files. I mean when I log in as SA (which I don't normally do, I use my Windows login) then if I am accessing external resources like files my security context will be SQL Server instance startup account. Which as was stated above, has full rights to the files (scope is limited to the files in this question)
I am not asking to get my points back, but if you do that it would be nice.
Regards,Yelena Varsha
December 8, 2008 at 6:15 am
Surely as mentioned earlier the SA account has by default full access to database objects. However if database storage is created on an external file system like a SAN the local server windows admin account may NOT have access.
Happy to be proved wrong but I do think you may have to look at this question again.
Pete
December 10, 2008 at 2:09 am
I think, Question is not very clear. For example If you remove Builtin\Administrator from sysadmin group, then Windows admin also does not have rights on newly created db.As mentioned in previous reply, SA is default Admin for SQL Server which can be enabled/disabled as per security policy.
Someone talked about SAN disk, he is very correct in his view. Win Admin does not have direct permission on network storage until made provision.
Let me know if there is any thing incorrect
🙂
January 10, 2009 at 8:32 pm
I am completely agree with you. The members of the local Administrators can be modify to exclude the local Windows Administrators group. This is a security good practice.
December 7, 2010 at 11:02 am
Mauricio Morales S (1/10/2009)
I am completely agree with you. The members of the local Administrators can be modify to exclude the local Windows Administrators group. This is a security good practice.
It's a good idea to ensure that Builtin\Administrators contains domain admins (I don't know whether it still does by defeult - it used to years back); that tends to mean that local domain admins get full control as well as local admins. And local Windows admins access rights are irrelevant unless you let them have domain access, assuming that the machine is set up to always boot as a domain member.
Also, I think that Yelena has a point about the SA account (when it exists) impersonating the sqlserver service account, so in effect it has full permissions.
Tom
Viewing 10 posts - 1 through 9 (of 9 total)
You must be logged in to reply to this topic. Login to reply