Directory/File Permissions

Question

Post reply

Directory/File Permissions

Greg Larsen

SSC-Insane

Points: 20961
More actions
October 21, 2002 at 4:31 pm

#58389

We have a software package that scans SQL Server and looks for Security issues. One of the scans looks at file permissions. This scan says reports an error for any file that has "Full Control" permissions associated with it on our SQL Server box.
It has been suggested that I remove the full control from the BINN directory, as well as 4000+ other files.
Here is the question: Has anyone ever changed the permissions for SQL Server binarys to something other than "Full Control"? If so do you have any advice on the do's, and don'ts.
Gregory Larsen, DBA
If you looking for SQL Server Examples check out my website at http://www.geocities.com/sqlserverexamples
Gregory A. Larsen, MVP

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply

Greg Larsen SSC-Insane Points: 20961 More actions · Answer 1

This probably should read "Full Control to everyone" every place it says "Full Control".

Gregory Larsen, DBA

If you looking for SQL Server Examples check out my website at http://www.geocities.com/sqlserverexamples

Gregory A. Larsen, MVP

Andy Warren SSC Guru Points: 119902 More actions · Answer 2

We typically change the access to whatever account sql runs under plus domain admins, remove everyone. Nobody needs to be doing nothing on those drives!

Andy

http://www.sqlservercentral.com/columnists/awarren/

Andy
SQLAndy - My Blog!
Connect with me on LinkedIn
Follow me on Twitter

Scorpion_66 SSCertifiable Points: 7891 More actions · Answer 3

We reduce permissions on our Sql Server machines to admins only as a default. Of course, the SQL login and agent login is a local admin on the box, and its a dedicated server, so we do not have any issues with it.

Sometimes the backup admins bitch about not being able to get to some files, but they shouldn't be looking at our production boxes anyway, as our backups are written to network share to start with, and we image the box for a recovery prior to the lockdown in case of failure.

If your not gonna help, Please move to the side, because if your not helping the situation, your hurting it....

Greg Larsen SSC-Insane Points: 20961 More actions · Answer 4

Sounds like a reasonable thing. Seems like the SQL install could handle this, but does not. One more manual step when configuring a box I guess.

Gregory Larsen, DBA

If you looking for SQL Server Examples check out my website at http://www.geocities.com/sqlserverexamples

Gregory A. Larsen, MVP

Simon Sabin SSCrazy Eights Points: 8142 More actions · Answer 5

MS has some really good papers now on how to secure servers

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpent/bpentsec.asp

Simon Sabin

Co-author of SQL Server 2000 XML Distilled

http://www.amazon.co.uk/exec/obidos/ASIN/1904347088

Simon Sabin
SQL Server MVP

http://sqlblogcasts.com/blogs/simons