Registry Permissions

  • Hi,

    Can those of you who change permissions on your MS SQL Server registry hives, give me an idea of what you do to secure the keys while still allowing the server to do what it needs to do?

    I garnered this bit of info from the Microsoft's SQL Server configurations on OpenHack (eweek.com). But I wonder if anyone does this in real production systems.

    • Change permissions on HKLM\Software\Microsoft\MSSQLServer to Admins:F, System:F, Creator/Owner:F, SQLServiceAccount:R. Propagate this all the way down
    • Change permissions on HKLM\Sofware\Microsoft\MSSQLServer\MSSQLServer (no propagation) to Administrators:F, System:F, Creator/Owner:F, SQLServiceAccount:F. (To prevent SQL Server from being unable to bind to any network interfaces)

    Thanks for any feedback!!

    Enrique.

  • OpenHack 4's configuration is an extreme, but very effective solution. However, I don't know if it is considered "supported."

    A good resource, though, which includes Registry security, is Microsoft SQL Server 2000 Security white paper by Ben Thomas and Richard Waymire. Page 54 has the information on securing the registry:

    http://www.microsoft.com/sql/techinfo/administration/2000/security/securityWP.asp

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • Brian, I've read that document, but missed those points about registry security. Thank you.

  • It's hidden well, isn't it? I missed it initially, too.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply