April 2, 2007 at 9:50 am
I have been working on locking down my remote server(s). One of the items for lockdown was to remove public's access to registry procedures. For example,
REVOKE
execute on xp_instance_regread to public
On one of the remote servers, I granted securityadmin priviledges to one of the users. When that user tried to change the password on a generic account, we received the following error message:
The EXECUTE permission was denied on the object 'xp_instance_regread', database 'mssqlsystemresource', schema 'sys'. (Microsoft SQL Server, Error: 229)
Any ideas? Suggestions?
Argue your limitations and sure enough they will be yours (Richard Bach, Illusions)
Argue for your limitations, and sure enough they're yours (Richard Bach, Illusions)
July 3, 2007 at 1:47 am
that xp reads about the registry key details for sql server. May be the password change would have checked if the server has windows authentication or mixed mode in registry and would have failed as you have restricted the execute permission to that user.
Cheers,
Sugeshkumar Rajendran
SQL Server MVP
http://sugeshkr.blogspot.com
June 16, 2008 at 8:40 am
We revoke the execute on xp_regread as well for public. Now we have some users who are unable to register the server in SSMS and are getting the same errors.
How did you fix the problem, if at all?
TIA.
June 16, 2008 at 9:02 am
Likely the registry is being read to determine password policy settings from the operating system. The operating system reads them from the registry, so this is where SQL Server would read them as well.
K. Brian Kelley
@kbriankelley
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply