November 13, 2008 at 7:53 am
I am working through our security policy for our SQL Service accounts.
Up to this point, I had pretty much ignored the local Windows groups that SQL 2005 sets up at install time for the different service accounts for SQL Server, SSIS, Full-Text, Agent... I was thinking of just using these groups so my service accounts have the permissions needed for each service, but then it dawned on me: what prevents one of my network admins from adding their login to one of these groups? They would then have sysadmin access to my SQL Server. This seems like a big security hole and a workaround for when you get rid of the BUILTIN\Administrators group.
This is suggested when reading through the best-practice papers from Microsoft, but I am very hesitant to use them. I am considering getting rid of these on all my servers and granting permissions to each of my service accounts directly.
Am I missing something as to why people think these are a good idea?
John
November 13, 2008 at 8:22 am
Can't get rid of 'em as SQL Server uses 'em. However, you're right that they do create a security issue. It's even worse when you have a cluster, because those are domain groups. SQL Server 2008 on Windows 2008/Vista solves the issue by using service isolation, so even with the groups, you still have to be the service to gain access.
However, if someone is a sysadmin over the server, you really can't stop them from gaining access. Technically, all they have to do is stop SQL Server, bring it up in single-user mode, and they're in as sysadmin. In that case SQL Server 2005/2008 will treat any member of the local Administrators group as a sysadmin fixed server role member. This is a fail-safe built in for the situation where someone has locked themselves out of SQL Server. So if you can't trust your admins, you're out of luck. What you can do is make sure that Account Management successes are audited, and track group membership changes on your SQL Server using your logging software.
K. Brian Kelley
@kbriankelley
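The two controls the thread lands on, checking who is actually in the SQL Server install-time local groups and watching the Security log for membership changes, as an added PowerShell example that is not part of either post. It assumes PowerShell 2.0 (for Get-EventLog -InstanceId/-After), that it is run elevated on the SQL Server host, that the groups follow the SQLServer2005* naming pattern, and that the allow-list of service accounts (the DOMAIN\svc-* names) is replaced with your own.

```powershell
# Added example, not from the thread. Assumptions: PowerShell 2.0, run elevated on
# the SQL Server host, local groups named SQLServer*; service account names below
# are placeholders.

# Accounts that are *supposed* to be in the SQL Server groups (placeholders).
$allowed = @(
    'DOMAIN\svc-sqlserver',
    'DOMAIN\svc-sqlagent',
    'DOMAIN\svc-ssis',
    'DOMAIN\svc-fulltext'
)

# --- 1. Enumerate the local SQLServer* groups and flag unexpected members ---
$computer  = [ADSI]"WinNT://$env:COMPUTERNAME"
$sqlGroups = $computer.Children |
    Where-Object { $_.SchemaClassName -eq 'Group' -and ([string]$_.Name) -like 'SQLServer*' }

$unexpected = @()
foreach ($group in $sqlGroups) {
    $groupName = [string]$group.Name
    # ADSI returns members as COM objects; pull each one's ADsPath (WinNT://DOMAIN/name)
    # and normalise it to DOMAIN\name so it can be compared with $allowed.
    $members = @($group.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    })

    Write-Host "$groupName : $($members -join ', ')"
    foreach ($m in $members) {
        if ($allowed -notcontains $m) {
            $unexpected += New-Object PSObject -Property @{ Group = $groupName; Member = $m }
        }
    }
}

if ($unexpected.Count -gt 0) {
    Write-Warning "Members not on the allow-list:"
    $unexpected | Format-Table Group, Member -AutoSize
}

# --- 2. Recent 'member added to security-enabled local group' audit events ---
# Requires Account Management success auditing to be enabled (Brian's advice).
# Event ID 4732 on Windows 2008/Vista, 636 on Windows 2003.
$since  = (Get-Date).AddDays(-7)
$events = Get-EventLog -LogName Security -InstanceId 4732, 636 -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SQLServer' }

if ($events) {
    Write-Host "Group membership changes touching SQLServer* groups since $since :"
    $events | Select-Object TimeGenerated, InstanceId, @{n='Message';e={ ($_.Message -split "`n")[0] }} |
        Format-Table -AutoSize
} else {
    Write-Host "No SQLServer* group membership additions logged since $since."
}
```

Run it from a scheduled task and ship the warnings to whatever log collector you use; the first half catches a change that already happened, the second half only works if Account Management success auditing is on. Note that the WinNT provider enumerates local groups only, so on a clustered install, where Brian points out the groups are domain groups, the membership check needs to be done against Active Directory instead.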