June 11, 2011 at 10:32 am
Hi All,
I have two questions on the below two users. I would like to know their importance and when they will be used.
When is the user 'NT AUTHORITY\ANONYMOUS LOGON' used?
What is the significance of this user? What is the significance of the $ account? What is this account? When does it get created?
How do these accounts play a role in SQL Server?
Thanks in advance.
June 13, 2011 at 4:09 am
This account is powerful and has the highest level of privileges on the local system. If you have revoked the Built-In\Administrator sysadmin rights then you have to give these rights to this account; by default it has sysadmin rights. This account is used by third-party backup applications like Symantec NetBackup, EMC Networker etc.
This account is used for the SQL Writer (Volume Shadow Copy Service, VSS).
This account is by default in the Administrators group of the local system.
This account is also used by IIS (application server).
The dollar sign ($) is the computer account; it is used to allow access to SQL across the network.
Regards,
Syed Jahanzaib Bin Hassan
BSCS | MCTS | MCITP | OCA | OCP | OCE | SCJP | IBMCDBA
My Blog
www.aureus-salah.com
June 13, 2011 at 4:20 am
The NT AUTHORITY\ANONYMOUS LOGON should not be confused with NT AUTHORITY\SYSTEM.
NT AUTHORITY\SYSTEM represents the system of the host machine and is the one that typically has sysadmin rights in SQL and is used by local services (ones that run as NT AUTHORITY\SYSTEM or LocalSystem). It has only permission on the local machine and no permission anywhere else on the network.
NT AUTHORITY\ANONYMOUS LOGON represents the unknown user, the anonymous user, someone the server knows nothing about. It typically is not a login in SQL and should not ever be a login in SQL. It does not automatically have sysadmin (because you know nothing about who that is, it should NEVER have high permissions).
'NT AUTHORITY\ANONYMOUS LOGON' basically means that a Windows authentication connection was made but that no account was specified. This typically happens in two cases.
1) A service that runs as NT AUTHORITY\SYSTEM on Server1 tries to connect to Server2. Because NT AUTHORITY\SYSTEM has no permissions elsewhere on the network, the connection comes in to Server2 as NT AUTHORITY\ANONYMOUS LOGON.
2) The Kerberos double-hop where account delegation has not been granted (google Kerberos double-hop, there's a lot of information available on it and the solutions)
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
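The two checks implied by Gail's post (that ANONYMOUS LOGON is not a login, and which Windows principals hold sysadmin) can be run as a short T-SQL audit. This is an added example, not code from the thread or from any of its posters; it assumes SQL Server 2005 or later, where the sys.server_principals and sys.server_role_members catalog views exist.

```sql
-- Added example: audit the two built-in principals discussed in the thread.

-- 1. NT AUTHORITY\ANONYMOUS LOGON should not exist as a login at all.
--    Expected result: zero rows. Any row returned is a finding to review.
SELECT p.name, p.type_desc, p.is_disabled, p.create_date
FROM sys.server_principals AS p
WHERE p.name = N'NT AUTHORITY\ANONYMOUS LOGON';

-- 2. List every member of the sysadmin fixed server role, so you can see
--    whether NT AUTHORITY\SYSTEM (or any other machine/service account) is in it.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Direct check for the one login the thread is about.
--    1 = member of sysadmin, 0 = not a member, NULL = login does not exist.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'NT AUTHORITY\SYSTEM') AS system_is_sysadmin;
```

Query 3 returning 1 is the default described in the earlier reply; whether that is acceptable depends on which local services actually need to reach the instance, which is the least-privilege question raised later in the thread.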
June 13, 2011 at 5:40 am
Thank you very much.
June 13, 2011 at 5:45 am
Couple other points.
Services (like IIS) shouldn't use NT AUTHORITY\SYSTEM (localsystem) as that means they only have permission locally. It's probably a default installation setting, but it's a bad one. A properly created and configured domain account should be used.
The computer accounts (<Domain>\Server1$) have no permissions elsewhere on the network unless explicitly granted. They shouldn't be used much, if at all; again, properly configured domain accounts should be used.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
June 13, 2011 at 7:52 am
GilaMonster (6/13/2011)
Couple other points. Services (like IIS) shouldn't use NT AUTHORITY\SYSTEM (localsystem) as that means they only have permission locally. It's probably a default installation setting, but it's a bad one. A properly created and configured domain account should be used.
The computer accounts (<Domain>\Server1$) have no permissions elsewhere on the network unless explicitly granted. They shouldn't be used much, if at all; again, properly configured domain accounts should be used.
IIS can, so long as the app pool identity or the application context, if specified in web.config, is something else. Its usual default is Network Service, which maps as Domain\ComputerName$ when it leaves the computer.
The only permissions the computer accounts have by default are the ability to change their password in Active Directory and to set their own service principal names (like HOST/computername).
But, generally speaking and as Gail pointed out earlier in this thread, if you can make it run without using System, you should. System has greater than administrator rights, some implicitly on the operating system. So if you're following the Principle of Least Privilege, system is overkill in most cases.
K. Brian Kelley
@kbriankelley
June 13, 2011 at 7:54 am
GilaMonster (6/13/2011)
The NT AUTHORITY\ANONYMOUS LOGON should not be confused with NT AUTHORITY\SYSTEM. NT AUTHORITY\SYSTEM represents the system of the host machine and is the one that typically has sysadmin rights in SQL and is used by local services (ones that run as NT AUTHORITY\SYSTEM or LocalSystem). It has only permission on the local machine and no permission anywhere else on the network.
NT AUTHORITY\ANONYMOUS LOGON represents the unknown user, the anonymous user, someone the server knows nothing about. It typically is not a login in SQL and should not ever be a login in SQL. It does not automatically have sysadmin (because you know nothing about who that is, it should NEVER have high permissions).
'NT AUTHORITY\ANONYMOUS LOGON' basically means that a Windows authentication connection was made but that no account was specified. This typically happens in two cases.
1) A service that runs as NT AUTHORITY\SYSTEM on Server1 tries to connect to Server2. Because NT AUTHORITY\SYSTEM has no permissions elsewhere on the network, the connection comes in to Server2 as NT AUTHORITY\ANONYMOUS LOGON.
2) The Kerberos double-hop where account delegation has not been granted (google Kerberos double-hop, there's a lot of information available on it and the solutions)
You will also see NT Authority\Anonymous Logon when a Windows (trusted) connection is attempted from an untrusted computer, for instance a computer that's not on the domain or a trusted domain. Another case is if the process trying to connect to SQL Server is connecting from another system and is using an account local to that system (not just System) that doesn't have special rights to appear as a different account when leaving the system (as Network Service does when it connects to a networked resource).
K. Brian Kelley
@kbriankelley
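When an anonymous connection does show up, the thread's causes (a caller running as SYSTEM or a local account on another host, an untrusted machine, or a Kerberos double hop without delegation) can be told apart by looking at where the session came from and how it authenticated. The query below is an added example, not code from Gail or Brian; it assumes SQL Server 2005 or later (sys.dm_exec_sessions and sys.dm_exec_connections) and the VIEW SERVER STATE permission.

```sql
-- Added example: inspect live sessions for anonymous Windows logins and their auth scheme.
--   auth_scheme = 'NTLM' with a remote host_name  -> the caller's identity was dropped at the
--                                                    network boundary (SYSTEM / local account /
--                                                    untrusted machine); fix the caller's service account.
--   auth_scheme = 'KERBEROS' yet login is anonymous -> classic double hop; the middle tier was not
--                                                    allowed to delegate the user's credentials.
SELECT s.session_id,
       s.login_name,
       s.nt_domain,
       s.nt_user_name,
       s.host_name,              -- client machine the session originated from
       s.program_name,
       c.auth_scheme,            -- 'KERBEROS', 'NTLM' or 'SQL'
       c.net_transport,
       c.client_net_address,
       CASE WHEN s.login_name = N'NT AUTHORITY\ANONYMOUS LOGON'
            THEN N'anonymous: check caller service account / delegation'
            ELSE N'' END AS note
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_name, s.session_id;
```

Because, as the thread says, ANONYMOUS LOGON should never be a login, such connections normally fail and will not appear here; in that case the failed-login messages in the SQL Server error log carry the same client address, which identifies the calling host to fix.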
June 13, 2011 at 8:07 am
Thanks Brian.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability