
SQL Server security thinking 2

Status
Not open for further replies.

masds

Technical User
Mar 3, 2005
100
CA

So many resources and articles talk about SQL Server security, as do the Microsoft training books. They all fail to give me a clear and manageable strategy to set up a secure SQL Server database; many concepts are fuzzy and are never clarified for me.

For example, the setup program will set appropriate security permissions for the install directory and registry after install, so that only local administrators and the SQL Server service account have read and write permission on the above. Then most articles recommend not using a local administrator as the SQL Server sysadmin, which means the SQL Server sysadmin doesn't have the above permission to the files and registry but the local administrators do. This makes no sense to me! This is just one example; I believe there are many.

Security seems an easy topic, but actually it's absolutely not! From my point of view, it's full of conflicting concepts that always confuse users.
 

Any security strategy may be arguable; I guess here I need successful DBA experience with setting up security policy. I'm tired of reading unlimited materials from the Internet and being unsure which one I should choose.
 
The reason that it is recommended to have your SQL Service account not be a local admin on the server is in case someone breaks into the SQL Server and gets access.

If the SQL Service has admin rights, this intruder can now create a new machine account on the server with admin rights, and basically take over the server. They would also be able to download and install any software they wanted to.

If the SQL Server doesn't have admin rights it is much harder for the intruder to do these things.

Denny
MCSA (2003) / MCDBA (SQL 2000)

--Anything is possible. All it takes is a little research. (Me)

[noevil]
(My very old site)
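
A defender's check for the recommendation in the reply above, as an added example that is not part of the original thread: it lists the SQL Server engine and Agent services, shows each logon account, and flags any that run as LocalSystem or sit directly in the local Administrators group. It assumes Windows PowerShell 5.1 or later run on the database server, and it checks direct membership only, not membership nested through domain groups.

```powershell
# Added example: report SQL Server services whose logon account has local admin rights.

# Built-in Administrators group, looked up by its well-known SID so the
# check also works on localized Windows where the group name differs.
$adminMembers = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

# Engine services are named MSSQLSERVER (default instance) or MSSQL$<instance>;
# SQL Server Agent is SQLSERVERAGENT or SQLAgent$<instance>.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match '^(MSSQLSERVER|MSSQL\$.+|SQLSERVERAGENT|SQLAgent\$.+)$' }

foreach ($svc in $services) {
    $account = $svc.StartName

    # Local accounts are stored as ".\user"; rewrite to "COMPUTER\user"
    # so the value can be compared with the group member names.
    $normalized = ($account -replace '^\.\\', "$env:COMPUTERNAME\").ToLowerInvariant()

    if ($account -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
        $finding = 'runs as LocalSystem (full control of the machine)'
    } elseif ($adminMembers -contains $normalized) {
        $finding = 'account is a direct member of local Administrators'
    } else {
        # Accounts written in user@domain form, or admin rights granted through
        # a domain group, are not detected here and need a manual look.
        $finding = 'not a direct member of local Administrators'
    }

    [pscustomobject]@{
        Service = $svc.Name
        Account = $account
        Finding = $finding
    }
}
```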
 

Thanks denny, is it necessary to allow the SQL Server service to access the SQL Server installed files and registry? Why?
 
If the SQL Server service doesn't have access to the files then it can't use the files to start the SQL Server service, or access the data files, or log files, etc.

The SQL Server service is a user account, just like any other user account. If the account doesn't have rights to something then it won't be able to use the files.

Denny
MCSA (2003) / MCDBA (SQL 2000)

 

Thanks denny!

Another security related question:
I know I can turn on auditing in the security tab of the server in Enterprise Manager. I guess it will trace all the unsuccessful logins to the SQL Server, so I want to know where it puts the auditing reports. Is there actually a report somewhere?
 

I just wrote a FAQ on this; please look at it and feel free to comment here.
 

Thanks mjia, it's a good article.
 