Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

remove users group from drive:\Program Files\Microsoft SQL Server folder Expand / Collapse
Author
Message
Posted Thursday, December 13, 2012 5:52 AM
SSC Journeyman

SSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC Journeyman

Group: General Forum Members
Last Login: 2 days ago @ 1:40 AM
Points: 94, Visits: 410
Hi Guys,

sql server 2008r2
windows 2008

Is it recommended to remove user groups from drive:\Program Files\Microsoft SQL Server folder and data folder?
It's flag out as one of our audit finding.

I tried removing it on my own test machine but it keep asking me to remove inheritance. Seems quite dangerous to me. Any kind soul can provide steps to remove it with affecting other existing permissions?

thanks!



Post #1396139
Posted Thursday, December 13, 2012 7:01 AM
SSC-Addicted

SSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-Addicted

Group: General Forum Members
Last Login: Wednesday, January 16, 2013 4:23 PM
Points: 415, Visits: 2,333
chewychewy (12/13/2012)
Hi Guys,

sql server 2008r2
windows 2008

Is it recommended to remove user groups from drive:\Program Files\Microsoft SQL Server folder and data folder?
It's flag out as one of our audit finding.

I tried removing it on my own test machine but it keep asking me to remove inheritance. Seems quite dangerous to me. Any kind soul can provide steps to remove it with affecting other existing permissions?

thanks!


If you're a bit unsure about this, theres no harm in asking a windows administrator for some assistance! They're supposed to know this I'm sure!

The message "remove inheritance" might be the one that is similar to windows 7 permissions warning I get, like "you must prevent this object from inheritting permissions". If there are not any specific permissions aplied to the "microsoft sql server" folder, it "inherits" the permissions from the folder "program files" that contains it (which could very well be inheritting permissions itself). If you need different permissions on the "microsoft sql server" folder, you then need to "prevent" the "microsoft sql server" folder from inheritting permissions. You can see the effects and mechanics of this by doing the operation on test folders and subfolders you create yourself, and highly recommended to be familiar with permissions on windows.

On windows 7, I right click folder, select properties -> security -> click advanced button -> click change permissions -> unclick "include inheritable permissions form this objects parent" -> this causes a windows security dialog box, I click "add" to "convert and add inhterited parrent permissions as explicit permissions on this object" (this way I know exactly what permissions were applying and can edit those instead of creating permissions from scratch) -> make my changes, ok it. The dialog might be somewhat different on a server depending on version, but essentially you're copying the existing permissions to explicit settings on the current folder then editting those. The folders contained within the current folder will then inherit the permissions you are changing as they will still have their permissions inheritted.
Post #1396172
Posted Thursday, December 13, 2012 8:44 AM
SSC Journeyman

SSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC Journeyman

Group: General Forum Members
Last Login: 2 days ago @ 1:40 AM
Points: 94, Visits: 410
Hi patrick,
Thanks for ur kind advise. One question before i test it out tml.
If i do it this way, will the permissions(not imherit, granted explicity) of the folders which are contained in microsoft sql server folder be removed? Since all of it will inherit from microsoft sql server new permissions after tweaking.

Btw is it a gd practise to remove user group from sql server folder? Thanks
Post #1396234
Posted Thursday, December 13, 2012 9:29 AM
SSC-Addicted

SSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-Addicted

Group: General Forum Members
Last Login: Wednesday, January 16, 2013 4:23 PM
Points: 415, Visits: 2,333
chewychewy (12/13/2012)
Hi patrick,
Thanks for ur kind advise. One question before i test it out tml.
If i do it this way, will the permissions(not imherit, granted explicity) of the folders which are contained in microsoft sql server folder be removed? Since all of it will inherit from microsoft sql server new permissions after tweaking.

Any advice you get from the net should obviously be tested and it never hurts to get a second opinion or otherwise find a senior windows administrator who can help out. I nowadays let others admin the windows servers I do any work on. That said, I don't mind offering up what I know.

To the best of my knowlege the folders contained WITHIN microsoft sql server folder will now inherit from the UPDATED permissions of the microsoft sql server that they are contained in.

Btw is it a gd practise to remove user group from sql server folder? Thanks

What I am thinking is to grant this folder the least permissions needed. My initial thought is that it should be ok to remove the users group, as they would hopefully just access SQL and let the server access the files using the account under which the SQL service is running. If the users group had permissions to the folder and also had any other access that enabled them to connect to the server, the SQL datafiles could possibly be read and copied for attachment elsewhere. Normally you do not allow users to connect to servers either by remote desktop or windows file sharing, but this might not be taken into consideration by the auditing.

Do everything you can to test what you plan to do including doing the permissions changes on a test sql server and making sure things still work.

Before removing or otherwise changing permissions, you should also document what permissions exist currently so that you can restore them later should you make a mistake or for whatever reasons the changes you attempted to make were not correct. Make sure you do not remove your own access obviously if you are really the one tasked with making changes. If I were in your position, I would test your changes on a developmental or express edition server that will better suit testing and try to then access that developmental or express edition SQL Server with an account that mirrors the permissions your users usually run under.

Similar discussions:

http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/67ea5e53-9d40-4a68-bd0e-f47c1d243d41

http://www.mssqltips.com/sqlservertip/2768/protecting-the-sql-server-backup-folder/
Post #1396253
Posted Sunday, December 16, 2012 4:52 AM
SSC Journeyman

SSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC Journeyman

Group: General Forum Members
Last Login: 2 days ago @ 1:40 AM
Points: 94, Visits: 410
thanks!

hi anyone here in the forum also remove users group as part of hardening?
thanks!
Post #1396982
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse