• chewychewy (12/13/2012)


    Hi patrick,

    Thanks for your kind advice. One question before I test it out tomorrow.

    If I do it this way, will the permissions (not inherited, granted explicitly) of the folders which are contained in the microsoft sql server folder be removed? Since all of them will inherit from the microsoft sql server folder's new permissions after tweaking.

    Any advice you get from the net should obviously be tested and it never hurts to get a second opinion or otherwise find a senior windows administrator who can help out. I nowadays let others admin the windows servers I do any work on. That said, I don't mind offering up what I know.

    To the best of my knowledge the folders contained WITHIN microsoft sql server folder will now inherit from the UPDATED permissions of the microsoft sql server that they are contained in.

    Btw, is it a good practice to remove the user group from the sql server folder? Thanks

    What I am thinking is to grant this folder the least permissions needed. My initial thought is that it should be ok to remove the users group, as they would hopefully just access SQL and let the server access the files using the account under which the SQL service is running. If the users group had permissions to the folder and also had any other access that enabled them to connect to the server, the SQL datafiles could possibly be read and copied for attachment elsewhere. Normally you do not allow users to connect to servers either by remote desktop or windows file sharing, but this might not be taken into consideration by the auditing.

    Do everything you can to test what you plan to do including doing the permissions changes on a test sql server and making sure things still work.

    Before removing or otherwise changing permissions, you should also document what permissions exist currently so that you can restore them later should you make a mistake or for whatever reasons the changes you attempted to make were not correct. Make sure you do not remove your own access obviously if you are really the one tasked with making changes. If I were in your position, I would test your changes on a developmental or express edition server that will better suit testing and try to then access that developmental or express edition SQL Server with an account that mirrors the permissions your users usually run under.

    Similar discussions:

    http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/67ea5e53-9d40-4a68-bd0e-f47c1d243d41

    http://www.mssqltips.com/sqlservertip/2768/protecting-the-sql-server-backup-folder/
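
Added example, not part of the thread above: one way to document the existing permissions before changing them, as the reply recommends. It saves a restorable ACL snapshot and a report that separates explicit entries from inherited ones. The folder path and the output directory are assumptions; adjust them to the server being audited.

```powershell
# Run in an elevated PowerShell session on a test server first.
# Assumption: default install location of the SQL Server folder.
$Root   = 'C:\Program Files\Microsoft SQL Server'
$OutDir = 'C:\AclBackup'                      # hypothetical output location
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Restorable snapshot of every ACL under the root.
#    /T recurses into subfolders, /C continues past access errors.
#    To roll back later, restore against the PARENT of $Root:
#      icacls (Split-Path $Root -Parent) /restore <saved file> /C
$AclFile = Join-Path $OutDir "sqlfolder-$Stamp.acl"
icacls $Root /save $AclFile /T /C | Out-Null

# 2. Human-readable report: one row per access control entry (ACE).
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force `
                 -ErrorAction SilentlyContinue)

$report = foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path               = $folder.FullName
            Identity           = $ace.IdentityReference.Value
            Rights             = $ace.FileSystemRights
            Type               = $ace.AccessControlType
            IsInherited        = $ace.IsInherited
            # True when the folder has inheritance from its parent disabled
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
}
$report | Export-Csv (Join-Path $OutDir "sqlfolder-$Stamp.csv") -NoTypeInformation

# 3. Entries granted explicitly on a folder (not inherited from the parent).
#    Record these before touching the parent's permissions.
$report | Where-Object { -not $_.IsInherited } |
    Sort-Object Path, Identity |
    Format-Table Path, Identity, Rights, Type -AutoSize

# 4. Every place the local Users group currently has access.
$report | Where-Object { $_.Identity -eq 'BUILTIN\Users' } |
    Format-Table Path, Rights, Type, IsInherited -AutoSize
```

Running the same script again after the change and comparing the two CSV files shows exactly which entries were added or removed.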