I created 2 local Windows accounts on my laptop; both accounts are in the Users group.
I installed SQL Server 2008 with the below startup accounts assigned:
- SQL_ENGINE - to start db engine
- SQL_AGENT - to start SQL Agent
As part of a hardening requirement, I removed the "Users group" permission from the Binn folder.
After removing it, I'm not able to start up the Agent - error 5: access is denied.
I have no problem starting up the SQL Engine, though.
From my investigation, the issue is due to "SqlServerSQLAgent$TOMMY$MSSQLSERVER2008" not having access to the Binn folder. It was working before hardening, as the Binn folder had the Users group permission and SQL_AGENT belongs to that group.
My question is, why doesn't SQL Server grant "SqlServerSQLAgent$TOMMY$MSSQLSERVER2008" access to the Binn folder by default? I thought it should do so by default? Only "SQLServerMSSQLUser$TOMMY$MSSQLSERVER2008" is granted access, so there is no issue with the DB Engine starting up after hardening.
D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER2008\MSSQL\Binn
Hope someone understands what I'm trying to explain.
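
An added example, not part of the original post: a PowerShell check that reports whether each of the two service groups named above has its own Read & Execute entry on the Binn folder, which is what matters once the Users group entry is removed. The path and group names are copied from the post; the function name `Test-ReadExecute` is hypothetical, and the commented `icacls` line is an assumed remediation, not something the post confirms.

```powershell
# Path and group names as given in the post; change them for another instance.
$binn   = 'D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER2008\MSSQL\Binn'
$groups = @(
    'SQLServerMSSQLUser$TOMMY$MSSQLSERVER2008',   # database engine service group
    'SqlServerSQLAgent$TOMMY$MSSQLSERVER2008'     # SQL Agent service group
)

# Hypothetical helper: does $Principal have a direct (or inherited) ACE on $Path
# that allows Read & Execute? Access gained through membership in another
# group (such as Users) is deliberately not counted.
function Test-ReadExecute {
    param([string]$Path, [string]$Principal)

    $need  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $rules = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        # IdentityReference looks like "MACHINE\name"; compare the name part only.
        ($_.IdentityReference.Value -split '\\')[-1] -eq $Principal
    }

    $allowed = $false
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny') {
            # Any deny that overlaps the needed rights overrides an allow.
            if (($r.FileSystemRights -band $need) -ne 0) { return $false }
        }
        elseif (($r.FileSystemRights -band $need) -eq $need) {
            $allowed = $true
        }
    }
    return $allowed
}

foreach ($g in $groups) {
    '{0,-45} ReadAndExecute={1}' -f $g, (Test-ReadExecute -Path $binn -Principal $g)
}

# Assumed remediation (not stated in the post): give the Agent group
# Read & Execute only, inherited by files and subfolders, instead of
# restoring the Users group entry.
# icacls $binn /grant 'SqlServerSQLAgent$TOMMY$MSSQLSERVER2008:(OI)(CI)RX'
```

Run it from an elevated prompt before and after the hardening change; a `False` for the Agent group after the Users entry is removed matches the error 5 described in the post.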