SCCM Security Config for SQL Servers
Ness
Hi All,

I prefer my systems to work on the least privilege wherever possible but I have an account connecting for SCCM and it has been put in an AD group that has sysadmin, and that makes me unhappy. I understand that this account has to connect and the reasoning but for some reason it creates two connections to every database on my server about every 5 mins. This worries me even more as the server in question has in excess of 1600 DBs on it (don't ask - an old design, which is too expensive to change) and that means it's hammering the connections + 3200 which will have an effect on the other connections and threading.

Does anyone know the required permissions for a SCCM SQL service account and what perms it needs at the db level (for monitored databases not SCCM itself)?

SQL DBA
Every day is a school day, and don't trust anyone who tells you any different.
http://sqlblogness.blogspot.co.uk
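A query to measure the connection pattern described in the post, as an added example that is not part of the original thread. It groups the current sessions of one login by database so you can see how many the monitoring account holds per database and when each last issued a request; the login name `CONTOSO\svc_sccm` is a placeholder. `sys.dm_exec_sessions.database_id` exists from SQL Server 2012 onward, and the query needs VIEW SERVER STATE to see sessions other than your own.

```sql
-- Added example (not from the thread). Replace CONTOSO\svc_sccm (placeholder)
-- with the login the SCCM service actually uses.
SELECT s.login_name,
       DB_NAME(s.database_id)          AS database_name,
       COUNT(*)                        AS session_count,
       MIN(s.login_time)               AS oldest_login,
       MAX(s.last_request_start_time)  AS most_recent_request,
       MAX(s.program_name)             AS program_name
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND s.login_name = N'CONTOSO\svc_sccm'
GROUP BY s.login_name, s.database_id
ORDER BY session_count DESC, database_name;

-- Total sessions for the login, to compare against the 2-per-database figure
-- described above (constructed expectation: roughly 2 x number of databases).
SELECT COUNT(*) AS total_sessions
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND s.login_name = N'CONTOSO\svc_sccm';
```

Run it a few times a few minutes apart: if `session_count` per database stays at two while `most_recent_request` advances, the sessions are being reused rather than re-created, which is a lighter load than a fresh login every cycle.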
Orlando Colamatteo
If all SCCM is doing is inspecting System Views, Catalog Views and DMOs then you may be able to go to something like this:

1. Create a Login for the SCCM service to use to login, or add the SCCM service account if that's how it authenticates to the DB instance (probably done already).
2. Create a User in every user database on the instance for that Login plus model (to support having a user in all new DBs) and leave the user in the public Database Role only, i.e. the user should not need any explicit permissions.
3. While in master grant VIEW SERVER STATE to the Login.
4. While in master grant VIEW ANY DEFINITION to the Login. The ANY is very important because it denotes a server-level permission that permeates all databases as well, as long as the login has a user in the database.

That will offer the SCCM Login the ability to view all server-level and database-level metadata. Any permissions required to allow the SCCM login to modify server or database level settings will require additional grants.

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
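The four steps above carried out as one T-SQL script, as an added example that is not part of the original reply. The login name `CONTOSO\svc_sccm` is a placeholder for the SCCM service account; the script creates the login if it is missing, grants the two server-level permissions in master, and loops over model plus every online, writable user database to add a public-only user mapped to that login. The verification queries at the end show what the login holds at server level so you can confirm nothing beyond these grants (and CONNECT SQL) is present; the account also has to be taken out of the AD group that carries sysadmin, because sysadmin membership bypasses all of this.

```sql
-- Added example (not from the thread). Assumes the SCCM service runs as the
-- Windows account CONTOSO\svc_sccm (placeholder); substitute your own.
USE master;
GO

-- Step 1: login for the SCCM service account (skipped if it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc_sccm')
    CREATE LOGIN [CONTOSO\svc_sccm] FROM WINDOWS;
GO

-- Steps 3 and 4: server-level permissions, granted while in master.
GRANT VIEW SERVER STATE   TO [CONTOSO\svc_sccm];
GRANT VIEW ANY DEFINITION TO [CONTOSO\svc_sccm];
GO

-- Step 2: a user mapped to the login in model (so new databases inherit it)
-- and in every existing online, writable user database. No role beyond public.
DECLARE @db  sysname,
        @sql nvarchar(max);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE name = N'model'
       OR (database_id > 4 AND state_desc = N'ONLINE' AND is_read_only = 0);

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch scopes the CREATE USER to that database.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF NOT EXISTS (SELECT 1 FROM sys.database_principals
                       WHERE name = N''CONTOSO\svc_sccm'')
            CREATE USER [CONTOSO\svc_sccm] FOR LOGIN [CONTOSO\svc_sccm];';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;
GO

-- Verify: expected rows are CONNECT SQL, VIEW SERVER STATE and
-- VIEW ANY DEFINITION, all with state_desc = GRANT.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.server_principals  AS pr
JOIN sys.server_permissions AS pe ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'CONTOSO\svc_sccm';

-- Verify: expected result is no rows (no fixed server role membership).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'CONTOSO\svc_sccm';
```

Read-only and offline databases are skipped by the cursor filter and will need the user added when they are writable again; on an instance with 1600 databases the loop takes a while, so run it in a maintenance window and re-run the monitoring tool afterwards to confirm it still gets everything it needs before the sysadmin membership is removed.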