MBSA and SQL Server 2005 groups

  • After running MBSA 2.1, the results show Administrative vulnerabilities:

    "Folder Permissions

    Permissions on the SQL Server and/or MSDE installation folders are not set properly."

    This applies to the SQLServer2005MSSQLUser$ group and several folders including the data folder.

    The only group member is the service account running the SQL Server service.

    To correct this issue I have to assign permissions directly to the service account and not to the group (done by the install process).

    Why is the install process creating an ACL based on the SQL Server groups and is the MBSA checking on the accounts?

    Is it a best practice to change the ACLs after an install and replace the groups with accounts?

    thanks,

    Robbert Hof

  • You should never assign privileges / rights / permissions to an individual account. You assign privileges / rights / permissions to roles which groups / teams and individuals fulfil.

    The way I've always managed SQL Server (2005) security is to create an AD (local domain scope) group that contains the relevant service accounts and then place those groups in the local (machine) groups. I also use the AD groups to grant privileges via Group Policy. For NTFS DACLs, I create Read-Only and Write groups, apply the NTFS permissions to those groups with the relevant membership (sql server service account groups + any sql admins).

    --
    Andrew Hatfield
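    As an added example (not code posted in this thread), an audit script that lists every ACE on the SQL Server folders together with whether it was granted to a user or to a group, which is the distinction the question and this reply turn on. It assumes Windows PowerShell 5.1 on the SQL host; the paths in $SqlFolders are placeholders to be replaced with the instance's own Binn and Data folders.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 on the SQL host;
# the folder paths are placeholders for the instance's Binn and Data directories.
$SqlFolders = @(
    'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn',
    'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data'
)

# Classify an ACE identity as user or group by its SID type (SID_NAME_USE values:
# 1 = user, 2 = domain group, 4 = local group/alias, 5 = well-known group).
function Get-PrincipalKind {
    param([string]$Identity)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
                   [System.Security.Principal.SecurityIdentifier])
    } catch { return 'unresolved' }
    $acct = Get-CimInstance Win32_Account -Filter "SID='$($sid.Value)'" -ErrorAction SilentlyContinue
    switch ($acct.SIDType) {
        1                { 'user' }
        { $_ -in 2,4,5 } { 'group' }
        default          { 'unknown' }
    }
}

# One row per ACE: who holds it, whether that is a user or a group, the members when it
# is a local group (e.g. SQLServer2005MSSQLUser$...), and the rights granted. An entry
# with Kind = group is exactly what MBSA reports as a folder-permission finding.
$report = foreach ($folder in $SqlFolders) {
    if (-not (Test-Path $folder)) { Write-Warning "missing: $folder"; continue }
    foreach ($ace in (Get-Acl -Path $folder).Access) {
        $id   = $ace.IdentityReference.Value
        $kind = Get-PrincipalKind $id
        $members = ''
        if ($kind -eq 'group' -and $id -like "$env:COMPUTERNAME\*") {
            $members = (Get-LocalGroupMember -Group $id.Split('\')[1] -ErrorAction SilentlyContinue |
                        ForEach-Object Name) -join ', '
        }
        [pscustomobject]@{
            Folder    = $folder
            Identity  = $id
            Kind      = $kind
            Members   = $members
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}
$report | Format-Table -AutoSize
```

    Comparing the Members column against the group-nesting scheme described above shows whether the effective grant still reaches only the intended service accounts, regardless of how MBSA scores the entry.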

  • I think this might be a generic error in that having a single member as part of the group. There might be a setting that wants to have more than one member of the group.

    I'd add another account, re-run this, and see if this goes away.

    And let us know 🙂

  • Adding an extra user to the group did not help.

    (I added the local administrator).

    The same behaviour when adding another group containing the same user.

    MBSA only allows permissions set to an account, not to a group.

    Too bad, I want to use this tool to investigate the security settings of a server before it goes live.

  • Hi, could you please be more specific on the steps you take to set it up correctly? To be honest, I'm a bit lost in the description of the tasks you do. Thanks and have a nice day.

    Sincerely

    Jaroslav Novotny

  • To be honest, I'm not a big fan of MBSA. I use it to check patch levels and do password checks, but when it comes to SQL Server, I don't rely on it at all, especially when it comes to permissions. I'd rely on the permissions that were set by the installer with respect to SQL Server 2005/2008.

    K. Brian Kelley
    @kbriankelley

  • Hi Brian, I have gone through one of your articles where you have done a great job in explaining the user accounts. Related to that and knowing that you are not a big fan of MBSA (neither am I but still need to answer to folks here...:-(), do you know the exact role BUILTIN\Users group plays in SQL Server 2008? I have noticed that removing this group from the BINN folder ACL causes the SQL Server 2008 services to not start after a reboot. Specifically the SQL Agent service. I am still doing some digging into this but would like to know if you have come across a similar behavior.

    Thanks much

    Shishir
