security issue with NT Authority\System and at command

  • Hello,

    We have a security question.  We removed Builtin\Administrators from our SQL 2000 Servers for security reasons.  The SQL Server services run as a domain user.  This domain user has sa access.   Because of a problem with full-text search, we had to add 'NT Authority\System' to SQL Server and grant it sysadmin role.  (see KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;317746)

    This prevented local Windows administrators from logging in to SQL Server.  BUT, we recently discovered that a local Administrator on the server CAN schedule a job with the 'at' command and run as the local system account.  The local system account has access to SQL Server and the sa role - we are assuming the local system account authenticates to SQL through NT Authority\System (???).

    Is there any way to prevent this, and still allow Search to continue to work?  This seems like a security hole since it allowed someone without SQL Server access the ability to run as 'sa'.

    Thanks for your help.
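The question above rests on one check: which logins actually hold the sysadmin role, and whether NT AUTHORITY\SYSTEM is among them, since anything running as LocalSystem (an at job, a service) connects as that login. The following T-SQL is an added example, not code from the thread or from Microsoft; it assumes the SQL Server 2000-era `master.dbo.syslogins` catalog (still present as a compatibility view on later versions) and adds a review note of my own for the built-in Windows accounts.

```sql
-- Added example (not from the thread): list every login holding the sysadmin
-- server role and flag the built-in Windows principals that let a local
-- Windows administrator reach sysadmin without a SQL login of their own.
-- master.dbo.syslogins exists on SQL Server 2000 and, as a compatibility
-- view, on later versions.
SELECT
    name,
    CASE isntname  WHEN 1 THEN 'Windows' ELSE 'SQL'  END AS login_type,
    CASE isntgroup WHEN 1 THEN 'group'   ELSE 'user' END AS principal_kind,
    hasaccess,
    denylogin,
    CASE
        WHEN name = N'NT AUTHORITY\SYSTEM'
            THEN 'LocalSystem: any process started as the system account (e.g. an at job) is sysadmin'
        WHEN name LIKE N'BUILTIN\%'
            THEN 'Local group: every member of the local group is sysadmin'
        ELSE ''
    END AS review_note
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY isntname DESC, name;

-- Built-in report of the same membership, available on SQL Server 2000 onward:
EXEC sp_helpsrvrolemember 'sysadmin';
```

Run this on the instance from the thread and you would expect to see the domain service account and NT AUTHORITY\SYSTEM in the result, with BUILTIN\Administrators absent; re-running it after any change to the Full-Text Search or Task Scheduler configuration shows whether the sysadmin surface actually shrank.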

  • Your answer is yes and no.

    Yes, at goes through NT Authority\System; you cannot remove at from that, I do believe, unless at is now tied to the Task Scheduler service (which I believe it now is). You thus could go into services and set Task Scheduler to be another account. But the point is to block anything but Full-Text Search.

    I would create a domain user account with Admin privileges and grant access to that account as system admin in SQL. Then change the SQL Full-Text Search service to run under that account. It should then have access just like under system. Try this on a test machine and see if it doesn't work.

  • Both Task Scheduler and the Microsoft Search service must be run under the System account. Task Scheduler will allow you to set a different service account and will even attempt to start. However, it'll throw an error indicating that it must run under System.

    Here is the KB article indicating Microsoft Search should run under the System account. It doesn't mention this, but Search can also AccVio if it's not running under System.

    FIX: Microsoft Search Service May Cause 100% CPU Usage if BUILTIN\Administrators Login Is Removed (295034)

    You can set the AT service account on the server.

    Local to the server (Terminal Server session okay):

    1) Go to %SYSTEMROOT%\Tasks

    2) Advanced | AT Service Account

    Of course, a Windows administrator can always set it back, but I believe that's something that could be audited.

    K. Brian Kelley
    @kbriankelley

  • Thanks for your replies.  We will look into changing the AT service account.

    One follow up question - is there any way to disable AT altogether?

  • Stop and disable the Task Scheduler service.

    K. Brian Kelley
    @kbriankelley
