SQLServer And SQL ServerAgent Account Privileges

Jun 15, 2007

After installing SQL Server 2005, a security scan was performed on the SQL server. Below are a few items that the scan identified within the Windows User Rights Assignment as potential vulnerabilities; it is worthy to note in Microsoft's defense that we lock things down pretty tightly in our IT shop. I suspect the SQL Server install assigns these OS privileges to the SQLServer and SQLServerAgent accounts by default. I have not heard of the 1st, 3rd and 4th below and suspect that they are not essential to the normal operation of SQL Server, but would like to know if anyone out there knows for sure. We are considering eliminating some or all of these privileges for the SQLServer and SQLServerAgent system accounts at the OS level.



1) SQLServer and SQLServerAgent accounts have "Bypass Traverse Setting" privilege within Windows User Rights Assignment

2) SQLServer and SQLServerAgent accounts have "Log on as Batch Job" privilege within Windows User Rights Assignment. I realize I need this to schedule SQL Server jobs which run batch jobs and such, but any other reason to keep this privilege.

3) SQLServer and SQLServerAgent accounts have "Memory Quota" privilege within Windows User Rights Assignment

4) SQLServer and SQLServerAgent accounts have "Replace Process Token" privilege within Windows User Rights Assignment



Any guidance on this would be greatly appreciated.



Regards,



Jason


SQLServer And SQLServerAgent Account Privileges

Jun 13, 2007

I recently installed SQL Server 2005 and setup a database for one of the systems that I support as a DBA. After installation and the system, which has remote developers, was tested successfully, our security group performed a security scan on the SQL server. The scan revealed a few potential vulnerabilities. Below are the questionable items that the scan identified within the Windows User Rights Assignment. I believe the SQL Server installation assigns these system privileges to the SQLServer and SQLServerAgent accounts by default. I'd like to know how many, if any of these privileges, are necessary.



1) SQLServer and SQLServerAgent accounts have "Bypass Traverse Setting" privilege within Windows User Rights Assignment

2) SQLServer and SQLServerAgent accounts have "Log on as Batch Job" privilege within Windows User Rights Assignment. I realize I need this to schedule SQL Server jobs which run batch jobs and such, but any other reason to keep this privilege.

3) SQLServer and SQLServerAgent accounts have "Memory Quota" privilege within Windows User Rights Assignment

4) SQLServer and SQLServerAgent accounts have "Replace Process Token" privilege within Windows User Rights Assignment



Any guidance on this would be greatly appreciated.



Thanks in advance,



Jason Malasovich

SQL Server DBA


SQL Server Agent - Account Privileges.

Aug 28, 2007

Hi all,

Please let me know what specific privileges a user account needs to be used as the LOG ON AS account for SQL Server Agent in SQL Server 2005.

Does the account need to be in the domain administrator group?

Thanks,

Hariarul


Setup And Upgrade :: Error Setup Account Privileges

Nov 15, 2015

I'm trying to install SQL Server Management Studio 2012 on my Windows 7 (x64) standalone laptop. When I click "New SQL stand-alone installation..." it runs a Setup Support Rules check and always fails "Setup Account Privileges". I've looked into the error and I keep getting that I need to change security rules but I don't have that option in Windows 7. How do I get around this without having to resort to a computer running Windows Server?

I have Visual Studio 2013 premium installed along with Localdb v11.  I just want to connect and manage my database engine through SSMS when developing any application.


Can't Get In To SQLServer 2005 Express With A Privileged Account

Aug 10, 2006



Bummer. I can't remember the SA password. I had setup a user account, but I can't change anything or add any new accounts using this login. I can't get in using the windows authentication method no matter how I am logged into this machine.

Any suggestions? I have never been able to use Windows Authentication. There must be something I'm missing here. I have spent hours and hours trying to get into this machine. I just want to replicate a database. This is very frustrating.



Thanks guys.


How To Use Sqlcmd Command To Login To Sqlserver With Sa Account Which Have Empty Password

Oct 11, 2007

the password of sa account is empty

I use "sqlcmd -S servername -U sa " command but failed

any suggestions?

thanks


Account Permission For Installing/running Sqlserver And Service That Accesses It

Nov 15, 2007

Hello,

I am totally confused by what account I should be running my sql server database and my business layer service as.

I take it that when installing sqlserver and my service that I should be logged in as administrator.

Should I be using "Local Service", "Local System" or "Network Service" to run these processes as?

Summary of my business layer service
* Clients connect to this service on a tcp/ip port
* It accesses the file system
* it connects to the database

Thanks,
JP


Whether To Use Local System Account Or Domain Account For Service Account

Jan 5, 2006

During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services. I lean toward domain for obvious reasons but would like to know a +/- to each option and why I'd choose one over the other and what consequences or limitations one may encounter if I choose one over the other.


SQL Serveragent - Urgent

Jul 31, 2000

I am trying to start SQL server agent but it gives the following error.


SERVICE CONTROL FAILURE

An error - 5 (Access is denied) occured while performing this service operation on SQLserveragent service.


Can anyone let me know what is the problem and how it could be solved.

Any help would be appreciated.

Thanks,
Kris.


Help With ServerAgent Job Syntax

Apr 11, 2007

Hi,

Hopefully someone can help me. I'm having difficulty with the syntax to delete a record from 4 joined tables when creating a job.

I have an 'Applicants' table linked to four other tables 'Courses', 'EmploymentHistory', 'Qualifications', and 'References' using the field 'ApplicantID'.

I want to create a job to delete all the records where the Finalised field = '0' and the record was created more than 3 days ago.

The syntax I have been using on just one of the joined tables to start with doesn't delete from the joined table:

USE OnlineApplications
DELETE Applicants FROM Applicants
INNER JOIN Courses
ON Applicants.ApplicantID = Courses.ApplicantID
WHERE Finalised = 0 AND Created < DATEADD(d, 3, Created)

How can I delete the records from the other four tables?

Thanks


Can't Start SQL ServerAgent

May 13, 2006

I installed SQL2005 (first time). I have a couple of problems that perplex me.

I can connect to my instance when starting up SQL Management Studio no problem. After connecting, I can manually backup and restore DBs, no problem.

However, when I attempt to start SQL Server Agent, I get the following message:

Unable to start service SQLAgent$GREATPLAINSV80 on server USIND-BAT3835N1.

===================================

The SQLAgent$GREATPLAINSV80 service on USIND-BAT3835N1 started and then stopped. (ObjectExplorer)

------------------------------
Program Location:

at Microsoft.SqlServer.Management.UI.VSIntegration.ObjectExplorer.Service.Start()

The error log is as follows:

Date,Source,Severity,Message
05/13/2006 12:08:57,,Information,[098] SQLServerAgent terminated (normally)
05/13/2006 12:08:56,,Error,[382] Logon to server 'USIND-BAT3835N1GREATPLAINSV80' failed (DisableAgentXPs)
05/13/2006 12:08:56,,Error,[298] SQLServer Error: 772<c/> Cannot generate SSPI context [SQLSTATE HY000]
05/13/2006 12:08:56,,Error,[298] SQLServer Error: 772<c/> SQL Network Interfaces: The Local Security Authority cannot be contacted [SQLSTATE HY000]
05/13/2006 12:08:56,,Error,[000] Unable to connect to server 'USIND-BAT3835N1GREATPLAINSV80'; SQLServerAgent cannot start
05/13/2006 12:08:56,,Error,[298] SQLServer Error: 772<c/> Cannot generate SSPI context [SQLSTATE HY000]
05/13/2006 12:08:56,,Error,[298] SQLServer Error: 772<c/> SQL Network Interfaces: The Local Security Authority cannot be contacted [SQLSTATE HY000]

I researched using Microsoft SQL Home knowledge base for error 772, cannot generate SSPI context and [SQLSTATE HY000] and didn't find anything that seems to apply.

Why can I connect to the database engine but not start SQL ServerAgent?


SQL ServerAgent Performance Degradation

Dec 22, 1999

I have found a huge performance degradation running something thru a Job on the server and running it through ISQL.

I have a sp that runs in about 24 min thru ISQL, but when I fire it off thru a job at night using the Agent, it takes roughly 4.5 hours... Way slow...

Any thoughts?


Calling A SSIS Package Via SQL ServerAgent

Sep 30, 2006

Hi,

I was looking at a previous thread on this very question and the answers given to it. I tried an SSIS package that works fine on its own, but on creating a new job and invoking it, the JOB fails; it says it's not able to locate the file specified.

I tried copying the package to the server machine where I am creating the job, but again the same error; and when I try to alter the protection level of the SSIS package to Server Storage it's throwing an error like '' This protection level cant be applied to this destination,The system can't verify that the destination supports storage capacity. this error occurs when saving to XML."

I am using OLE DB Destination in the dataflow task of the SSIS package I've created. Please guide me on where I am going wrong. Some detailed steps with screenshots depicting the step-by-step procedure of creating a JOB that calls an SSIS package will be highly helpful.

Thanks in Advance,


Step SQL Server Integration Services Package Error In SQL ServerAgent

Dec 17, 2007

I have built a SSIS package which runs fine in BIDS. I went into SqlServer Management Studio and created a new job and job step. When I select the SQL Server Integration Services Package, I get the below error. There are no options on selecting a SSIS package.

I searched this error for about 5 hours yesterday and the only solution I could find was a user who rebooted their server which fixed this problem. I did restart the server, which did not fix the problem.

Can anyone help provide more information on this problem and the solution to it? Thank you, Jason.

The specified module could not be found. (Exception from HRESULT: 0x8007007E) (SqlManagerUI)

------------------------------
Program Location:

at Microsoft.SqlServer.Management.SqlManagerUI.DTSJobSubSystemDefinition.Microsoft.SqlServer.Management.SqlManagerUI.IJobStepPropertiesControl.Load(JobStepData data)
at Microsoft.SqlServer.Management.SqlManagerUI.JobStepProperties.UpdateJobStep()
at Microsoft.SqlServer.Management.SqlManagerUI.JobStepProperties.typeList_SelectedIndexChanged(Object sender, EventArgs e)
at System.Windows.Forms.ComboBox.OnSelectedIndexChanged(EventArgs e)
at System.Windows.Forms.ComboBox.WmReflectCommand(Message& m)
at System.Windows.Forms.ComboBox.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


SA Account (DBA System Account) Granting Privileges But SQL Server 2000 Not Applying Them

Dec 4, 2006

I have been running a script in SQL Server 2000 as sa and also as an Active Directory user who has administrator rights (I tested both approaches, SQL Server then Windows Authentication) in Query Analyser which grants execute rights to the stored procedures within the database instance, and Query Analyser does not give any errors when I run the script. I have made sure that each transaction has a go after it. I then return to Enterprise Manager, check the rights (I apply them to roles so that when we create another SQL Server user we just grant him/her rights to the role) and discover that the role has not been granted the rights. It seems to be occurring only with 2 of the procedures. Is there a known bug that might be causing this?

yours sincerely

Craig Hoy


DTS Fails As A Job With Service Startup Account As "System Account"

May 9, 2002

I have several DTS jobs that run well as a job with my NT login account for the SQL agent service startup account, but if I use the System account they fail with this error.
" Error opening datafile: Access is denied. Error source: Microsoft Data Transformation Services Flat File Rowset Provider"

The data has change access to the System account under the NT security.

Thank you in advance.

Jorge


Xp_cmdshell Does Not Execute For Non-sysadmin Account Even With Proxy Account

Mar 2, 2004

Hi all, I hope you can help me.

Basically a DTS package has been set up that pulls in data from another company's server; this data is required to be on-demand, i.e. individual users can pull in updates of the data when they require it.

I am using xp_cmdshell and dtsrun to pull in the data. This obviously works fine for me as I am a member of sysadmin.

Books online quotes " SQL Server Agent proxy accounts allow SQL Server users who do not belong to the sysadmin fixed server role to execute xp_cmdshell"

So I went to the SQL Server Agent Properties 'Job System' tab and unchecked 'Non-sysadmin job step proxy account' and entered a proxy account.

The proxy account has been set up as a Windows user with local administrator privileges and even a member of the sysadmin server role - just in case.

Now when I log onto the db with my test account - a non-sysadmin - and attempt to run the stored proc to import the data I received the message 'EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo' '

hmm... so basically I have either misunderstood BoL or there is something not quite right in my setup.

I have searched the net for a few days now and yet I can find no solution.

Can anyone help?


Domain Account Vs Local Account For SQLServerAgent

Jul 20, 2005

Hi there,

BOL notes that in order for replication agents to run properly, the SQLServerAgent must run as a domain account which has privileges to log into the other machines involved in replication (under "Security Considerations" and elsewhere). This makes sense; however, I was wondering if there were any repercussions to using duplicate local accounts to establish replication where a domain was not available.

In other words, create a local Windows account "johndoe" on both machines (with the same password), grant that account access to SQL Server on both machines, and then have SQL Server Agent run as "johndoe" on both machines. I do not feel this is an ideal solution but I have circumstances under which I may not have a domain available; my preliminary tests seem to work.

Also, are there any similar considerations regarding the MSSQLSERVER service, or can I always leave that as local system?

Dave


Domain Account Without A SQL Login Account

Apr 25, 2007

I have a situation that I have discovered in our QA database that I need to resolve. When I looked at the Activity Monitor for our server, I discovered that a process is running under a domain user account for one of our .Net applications. The problem is that that domain user account has not been created as a SQL login account on the server. I am trying to figure out how someone can log in to the database server with a domain user account that has not been added to SQL Server as a login account.



Does anyone have any insight on this? I don't like the idea of someone being able to create domain account that can access the database without me granting them specific access.



- Larry


Sa Privileges.

Nov 28, 2004

Hi,
in mixed mode,
is there a way to prevent access from user SA to a specific database?

thanks


DBO Privileges

May 29, 2004

I have just noticed something very discomforting.

I was told that a user with DBO privileges is able to alter their own database. A conversation of course began to where I was in disagreement with him. The ultimate test of course would be to set up the scenario. To my surprise he was right!

I checked the BOL documentation and my concerns were verified.

I have checked permissions on the user I created as well as on a user that previously exists on the MSSQL Server. Only DBO permissions were given to the tested users.

I thought maybe this had something to do with the autogrow setting which is a setting we would enable on a dedicated MSSQL Server but not on a shared MSSQL Server. I toggled this option and the DBO was still able to make size changes to their database.

This is very upsetting as we charge for additional reserved database space. Aside from that, we wouldn't want to have a user with unlimited resources to the server. I could easily fill up a hard drive if I were to update the autogrow setting of the database as DBO and run an infinite loop that would insert data into tables.

I then tested the ability for a user to restore a backup and to my surprise it worked without error for the DBO only privileged user. The DBO user was also able to restore previously dated databases assuming that they knew the file name which would not be hard to guess since it is appended with a date stamp (My_Database_20042905.BAK).

Why is this? Is there a way to correct this and prevent the DBO user to only have access to their database but not the above mentioned type privileges?


User Privileges Ms Sql

Feb 21, 2008

 Basically to defend against SQL injection I want to be able to stop basic users or admins from being able to drop tables or doing other damaging activities. I'm using ms sql express, how can I do this? A friend mentioned that he uses MySql and user privileges can be set up in this way.


Table Privileges

Jun 26, 2001

Is there a way to alias a table such that a particular user with privileges on that table (created by another user - not 'dbo') does not have to qualify it with the owner name? I am seeking a database level solution. Thanks.


Privileges Problem

Sep 3, 1998

I'm having a privileges problem when I go into Enterprise Manager. I am unable to do things like create an index. I believe every time I open Enterprise Manager it is logging me in as a user other than sa. How can I change this setting so that when I open Enterprise Manager I'm logged in as sa?


Execute Privileges On Sp

Jan 12, 2006

Hi. I'm trying to test something on a test db I have installed on my pc, but I am unable to process as I'm doing it. So, basically what I want is to give execute privilege on a procedure to a user, so the user can execute this procedure without having the privileges explicitly granted on it (what this procedure does is to truncate a table on which the user has no access). As I've read, SQL Server stored procedures privileges run with the definer's permissions, not the one that is actually executing the procedure. So, what I'm doing is this: in query analyzer, logged in as sa, I did

use test
go

create table t ( a integer )
go

create procedure can_truncate as
truncate table t
go

exec sp_addlogin 'jmartinez',''

exec sp_grantdbaccess 'jmartinez','jmartinez'

grant execute on can_truncate to jmartinez

Then I went to connect again, as jmartinez and did:

exec can_truncate

and I get

Server: Msg 3704, Level 16, State 1, Procedure can_truncate, Line 2
User does not have permission to perform this operation on table 't'.

So, I wonder what more permissions would user jmartinez need in order to execute this procedure successfully. I hope you all understand what I am trying to achieve.

Thanks!


Which Of The Two Or More Users' Privileges?

Feb 5, 2007

I am very new to the SQL database. I have the following query. I would appreciate if someone could clarify this for me:

I have created two users (user1 & user2) under the same login name test1 in SQL Server 2005 Database. Further I used the login name (test1) & password (******) of SQL Server in connection string to connect to database.

Now I want to know how & where I can refer to the user name (user1 or user2) to use its privileges.

How will I know which user's privilege level is used in the connection?


Privileges To Run Trace

Oct 1, 2007

Is there any way I can give a user read only access to the database, yet have privileges to run a trace?

Any suggestions and inputs would help

Thanks


DTSRUN Privileges?

May 4, 2006

I am trying to get a DTS package to be run from the command line with the dtsrun utility. The DTS package is stored in the database. The user I supply is a user in the database. I get an error stating "SQL Server does not exist or access denied." It looks to me like the SQL Server instance does exist because it tries to start the package. I get "DTSRun: Executing". If I put in a server that is non-existent, I do not get that message. I also know that my username and password are correct.

Here is output from my attempt to run dtsrun for my DTS pkg (server, user, password changed to protect my db security):

C:>dtsrun /Sserver_name /Uuser /Ppass /Npkg_name
DTSRun: Loading...
DTSRun: Executing...
DTSRun OnStart: DTSStep_DTSExecuteSQLTask_1
DTSRun OnError: DTSStep_DTSExecuteSQLTask_1, Error = -2147467259 (80004005)
Error string: [DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied.
Error source: Microsoft OLE DB Provider for SQL Server
Help file:
Help context: 0
Error Detail Records:
Error: -2147467259 (80004005); Provider Error: 17 (11)
Error string: [DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied.
Error source: Microsoft OLE DB Provider for SQL Server
Help file:
Help context: 0
DTSRun OnFinish: DTSStep_DTSExecuteSQLTask_1
DTSRun: Package execution complete.

I suspect that the user I am connecting to the database with does not have privileges to execute the DTS package. I cannot determine, from BOL, what privs I need to grant to this user to let them execute this package. Any ideas?

TIA,
Brian

--
Brian Peasland
http://www.peasland.net
Remove the "nospam." from the email address to email me.
"I can give it to you cheap, quick, and good. Now pick two out of the three" - Unknown


Issues With Privileges

Aug 11, 2006

I am having trouble with providing the minimum security to a user. After issuing the following:

GRANT EXECUTE ON SCHEMA :: DBO TO skillsnetuser;

I test the permissions with

exec as login = 'skillsnetuser'

exec prcElmtList 1, 1, 102268

revert;

and receive this message

Msg 229, Level 14, State 5, Line 2

SELECT permission denied on object 'Org', database 'SNAccess_Dev', schema 'dbo'.

The principal that owns the dbo schema is dbo and is the principal for all procedures and tables in that schema.

What can I do to shed some light on what is causing this access problem?


Insufficient Privileges

May 25, 2008

After installing Express, I tried running the QuickStart utility and received an error that I have insufficient privileges to create. I am the administrative user on my laptop and don't understand why I am unable to run the utility.

I did have an instance previously and had no problems with it until it was corrupted somehow.

I am running on Vista.

Any help will be greatly appreciated.


Grant All Privileges To A User

Aug 24, 2006

Is it possible to grant all privileges for all tables of a specified database through a script? Because I have to send the script to the user side and I can't do it manually in Enterprise Manager.

Regards,


Script To Know Users And Their Privileges

Apr 10, 2015

Is there any script to know users and their database roles privileges and server roles of particular database?


Granting Privileges With A Script

Sep 14, 2005

Hi,

I'm trying to write a script to grant privileges to a user (we are trying to allow Windows Authentication in our application).

Previously, we used the following syntax:

grant select, insert, delete, update on area to mattuser

Where mattuser is a valid sql server user.

However, we want to do something like the following:

grant select, insert, delete, update on area to MATT2000IUSR_MATT2000

Where IUSR_MATT2000 is a valid user on computer MATT2000.

We get an error when we try to run this script as follows:

Incorrect syntax near ''

How do we grant permissions for this user, other than doing it manually?

Regards.

Matt.








Copyrights 2005-15 www.BigResource.com, All rights reserved