Chapter 1 Securing Your Server and Network (1): Selecting the SQL Server Service Account

Source: Internet
Author: User

Original: http://blog.csdn.net/dba_huangzj/article/details/37924127, series index: http://blog.csdn.net/dba_huangzj/article/details/37906349

This article may not be republished as "original" without the author's permission, and may not be used for commercial purposes. I accept no legal liability whatsoever.

Objective:

SQL Server runs as a Windows service on the Windows operating system, with the privileges of a Windows user account or a system account. Choosing the appropriate account to run SQL Server under is important. This series of articles focuses only on the security aspects.

Choosing the right account matters because, if its permissions are inappropriate, a user (client) can reach through SQL Server and make unintended use of the Windows OS or of other resources.

Implementation:

The account is first selected during installation, but it can be changed afterwards. Installing SQL Server is beyond the scope of this article, so the account selection during setup is skipped here; the following steps apply after installation is complete.

Implementation steps:

1. Run services.msc to open the Services console and locate the SQL Server service.

2. Right-click the service, select Properties, and view the account it currently runs as.

3. Open SQL Server Configuration Manager and find the SQL Server Services node. There are two instances on this machine: one is 2008 R2 and the other is 2012; 2012 is a named instance, so select the SQL Server (SQL2012) service, right-click it and choose Properties.

4. On the Properties page, select the Log On tab.

5. Select "Built-in account". There are three options in the drop-down list (Local System, Local Service and Network Service); two of them are explained below.

6. After changing the account, click OK. You will be prompted to restart the SQL Server service; click Yes. A change of service account only takes effect after the service is restarted, so in a production environment the change must be planned and carried out with care.

7. That is how the SQL Server service account is changed. The principles and considerations behind the choice follow.
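The same change can be made from PowerShell through the SQL Server WMI provider, which is what SQL Server Configuration Manager drives behind its GUI. The block below is an added example, not code from the original post: it reads the current startup account of the service, sets a new one, and restarts the service. It assumes a named instance SQL2012 (service name MSSQL$SQL2012), an already-created domain account CORP\svcSQL2012, and the SQL Server 2012 provider namespace ComputerManagement11 (SQL Server 2008 R2 uses ComputerManagement10); run it in an elevated Windows PowerShell session on the server.

```powershell
# Added example (not from the original post): change a SQL Server service
# account via the SQL Server WMI provider instead of services.msc or sc.exe.
# Assumptions: named instance SQL2012, account CORP\svcSQL2012, SQL 2012
# provider namespace ComputerManagement11. Run elevated on the SQL host.

$serviceName = 'MSSQL$SQL2012'
$newAccount  = 'CORP\svcSQL2012'
$namespace   = 'root\Microsoft\SqlServer\ComputerManagement11'

# 1. What does the service run as today? (same information as services.msc)
$win32 = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
"{0} currently runs as {1} (state: {2})" -f $win32.Name, $win32.StartName, $win32.State

# 2. Locate the same service in the SQL Server provider.
$sqlSvc = Get-WmiObject -Namespace $namespace -Class SqlService |
          Where-Object { $_.ServiceName -eq $serviceName }
if (-not $sqlSvc) { throw "Service $serviceName not found in $namespace" }

# 3. Prompt for the password rather than embedding it in the script.
$cred  = Get-Credential -UserName $newAccount -Message "Password for $newAccount"
$plain = $cred.GetNetworkCredential().Password

# 4. SetServiceAccount also grants the new account the file-system and
#    registry rights the instance needs, as Configuration Manager does.
$result = $sqlSvc.SetServiceAccount($newAccount, $plain)
if ($result.ReturnValue -ne 0) {
    throw "SetServiceAccount failed with code $($result.ReturnValue)"
}

# 5. The change only takes effect after a restart; do this in a planned
#    window. -Force also restarts dependent services such as SQL Agent.
Restart-Service -Name $serviceName -Force
(Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'").StartName
```

Check the final line prints the new account; if SetServiceAccount returns a non-zero code the old account is left in place and nothing is restarted.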

Principle:

The SQL Server service inherits the permissions of its Windows account on the underlying operating system. It does not need administrator privileges on the machine.

It only needs permissions on the data files and transaction log files, the error log folder, the folder where backups are written, and a small number of system rights.

If you change the service account after SQL Server is installed, it is strongly recommended that you do so with SQL Server Configuration Manager rather than the Windows Service Control Manager, because the latter does not grant the new account the permissions SQL Server needs.

On Windows Server 2008 R2 and later, SQL Server setup uses a virtual account as the startup account by default (virtual accounts are described later in this series). If you chose "Built-in account" in step 5, no password needs to be supplied, because these accounts' passwords are managed and preset by the operating system. A brief introduction to two of the accounts offered in step 5:

    • Local System: a Windows system account that has administrator privileges on the local computer and appears on the network as the computer account (<Domain>\<Machine>$). If the machine is in a domain, network resources can be granted access to this account.
    • Network Service: this account has far fewer local permissions than Local System, but accesses network resources in the same way as Local System does, as the computer account.

You can also select a Windows or domain account that you have already created, specifying it by its full name (<Domain>\<Account>). Make sure that the account is exempt from the Windows password expiration policy; otherwise the whole SQL Server service may stop after running for a while, once the password expires.

As a best practice, use a dedicated Windows account rather than a built-in account, because built-in accounts are shared by several services and give much coarser control over rights. For example, an attacker who logs on to SQL Server with administrative privileges could use extended stored procedures such as xp_cmdshell to attack the operating system with whatever rights the service account holds.

Using a dedicated, least-privileged Windows account reduces the chance of such a situation occurring.
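A quick way to verify the principle above for an existing instance is to check that its service account is not a local Administrator and holds explicit rights only on the folders SQL Server actually uses. The block below is an added example, not code from the original post; it assumes the service MSSQL$SQL2012 and the four folder paths shown (data, log, backup and ERRORLOG for a 2012 named instance), which you should adjust to your own instance, and Get-LocalGroupMember requires Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original post): audit a SQL Server service
# account for least privilege. Assumptions: service MSSQL$SQL2012 and the
# folder paths listed below; Windows PowerShell 5.1+ for Get-LocalGroupMember.

$serviceName = 'MSSQL$SQL2012'
$paths = @(
    'D:\SQLData',      # .mdf/.ndf files            (assumed path)
    'L:\SQLLog',       # .ldf files                 (assumed path)
    'E:\SQLBackup',    # backup files               (assumed path)
    'C:\Program Files\Microsoft SQL Server\MSSQL11.SQL2012\MSSQL\Log'   # ERRORLOG
)

$account = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartName
"Service account: $account"

# 1. A service account in local Administrators means any OS-level escape
#    from SQL Server (xp_cmdshell, SQLCLR, Agent jobs) runs as an admin.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $account) {
    Write-Warning "$account is a member of local Administrators; remove it."
} else {
    "OK: $account is not a direct member of local Administrators"
}

# 2. On each folder the account needs Modify and nothing more; an ACE that is
#    missing here (or present on unrelated folders) is worth a closer look.
foreach ($p in $paths) {
    if (-not (Test-Path $p)) { "Missing: $p"; continue }
    $rules = (Get-Acl $p).Access | Where-Object { $_.IdentityReference.Value -eq $account }
    if (-not $rules) { Write-Warning "$account has no explicit ACE on $p" }
    foreach ($r in $rules) {
        "{0}: {1} {2}" -f $p, $r.AccessControlType, $r.FileSystemRights
    }
}
```

The comparison is case-insensitive, so a virtual account reported as "NT Service\MSSQL$SQL2012" still matches the "NT SERVICE\..." identity in the ACL. Note that the Administrators check only sees direct membership; rights inherited through a nested domain group would need to be checked on the group.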

Additional information:

Not every Windows account can run a service: the account must hold the "Log on as a service" user right (SeServiceLogonRight). To grant it:

1. On the computer, open Administrative Tools and select Local Security Policy (on Windows 8, go to Control Panel → System and Security → Administrative Tools). Under Local Policies → User Rights Assignment, find "Log on as a service":

2. Add the required account.

If the server runs a Server Core edition, there is no GUI in which to make this change; likewise, you may not be able to log on to the target server directly to use the GUI (on a non-Core edition). In either case the configuration can be done from another machine:

Steps:

1. Open Computer Management (compmgmt.msc), right-click the root node, select "Connect to another computer" and enter the server address.

After a successful connection, the root node changes from "Computer Management (Local)" to "Computer Management (SQL-A)":

2. Under the Services and Applications node you will find SQL Server Configuration Manager, where the configuration described earlier can be carried out.
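Without a GUI, the "Log on as a service" right can be granted with secedit, which works on Server Core and, through PowerShell remoting, from another machine, mirroring the "Connect to another computer" step above. The block below is an added example, not code from the original post: the function exports the local user-rights policy, appends the account's SID to the SeServiceLogonRight entry while keeping the existing holders, and imports the result. Assumed names are the account CORP\svcSQL2012 and the server SQL-A; it must run elevated, and the remote call needs WinRM enabled on the target.

```powershell
# Added example (not from the original post): grant SeServiceLogonRight
# ("Log on as a service") with secedit, locally or remotely. Assumptions:
# account CORP\svcSQL2012, server SQL-A, elevated session, WinRM for remoting.

function Grant-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$Account)

    # secedit templates reference accounts as *SID, so resolve the name first.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $work = Join-Path $env:TEMP ("svclogon-{0}" -f [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    $export = Join-Path $work 'current.inf'
    $import = Join-Path $work 'grant.inf'

    # Export only the user-rights area of the current local policy.
    & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $export | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    $current = $line -replace '^SeServiceLogonRight\s*=\s*', ''
    $holders = @($current -split ',' | Where-Object { $_ } | ForEach-Object { $_.Trim() })

    if ($holders -contains "*$sid") {
        Remove-Item $work -Recurse -Force
        return "$Account already holds SeServiceLogonRight"
    }

    # Keep the existing holders: a template listing only the new SID would
    # silently strip the right from every other service account.
    $newValue = ($holders + "*$sid") -join ','
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $newValue
"@ | Set-Content -Path $import -Encoding Unicode

    & secedit.exe /configure /db (Join-Path $work 'grant.sdb') /cfg $import /areas USER_RIGHTS | Out-Null
    Remove-Item $work -Recurse -Force
    return "Granted SeServiceLogonRight to $Account ($sid)"
}

# Locally, e.g. on a Server Core installation:
Grant-ServiceLogonRight -Account 'CORP\svcSQL2012'

# Remotely, from an administrative workstation:
Invoke-Command -ComputerName 'SQL-A' -ScriptBlock ${function:Grant-ServiceLogonRight} -ArgumentList 'CORP\svcSQL2012'
```

SQL Server Configuration Manager grants this right automatically when you set the account through it; the function is for the cases where the right has to be granted separately, such as a pre-staged account or a service configured by other tooling.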

Creating a domain user as the service account:

In a domain environment, use Active Directory Administrative Center or Active Directory Users and Computers on a domain controller to add the user to the domain.

When creating the user, tick only the options you actually need. Unless there is a special requirement, do not tick "User must change password at next logon":

Given the password expiration problem described above for service accounts, consider using Managed Service Accounts, introduced in Windows Server 2008 R2, which are described later in this series.
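The same account can be created from PowerShell with the ActiveDirectory module, which makes the two settings the text warns about explicit: no forced password change at next logon, and a password that does not expire. The block below is an added example, not code from the original post. It shows an ordinary domain user first and then, as the alternative the text recommends, a standalone Managed Service Account bound to the SQL host. Assumed names: domain CORP (corp.example), OU "OU=Service Accounts,DC=corp,DC=example", account svcSQL2012, host SQL-A; it needs RSAT with the ActiveDirectory module, and the -RestrictToSingleComputer switch requires the Windows Server 2012 or later version of that module.

```powershell
# Added example (not from the original post): create a SQL Server service
# account in AD. Assumptions: domain CORP / corp.example, the OU below,
# account svcSQL2012, SQL host SQL-A, ActiveDirectory module (RSAT) installed.

Import-Module ActiveDirectory

$ou   = 'OU=Service Accounts,DC=corp,DC=example'
$name = 'svcSQL2012'

# (a) Ordinary domain user. A service never logs on interactively, so it can
#     never satisfy "must change password at next logon"; and if the password
#     expires, the instance stops at its next restart.
$pwd = Read-Host -AsSecureString -Prompt "Password for CORP\$name"
New-ADUser -Name $name -SamAccountName $name -Path $ou `
    -AccountPassword $pwd -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
    -Description 'SQL Server 2012 service account for SQL-A'

# Verify the expiry-related attributes before pointing the service at it.
Get-ADUser $name -Properties PasswordNeverExpires, PasswordLastSet, PasswordExpired |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet, PasswordExpired

# (b) Alternative: a standalone Managed Service Account tied to SQL-A.
#     Windows rotates its password itself; SQL Server is then configured with
#     CORP\svcSQL2012msa$ and an empty password field.
New-ADServiceAccount -Name 'svcSQL2012msa' -RestrictToSingleComputer -Path $ou
Add-ADComputerServiceAccount -Identity 'SQL-A' -ServiceAccount 'svcSQL2012msa'
# Then, in an elevated session on SQL-A itself (RSAT installed there too):
#   Install-ADServiceAccount -Identity 'svcSQL2012msa'
#   Test-ADServiceAccount -Identity 'svcSQL2012msa'   # True once the host can use it
```

For option (a) the Get-ADUser output should show PasswordNeverExpires as True and PasswordExpired as False; if a domain policy forbids non-expiring passwords, option (b) is the way to keep the service from stopping at the next password rollover.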

Extended reading:

Configure Windows service accounts and permissions (http://msdn.microsoft.com/zh-cn/library/ms143504.aspx)
Next: http://blog.csdn.net/dba_huangzj/article/details/37927319
