Chapter 1 Securing Your Server and Network (1): Selecting the SQL Server Running Account
Source: http://blog.csdn.net/dba_huangzj/article/details/37924127; series directory: http://blog.csdn.net/dba_huangzj/article/details/37906349
Without the author's consent, no one may republish this article as "original" or use it for commercial purposes. I accept no legal liability.
Preface:
SQL Server is a Windows service that runs on the Windows operating system with the permissions of a Windows user account or a system account, so choosing the account that runs SQL Server matters a great deal. This series of articles looks at it from the security angle only.
One reason it matters: if the account's permissions are inappropriate, a user (client) can use SQL Server to do things on the Windows OS or on other resources that were never intended.
Implementation:
The account is first chosen during installation, but it can be changed afterwards. How to install SQL Server is beyond the scope of this article, so the account-selection step of the installer is skipped here. After installation, proceed as follows.
Steps:
1. Type services.msc at the command line to open the Services console and find the SQL Server service,
2. Right-click the service, choose Properties, and view the current logon account:
3. Open SQL Server Configuration Manager and find the entry for your SQL Server instance. This machine has two instances, a 2008 R2 instance and a named instance called SQL2012, so select SQL Server (SQL2012), right-click it, and choose Properties:
4. On the Properties page, select the Log On tab,
5. Choose Built-in account. The drop-down list offers three options; they are described in the sections below:
6. After changing the account, click OK. You are prompted to restart the SQL Server service; click Yes and the service restarts. The restart is unavoidable because the new logon account only takes effect when the service starts, so in a production environment be cautious and make this change in a planned maintenance window.
7. That demonstrates how to change the SQL Server service account. Next, some principles and precautions.
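As an added example that is not part of the original article, the following PowerShell script performs steps 2 to 6 without the GUI, going through the SQL Server WMI provider that Configuration Manager itself uses rather than the plain Service Control Manager. It assumes a SQL Server 2012 instance named SQL2012 (WMI namespace ComputerManagement11; a 2008 R2 instance uses ComputerManagement10) and an already existing domain account CONTOSO\svc_sql2012; those names are assumptions, not taken from the article.

```powershell
# Added example, not part of the original article. Change the account that a
# SQL Server Database Engine service runs as, via the SQL Server WMI provider
# (the same API SQL Server Configuration Manager calls), then restart it.
# Assumptions: SQL Server 2012 (namespace ComputerManagement11), named instance
# SQL2012, and an existing domain account CONTOSO\svc_sql2012. Run elevated.

$Namespace   = 'root\Microsoft\SqlServer\ComputerManagement11'   # ComputerManagement10 for 2008 R2
$ServiceName = 'MSSQL$SQL2012'                                    # 'MSSQLSERVER' for the default instance
$NewAccount  = 'CONTOSO\svc_sql2012'

# Step 2 equivalent: find the Database Engine service (SQLServiceType 1) and
# show the account it currently logs on as.
$svc = Get-WmiObject -Namespace $Namespace -Class SqlService |
       Where-Object { $_.SQLServiceType -eq 1 -and $_.ServiceName -eq $ServiceName }
if (-not $svc) { throw "Service '$ServiceName' not found in $Namespace" }
Write-Host "Current logon account for $ServiceName : $($svc.StartName)"

# Steps 4-5 equivalent: set the new account through the provider, which also
# fixes up the registry/file ACLs and privileges the engine needs. Doing the
# same through services.msc or sc.exe would change only the logon name.
$cred   = Get-Credential $NewAccount
$result = $svc.SetServiceAccount($NewAccount, $cred.GetNetworkCredential().Password)
if ($result.ReturnValue -ne 0) { throw "SetServiceAccount failed with code $($result.ReturnValue)" }

# Step 6 equivalent: the change only takes effect at the next start, so restart
# the service (on production, do this in a maintenance window; -Force also
# restarts dependent services such as SQL Server Agent).
Restart-Service -Name $ServiceName -Force
Start-Sleep -Seconds 5

# Verify from both the SQL Server provider and the Service Control Manager.
$svc = Get-WmiObject -Namespace $Namespace -Class SqlService |
       Where-Object { $_.ServiceName -eq $ServiceName }
Write-Host "Logon account is now: $($svc.StartName)"
Get-WmiObject Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State
```

The script prompts for the password rather than embedding it, and it checks the ReturnValue of SetServiceAccount before restarting, so a wrong password or a missing "Log on as a service" right is reported instead of leaving the instance down.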
Principle:
SQL Server inherits its permissions on the underlying operating system from the Windows account it runs as. That account does not need to be a local administrator: it only needs permissions on the data file and transaction log directories, the error log directory, the directory where backups are written, and a small number of system privileges (such as the right to log on as a service).
If you change the service account after installing SQL Server, we strongly recommend using SQL Server Configuration Manager rather than the Windows Services console (Service Control Manager). Configuration Manager grants the new account the file-system, registry and privilege settings the engine requires; the Services console only changes the logon name and leaves those permissions untouched.
On Windows Server 2008 R2, SQL Server setup uses a Virtual Account (introduced later in this series) as the default startup account. If you choose a built-in account in step 5, no password is required: the operating system manages those credentials itself. Two of the accounts offered in step 5 are:
- Local System: a Windows system account with administrator rights on the local machine. On the network it appears as the computer account (<Domain>\<Machine>$). If the machine is domain-joined, this account can therefore be granted access to network resources.
- Network Service: has far fewer local privileges than Local System, but accesses network resources in the same way, as the computer account.
You can also choose an existing Windows or domain account, specified by its full name (<Domain>\<Account>), as the service account. Make sure that this account is exempt from the Windows password expiration policy; otherwise, once the password expires, the SQL Server service will fail to start the next time it is restarted, because the Service Control Manager still holds the old password.
In practice we recommend replacing the built-in account with a dedicated Windows account. A built-in account is shared by several services, so its permissions cannot be controlled as tightly as those of a dedicated account. For example, if SQL Server runs as Local System, an attacker who obtains sysadmin on the instance can enable extended stored procedures such as xp_cmdshell and run operating-system commands with full administrator rights. Running as a low-privilege Windows account limits the damage in that scenario.
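To make the principle above checkable, here is an added PowerShell audit script, not from the original article, that lists the account each Database Engine service on the host runs as, flags Local System, Network Service and local-Administrator members, and asks each instance whether xp_cmdshell is enabled. It assumes the SQL Server 2012 WMI namespace (ComputerManagement11; use ComputerManagement10 for 2008 R2) and that sqlcmd.exe is on the PATH, as it is when the client tools are installed; the risk labels are this script's own classification.

```powershell
# Added example, not part of the original article: audit which account each
# SQL Server Database Engine service on this host runs as and flag the cases
# the text warns about. Assumptions: SQL Server 2012 WMI namespace
# (ComputerManagement11; ComputerManagement10 for 2008 R2) and sqlcmd.exe on
# the PATH. Run as an administrator who is also sysadmin on the instances.

$Namespace = 'root\Microsoft\SqlServer\ComputerManagement11'

# Members of the local Administrators group, parsed from "net localgroup"
# (works on PowerShell 2.0 / Server 2008 R2, which lack Get-LocalGroupMember).
$admins = net localgroup Administrators |
          Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+$|The command)' }

function Get-XpCmdShellState {
    param([string]$InstanceName)   # e.g. 'SQL2012'; empty string for the default instance
    $server = if ($InstanceName) { "$env:COMPUTERNAME\$InstanceName" } else { $env:COMPUTERNAME }
    $q = "SET NOCOUNT ON; SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'xp_cmdshell'"
    $out = sqlcmd -S $server -E -h -1 -W -Q $q 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $out) { return 'unknown (sqlcmd failed or no access)' }
    $val = ($out | Where-Object { $_ -and $_.Trim() } | Select-Object -Last 1).Trim()
    if ($val -eq '1') { 'ENABLED' } else { 'disabled' }
}

Get-WmiObject -Namespace $Namespace -Class SqlService |
  Where-Object { $_.SQLServiceType -eq 1 } |
  ForEach-Object {
    $acct     = $_.StartName
    $short    = $acct -replace '^\.\\', ''               # ".\name" is listed as "name" by net localgroup
    $instance = if ($_.ServiceName -like 'MSSQL$*') { $_.ServiceName.Substring(6) } else { '' }
    $risk = if ($acct -eq 'LocalSystem' -or $acct -eq 'NT AUTHORITY\SYSTEM') {
                'HIGH: Local System - xp_cmdshell would run as SYSTEM'
            } elseif ($acct -eq 'NT AUTHORITY\NETWORK SERVICE') {
                'MEDIUM: built-in account shared with other services'
            } elseif ($admins -contains $acct -or $admins -contains $short) {
                'HIGH: service account is a local Administrator'
            } elseif ($acct -like 'NT SERVICE\*') {
                'OK: virtual account'
            } else {
                'review: dedicated account - verify ACLs and password policy'
            }
    New-Object PSObject -Property @{
        Service     = $_.ServiceName
        Account     = $acct
        Status      = (Get-Service -Name $_.ServiceName).Status
        xp_cmdshell = Get-XpCmdShellState $instance
        Risk        = $risk
    }
  } | Format-Table Service, Account, Status, xp_cmdshell, Risk -AutoSize
```

A row showing Local System together with xp_cmdshell ENABLED is exactly the combination the text describes: any sysadmin login on that instance is already a local administrator of the host.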
Additional details:
Not every account can run a service: the account must hold the "Log on as a service" right. To grant it, follow these steps:
1. On the local machine, open Administrative Tools > Local Security Policy (on Windows 8: Control Panel > System and Security > Administrative Tools), then go to Local Policies > User Rights Assignment > Log on as a service:
2. Add the account you want.
If you run Windows Server Core, there is no GUI in which to do this, and in other cases you may not be allowed to log on to the target server to use the GUI. For non-Core servers the configuration can be done from another machine:
Steps:
1. Open Computer Management (compmgmt.msc), right-click the root node, choose Connect to another computer, and enter the server address.
After a successful connection, note that [Computer Management (Local)] has changed to [Computer Management (SQL-A)]:
2. Under the Services and Applications node you will find SQL Server Configuration Manager, where you can perform the configuration described above.
Create a domain user as a service account:
In a domain environment, use Active Directory Users and Computers (or the Active Directory Administrative Center) on the domain controller to add the user account that the domain-joined machine will run the service as.
When creating the user, choose the User object type. Unless there is a special need, do not select [User must change password at next logon]:
If you want the service account's password to be rotated automatically instead, consider the Managed Service Accounts introduced in Windows Server 2008 R2, which are described in a later article.
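The following PowerShell, added here and not part of the original article, scripts both of the manual procedures above: creating the domain service account with the password settings just discussed (Part A, run on a domain controller with the Active Directory module), and granting it the "Log on as a service" right with secedit (Part B, run elevated on the SQL Server host). Part B needs no GUI, so it also covers the Server Core case from the earlier section. The domain contoso.local, the account svc_sql2012 and the OU path are assumptions.

```powershell
# Added example, not part of the original article. Part A runs on a domain
# controller (ActiveDirectory module, Windows Server 2008 R2 or later) and
# creates the dedicated service account. Part B runs elevated on the SQL Server
# host and grants "Log on as a service" with secedit, which works on Server
# Core too. CONTOSO / contoso.local, svc_sql2012 and the OU are assumptions.

# ---- Part A: on the domain controller ----
Import-Module ActiveDirectory
$sam = 'svc_sql2012'
$params = @{
    Name                  = $sam
    SamAccountName        = $sam
    UserPrincipalName     = "$sam@contoso.local"
    Path                  = 'OU=ServiceAccounts,DC=contoso,DC=local'
    AccountPassword       = (Read-Host -AsSecureString "Password for CONTOSO\$sam")
    Enabled               = $true
    ChangePasswordAtLogon = $false   # the checkbox the article says to leave clear
    PasswordNeverExpires  = $true    # otherwise the service fails to start once the password expires
    CannotChangePassword  = $true    # only an administrator rotates it, deliberately
    Description           = 'SQL Server service account for instance SQL2012'
}
New-ADUser @params

# ---- Part B: on the SQL Server host ----
$account = 'CONTOSO\svc_sql2012'
$nt  = New-Object System.Security.Principal.NTAccount($account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'user-rights.inf'
$sdb = Join-Path $env:TEMP 'user-rights.sdb'

# Export only the user-rights area of the local policy (secedit writes Unicode).
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines   = Get-Content $inf
$hasLine = [bool]($lines -match '^SeServiceLogonRight\s*=')

# secedit lists SIDs with a leading '*'; append ours unless it is already there.
$new = foreach ($line in $lines) {
    if ($line -match '^SeServiceLogonRight\s*=') {
        if ($line -like "*$sid*") { $line } else { "$line,*$sid" }
    } elseif (-not $hasLine -and $line -eq '[Privilege Rights]') {
        $line
        "SeServiceLogonRight = *$sid"
    } else {
        $line
    }
}
Set-Content -Path $inf -Value $new -Encoding Unicode
secedit /configure /db $sdb /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item $inf, $sdb -ErrorAction SilentlyContinue

# Verify: re-export and show the SeServiceLogonRight line, which should now contain *$sid.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
(Get-Content $inf) -match '^SeServiceLogonRight'
Remove-Item $inf -ErrorAction SilentlyContinue
```

Part B edits the exported template by SID rather than by name, which is the form secedit stores, so the grant survives account renames and works for accounts whose name the local machine cannot otherwise resolve at configure time.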
Additional reading:
Configure Windows Service Accounts and Permissions (http://msdn.microsoft.com/zh-cn/library/ms143504.aspx)
Next article: http://blog.csdn.net/dba_huangzj/article/details/37927319