Chapter 1 Securing Your Server and Network (2): Managing service SIDs

Source: http://blog.csdn.net/dba_huangzj/article/details/37927319
Topic directory: http://blog.csdn.net/dba_huangzj/article/details/37906349

Without the consent of the author, no one may publish this in the form of "original" or use it for commercial purposes. I am not responsible for any legal liability.

Previous Article: http://blog.csdn.net/dba_huangzj/article/details/37924127

 

Preface:

 

Services such as SQL Server run in the security context of a Windows account. If other services run under the same Windows account, those (non-SQL Server) services may gain unintended access to resources, such as those protected by access control lists (ACLs), and perform operations they should not be able to perform. This is clearly undesirable.

Starting with Windows Server 2008, Microsoft introduced a concept called the "service SID": each service has its own security identifier (SID). With a SID, you can create an identity for a specific service in the Windows security model. This identity also lets different services hold different permissions even when they run under the same account or a built-in account.

The SID of each service is enabled and granted permissions during installation on Windows Server 2008.

 

Implementation:

Use the command-line tool to view the existing SID of a service and to create one:


1. Open the command-line tool (CMD.EXE)

2. Enter the following command:

sc qsidtype mssql$sql2012

Here mssql$sql2012 is the service name of the instance. If it is the default instance, use mssqlserver.


The following two figures show the results of the named instance and the default instance:

[Figure: named instance; the local named instance is sql2012]

[Figure: default instance]


For the above results, SERVICE_SID_TYPE has three possible types:

  • NONE: the service does not have a SID.
  • UNRESTRICTED: the service has a SID.
  • RESTRICTED: the service has a SID and a write-restricted token.

3. If SERVICE_SID_TYPE is set to NONE, run the following command to create the SID:


 

sc sidtype mssql$sql2012 UNRESTRICTED

If User Account Control (UAC, which prompts every time an administrative task is executed) is in use, you need to run the above commands from a CMD window opened with [Run as administrator], or opened by pressing Ctrl + X.

Once the SID of the SQL Server service is enabled, use that SID, instead of the account the SQL Server service runs as, for all additional permissions on the machine where SQL Server is located (such as the ACL on the backup directory, or file imports using the BULK INSERT command).
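The three steps above, followed by a check of the backup directory ACL, as one PowerShell script. This is an added example, not code from the original article; the path D:\SQLBackup and the -Fix switch are assumptions made for illustration, and with -Fix the script must run from an elevated prompt.

```powershell
# Added example. Service names follow the page's convention
# (MSSQLSERVER / MSSQL$<INSTANCENAME>); D:\SQLBackup is a hypothetical path.
param(
    [string]$BackupDir = 'D:\SQLBackup',  # hypothetical: use your own backup directory
    [switch]$Fix                           # without -Fix the script only reports
)

function Get-ServiceSidType([string]$ServiceName) {
    # "sc" alone is an alias for Set-Content in Windows PowerShell, so call sc.exe.
    $out = & sc.exe qsidtype $ServiceName 2>&1 | Out-String
    if ($out -match 'SERVICE_SID_TYPE:\s+(\w+)') { return $Matches[1] }
    throw "sc.exe qsidtype failed for ${ServiceName}: $out"
}

# Database Engine services: the default instance and any named instances.
$services = Get-Service |
    Where-Object { $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' }

foreach ($svc in $services) {
    $account = "NT SERVICE\$($svc.Name)"   # account name that maps to the service SID
    $type    = Get-ServiceSidType $svc.Name
    Write-Output ("{0}: SERVICE_SID_TYPE = {1}" -f $svc.Name, $type)

    if ($type -eq 'RESTRICTED') {
        Write-Warning "$($svc.Name): RESTRICTED can prevent SQL Server from starting."
    }
    if ($type -eq 'NONE' -and $Fix) {
        & sc.exe sidtype $svc.Name unrestricted | Out-Null   # step 3 on the page
        Write-Output ("{0}: now {1}" -f $svc.Name, (Get-ServiceSidType $svc.Name))
    }

    if (-not (Test-Path -LiteralPath $BackupDir)) { continue }

    # Is the backup directory ACL granted to the service SID?
    $entries = (Get-Acl -LiteralPath $BackupDir).Access |
        Where-Object { $_.IdentityReference.Value -eq $account }
    if ($entries) {
        $entries | ForEach-Object {
            Write-Output ("  {0}: {1} {2}" -f $BackupDir, $_.AccessControlType, $_.FileSystemRights)
        }
    } elseif ($Fix) {
        # Modify, inherited by subfolders (CI) and files (OI).
        & icacls.exe $BackupDir /grant ("{0}:(OI)(CI)M" -f $account) | Out-Null
    } else {
        Write-Output "  $BackupDir has no ACL entry for $account"
    }
}
```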

 

Principle:

 

The SID of the SQL Server service is derived from the service and instance name. The format is NT SERVICE\MSSQLSERVER (default instance) or NT SERVICE\MSSQL$<INSTANCENAME> (named instance).

Brief Explanation of SC commands:

  • The SC.exe command is used to interact with the service controller.
  • The SC qsidtype command is used to query the status of the current SID.
  • SC sidtype provides the modification function.

If you want to remove the SID, change the service's SID type to NONE. Conversely, use UNRESTRICTED to create a SID.

Note: Do not use the RESTRICTED option for SQL Server, because it blocks some resources that the SQL Server service requires, causing SQL Server to fail to start.



