Chapter 1 Securing Your Server and Network (2): Managing Service SIDs
Source: http://blog.csdn.net/dba_huangzj/article/details/37927319, series index: http://blog.csdn.net/dba_huangzj/article/details/37906349
Without the author's consent, no one may republish this as an "original" post or use it for commercial purposes. I accept no legal liability for such use.
Previous Article: http://blog.csdn.net/dba_huangzj/article/details/37924127
Preface:
Services such as SQL Server run in the security context of a Windows account. If other services run under the same Windows account, those (non-SQL Server) services may gain access to resources they were never meant to reach, for example through access control list (ACL) entries granted to that account, and may perform operations they should not be able to perform. This is clearly undesirable.
Starting with Windows Server 2008, Microsoft introduced the concept of a "service SID": each service can have its own Security Identifier (SID). A service SID lets Windows treat a specific service as a security principal in its own right, so that different services running under the same account, or under a built-in account, can hold different permissions.
On Windows Server 2008 and later, the SID of each SQL Server service is enabled and granted its permissions during installation.
Implementation:
Use the command-line tool to view the existing service SID type and, if necessary, create the service SID:
1. Open the command line tool (CMD. EXE)
2. Enter the following command:
sc qsidtype mssql$sql2012
Here mssql$sql2012 is the service name of the named instance sql2012. For the default instance, use mssqlserver instead.
The following two figures show the results for a named instance (the local named instance is sql2012) and for the default instance:
[Figure: sc qsidtype output for the named instance sql2012]
[Figure: sc qsidtype output for the default instance]
For the above results, SERVICE_SID_TYPE has three possible types:
- NONE: the service does not have a SID.
- UNRESTRICTED: the service has a SID.
- RESTRICTED: the service has a SID and a write-restricted token.
3. If SERVICE_SID_TYPE is set to NONE, run the following command to create the SID:
sc sidtype mssql$sql2012 UNRESTRICTED
If User Account Control (UAC), which prompts every time an administrative task is executed, is enabled, you must run the above command from a CMD window opened with [Run as Administrator] (or press Ctrl+X to open one). Once the SQL Server service SID is enabled, it is the SID, rather than the account the SQL Server service runs under, that is granted the additional permissions on the machine where SQL Server is installed (such as the ACL on the backup directory, or on files imported with the BULK INSERT command).
Principle:
The SID of the SQL Server service is derived from the service name and the instance name. It appears as NT SERVICE\MSSQLSERVER (default instance) or NT SERVICE\MSSQL$<INSTANCENAME> (named instance).
Brief explanation of the SC commands:
- The sc.exe command is used to interact with the service controller.
- The SC qsidtype command is used to query the status of the current SID.
- SC sidtype provides the modification function.
If you want to remove the SID, change the service's SID type back to NONE; conversely, use UNRESTRICTED to create one.
Note: do not use the RESTRICTED option for SQL Server, because it blocks access to some resources the SQL Server service requires, and SQL Server will then fail to start.