Chapter 1 Securing Your Server and Network (2): SIDs for Management Services


Source: http://blog.csdn.net/dba_huangzj/article/details/37927319 ; series index: http://blog.csdn.net/dba_huangzj/article/details/37906349

Without the author's consent, this article may not be republished as "original" or used for commercial purposes, and I bear no legal liability for such use.

Previous article: http://blog.csdn.net/dba_huangzj/article/details/37924127

Objective:

Services such as SQL Server run under the security context of a Windows account. If other services run under the same Windows account, those (non-SQL Server) services may gain access to resources they were never meant to reach, such as files and folders whose access control lists (ACLs) grant rights to that account, and may perform actions they should not. This is clearly undesirable.

Starting with Windows Server 2008, Microsoft introduced the concept of a "service SID": each service gets its own security identifier (SID). With service SIDs you can create an identity for a specific service and use it in the Windows security model. This identity also allows each service to hold different permissions even when several services share the same account or a built-in account.

The SIDs for each service are enabled and granted permissions during installation on Windows Server 2008.

Implementation:

Use the command-line tool below to view existing service SIDs and to create one for a specific service:


1. Open the command-line tool (CMD.EXE).

2. Enter the command:

SC qsidtype MSSQL$SQL2012

MSSQL$SQL2012 is the service name of a named instance; for the default instance use MSSQLSERVER.


The following two screenshots show the result for a named instance and for the default instance, respectively:

[Screenshot] Named instance (the local named instance is SQL2012)

[Screenshot] Default instance


In the output above, SERVICE_SID_TYPE can take one of three values:

    • NONE: the service has no SID.
    • UNRESTRICTED: the service has a SID.
    • RESTRICTED: the service has a SID and runs with a write-restricted token.

3. If SERVICE_SID_TYPE is NONE, create a SID with the following command:

SC sidtype MSSQL$SQL2012 UNRESTRICTED

If User Account Control (UAC) is enabled, which prompts for every administrative task, open CMD with "Run as Administrator" or via Ctrl+X. Once the SQL Server service SID is enabled, any additional permissions the instance needs on the machine (such as ACLs on the backup directory, or on files imported with the BULK INSERT command) should be granted to the service SID rather than to the account the SQL Server service runs under.
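The procedure above, carried out end to end as an added PowerShell example (not code from the original post): query the SID type, enable it when it is NONE, resolve the NT SERVICE virtual account to its SID, and grant that SID, not the run-as account, rights on the backup folder. The instance name SQL2012 and the folder D:\SQLBackup are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the original post). Assumes named instance SQL2012
# and backup folder D:\SQLBackup; run from an elevated ("Run as Administrator")
# PowerShell prompt.
param(
    [string]$InstanceName = 'SQL2012',      # assumption: local named instance
    [string]$BackupDir    = 'D:\SQLBackup'  # assumption: backup directory
)

# Default instance service is MSSQLSERVER; named instances are MSSQL$<name>
$svc = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) {
    throw "Service $svc not found on this machine"
}

# 1. Query the current SERVICE_SID_TYPE (same as 'sc qsidtype <service>')
$q = sc.exe qsidtype $svc
$m = $q | Select-String 'SERVICE_SID_TYPE:\s*(\w+)'
if (-not $m) { throw "Could not read SERVICE_SID_TYPE from sc.exe output" }
$type = $m.Matches[0].Groups[1].Value
Write-Host "$svc SERVICE_SID_TYPE = $type"

# 2. Enable the SID when it is NONE. Never use RESTRICTED for SQL Server:
#    the write-restricted token blocks resources the service needs to start.
if ($type -eq 'NONE') {
    sc.exe sidtype $svc unrestricted | Out-Null
    Write-Host "Enabled service SID for $svc (restart the service to apply)"
}

# 3. Resolve the virtual account name to its S-1-5-80-... SID for the record
$account = "NT SERVICE\$svc"
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
Write-Host "$account -> $sid"

# 4. Grant Modify on the backup folder to the service SID, inherited by
#    subfolders and files, instead of to the Windows account running the service
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
icacls.exe $BackupDir /grant "${account}:(OI)(CI)M" | Out-Null

# 5. Verify the resulting ACE on the folder
(Get-Acl $BackupDir).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

The same pattern applies to any other path the instance must reach, such as a folder of files loaded with BULK INSERT: grant the NT SERVICE\ account, never the shared Windows account.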

How it works:

The SID of the SQL Server service is derived from the service and instance name. The account name takes the form NT SERVICE\MSSQLSERVER (default instance) or NT SERVICE\MSSQL$<instancename> (named instance).

A brief explanation of the SC command:

    • Sc.exe is the command-line tool for interacting with the Service Controller.
    • SC qsidtype queries the current SID type of a service.
    • SC sidtype changes the SID type of a service.

To remove a SID, set the service's SID type to NONE; conversely, UNRESTRICTED creates one.

Note: Do not use the RESTRICTED option for SQL Server. The write-restricted token blocks access to some resources the SQL Server service needs, and SQL Server will fail to start.


Filed under: http://blog.csdn.net/dba_huangzj/article/details/38017703
