Chapter 1 Securing Your Server and Network (2): SIDs for Management Services

Original source: http://blog.csdn.net/dba_huangzj/article/details/37927319, featured folder:http://blog.csdn.net/dba_huangzj/article/details/37906349

I am not responsible for any legal liability whatsoever, without the permission of the author, to be published in the form of "original" or for commercial use.

Previous article: http://blog.csdn.net/dba_huangzj/article/details/37924127

Objective:

Services such as SQL Server that perform under the security context of a Windows account, assuming that other services are executed using the same Windows account, these services (non-SQL Server) will likely access some unintended resources, such as those on files and folders The Accesscontrol List, which is clearly unreasonable, and does something that should not be done.

Beginning with Windows Server 2008, Microsoft introduced a concept called "Service Sid", each of which is a security Identifier (secure identity). With SIDS, you can create an identity for a specific service that can be used in Windows security mode. At the same time, this identity can make it different for every service that uses the same account or a built-in account.

Each SID of a service is enabled and granted permissions during installation in Windows Server 2008.

Realize:

The following uses the command-line tool to view the existing SIDS and create them for a specific service:

1. Open the command-line tool (CMD.EXE)

2. Enter the command:

The SC qsidtype mssql$sql2012--mssql$sql2012 is a named instance name, assuming it is the default instance and capable of using MSSQLSERVER

The following two graphs are the result of both named and default instances:

Named instance: the native named instance is sql2012

Default instance:

For the above results, there are three possible types of Service_sid_type:

• None: The service does not have a SID.
• Unrestricted: The service has SIDS.
• RESTRICTED: The service has a SID and has a Write-restriction token (token)

3. Assuming that Service_sid_type is none, you can create a SID using the following command:

SC Sidtype mssql$sql2012 Unrestricted

Assume that you use the userAccount Control (UAC/user accounts controls to listen every time a management task is performed) and that the above operation requires the "EXECUTE as Administrator" cmd command or Open with Ctrl+x. When the SID of SQL Server is enabled, additional permissions on the machine where all SQL Server is located (such as ACLs on backup folders, file imports using the BULK INSERT command, etc.) need to use SIDS instead of the SQL Server service's execution account.

Principle:

The SID of the SQL Server service is derived from the service and instance name. The format is NT Service\mssqlserver (the default instance) or NT service\mssql$<instancename> (named instance).

For a brief explanation of the SC command:

• The Sc.exe command is used to interact with the service controller.
• The SC qsidtype command queries the status of the current SID.
• SC Sidtype provides the ability to change.

Assuming you want to remove the SID, you can change the service to none. Instead, use unrestricted to create a SID.

Note: Do not use the restricted option for SQL Server because this causes some of the resources required by the SQL Server service to be blocked, which causes SQL Server to fail to start.

Filed under: http://blog.csdn.net/dba_huangzj/article/details/38017703

Chapter 1 Securing Your Server and Network (2): SIDs for Management Services