Source: http://blog.csdn.net/dba_huangzj/article/details/37924127, topic directory: http://blog.csdn.net/dba_huangzj/article/details/37906349
Without the author's consent, no one may republish this as "original" or use it for commercial purposes. I accept no legal liability.
Preface:
SQL Server runs as a Windows service, with the permissions of whatever Windows account (a user account or a built-in system account) the service is configured to log on as. Choosing an appropriate account is therefore important; this series looks at the choice only from the security angle.
One reason the choice matters: if the service account holds more permissions than it needs, a client that gains control of SQL Server (for example, through a sysadmin login) can use it to reach the Windows operating system and other resources in ways that were never intended.
Implementation:
The account is first chosen during installation, but it can be changed afterwards. Installing SQL Server is outside the scope of this article, so the installer's account-selection page is skipped here; the steps below apply after installation.
Steps:
1. Run services.msc from the command line to open the Services console and find the SQL Server service.
2. Open SQL Server Configuration Manager and find the entry for the instance you want to change. The demo machine has two instances, a default 2008 R2 instance and a named instance, SQL2012, so here we select SQL Server (SQL2012), right-click it and choose Properties.
3. On the Properties page, select the Log On tab.
4. Select Built-in account. The drop-down offers three choices (Local System, Local Service and Network Service); the principles section below introduces them.
5. After changing the account, click OK. A prompt warns that the service must be restarted for the change to take effect; click Yes to restart it. Because a restart is unavoidable, make this change in production only in a planned maintenance window.
6. That covers changing the SQL Server service account. The next sections cover the principles and precautions behind the choice.
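The same procedure from PowerShell, as an added example that is not part of the original post. It goes through the SQL Server WMI provider (the SMO ManagedComputer class), which is what Configuration Manager itself uses, so the new account receives the file, registry and user-right grants along with the logon change. The instance name SQL2012, the account CONTOSO\svc_sql2012 and the presence of the SQL Server management tools (SMO) on the host are assumptions; run it in an elevated session.

```powershell
# Added example (not from the original post): inspect the SQL Server service
# accounts and change one the way Configuration Manager does, through the SQL
# Server WMI provider (SMO ManagedComputer).
# Assumptions: named instance "SQL2012", new account "CONTOSO\svc_sql2012",
# SQL Server management tools (SMO) installed, elevated session on the host.

# 1. What does every SQL Server related service run as right now?
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%'" |
    Select-Object Name, StartName, State, StartMode |
    Format-Table -AutoSize

# 2. Change the engine service account via the SQL Server WMI provider.
#    Do NOT use Win32_Service.Change() or "sc.exe config" for this: they only swap
#    the credential and leave the new account without the ACLs the instance needs.
Add-Type -AssemblyName 'Microsoft.SqlServer.SqlWmiManagement'

$instance = 'SQL2012'                                                     # assumption
$cred     = Get-Credential -UserName 'CONTOSO\svc_sql2012' -Message 'Service account password'  # assumption

$mc  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer  # local machine
$svc = $mc.Services["MSSQL`$$instance"]    # named instance service is MSSQL$<name>; the default instance is MSSQLSERVER
if (-not $svc) { throw "Service MSSQL`$$instance not found" }

"Current account: $($svc.ServiceAccount)"
$svc.SetServiceAccount($cred.UserName, $cred.GetNetworkCredential().Password)

# 3. The new account is used only after a restart, so schedule this in production.
#    SQL Server Agent depends on the engine, so stop it first if it is running.
$agent = $mc.Services["SQLAgent`$$instance"]
if ($agent -and $agent.ServiceState -eq 'Running') { $agent.Stop() }

$svc.Stop()
while ($svc.ServiceState -ne 'Stopped') { Start-Sleep -Seconds 1; $svc.Refresh() }
$svc.Start()
while ($svc.ServiceState -ne 'Running') { Start-Sleep -Seconds 1; $svc.Refresh() }
"Now running as: $($svc.ServiceAccount)"
```

The first command is a quick inventory of what the instance runs as today; the StartName column is what an attacker would inherit. If the Agent was stopped, start it again afterwards with the same Start() call on the $agent object.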
Principle:
SQL Server inherits the permissions its service account holds on the underlying Windows operating system. That account does not need to be a local administrator: it only needs rights on the data and transaction log files, the error log, the backup directory, and a small number of system privileges.
If you change the service account after installation, use SQL Server Configuration Manager rather than the Windows Service Control Manager (services.msc). Configuration Manager also grants the new account the file-system ACLs, registry permissions and user rights the instance needs; the Service Control Manager only swaps the logon credential, so the service may fail to start or be unable to reach its files.
On Windows Server 2008 R2 and later, SQL Server setup defaults to a virtual account (covered in a later article). If you choose Built-in account on the Log On tab, no password is required: the operating system manages and sets these accounts' passwords. Two of the built-in accounts are:
Local System (NT AUTHORITY\SYSTEM): a built-in Windows account with full administrator rights on the local computer. On a domain-joined machine it accesses network resources with the computer account's credentials (DOMAIN\COMPUTERNAME$).
Network Service (NT AUTHORITY\NETWORK SERVICE): has far fewer local privileges than Local System, but accesses network resources the same way, as the computer account.
You can also choose an existing Windows or domain account, entered with its full name (DOMAIN\username or COMPUTERNAME\username), as the service account. Make sure that account is exempt from the Windows password expiration policy; otherwise, after the system has been running for a while, the password expires, the service can no longer log on, and the whole SQL Server service stops.
As a best practice, replace the built-in accounts with a dedicated Windows account. The built-in accounts are shared by many services and cannot be controlled as finely as a real Windows account. For example, if an attacker obtains sysadmin rights on SQL Server and the service runs as Local System, extended stored procedures such as xp_cmdshell execute operating-system commands with administrator privileges. Running the service under a dedicated, low-privilege Windows account limits what such an attack can do.
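To see the xp_cmdshell point concretely, here is an added audit script that is not part of the original post. It asks the instance which Windows identity each service runs as and whether xp_cmdshell is enabled, and, if it is, shows the privileges any sysadmin would get at the OS level. The instance name SQL-A\SQL2012, integrated authentication, and a sysadmin login for the caller are assumptions; the hardening step at the end only runs when $harden is set.

```powershell
# Added example (not from the original post): audit what an attacker with sysadmin
# rights on the instance inherits at the OS level. Assumptions: named instance
# "SQL-A\SQL2012", integrated authentication, the caller's login is sysadmin.
$harden = $false   # set to $true to disable xp_cmdshell at the end

$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=SQL-A\SQL2012;Integrated Security=True'
$conn.Open()

# Run a query and return its rows as DataRow objects (empty for statements without a result set).
function Invoke-Query([string]$sql) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    $tbl = New-Object System.Data.DataTable
    $rdr = $cmd.ExecuteReader()
    $tbl.Load($rdr)
    $rdr.Close()
    return $tbl.Rows
}

# The Windows identity each service runs as (DMV available from SQL Server 2008 R2 SP1).
# This is the token every xp_cmdshell child process carries.
Invoke-Query "SELECT servicename, service_account FROM sys.dm_server_services" |
    Format-Table servicename, service_account -AutoSize

# Is xp_cmdshell enabled? If so, every sysadmin has OS command execution as the
# service account; with Local System that makes sysadmin equal to local admin.
$cfg = Invoke-Query "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
if ([int]$cfg.value_in_use -eq 1) {
    Write-Warning 'xp_cmdshell is enabled on this instance'
    # Show the exact privileges OS commands run with; the privilege list matters more than the name.
    Invoke-Query "EXEC master..xp_cmdshell 'whoami /priv'" |
        Select-Object -ExpandProperty output
} else {
    'xp_cmdshell is disabled. A sysadmin can re-enable it with sp_configure, so the'
    'durable control is running the service as a low-privilege account.'
}

if ($harden) {
    # Turn the feature off. This is worth doing, but it is reversible by any sysadmin,
    # which is why the service account, not this switch, bounds the blast radius.
    Invoke-Query "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;" | Out-Null
    'xp_cmdshell disabled'
}

$conn.Close()
```

Compare the whoami /priv output between an instance running as Local System and one running as a plain domain user: the former lists privileges such as SeDebugPrivilege and SeTakeOwnershipPrivilege, the latter only what the Log On tab setup granted.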
For more information:
Not every Windows account can run a service: the account needs the Log on as a service user right. To grant it, follow these steps:
1. On the local machine, open Administrative Tools > Local Security Policy (on Windows 8: Control Panel > System and Security > Administrative Tools > Local Security Policy), then go to Local Policies > User Rights Assignment > Log on as a service:
2. Add the account you want and click OK.
If the server runs Windows Server Core there is no GUI for this, and even on a full installation you may not be able to log on to the target server interactively. In both cases the configuration can be done from another machine:
Steps:
1. Open Computer Management (compmgmt.msc), right-click the root node, choose Connect to another computer, and enter the server's address.
Once connected, the root node changes from Computer Management (Local) to Computer Management (SQL-A):
2. Under Services and Applications you will find SQL Server Configuration Manager, where you can carry out the configuration described above.
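For the Server Core and remote cases just mentioned, and as a scripted alternative to the Local Security Policy steps above, here is an added example (not from the original post) that grants the Log on as a service right with secedit, which is present on every edition. The account name CONTOSO\svc_sql2012 is an assumption; run it elevated on the target server, or wrap it in Invoke-Command -ComputerName SQL-A to run it from another machine.

```powershell
# Added example (not from the original post): grant "Log on as a service"
# (SeServiceLogonRight) without the GUI, so it works on Server Core and over
# PowerShell remoting. Assumption: account "CONTOSO\svc_sql2012"; elevated session.
$account = 'CONTOSO\svc_sql2012'
$work    = Join-Path $env:TEMP 'svclogon'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg     = Join-Path $work 'rights.inf'

# 1. Export only the user-rights section of the current local security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# 2. secedit stores rights as "*SID" lists, so resolve the account to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($account)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value

$text = Get-Content $cfg
$line = $text | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }

if ($line -and $line -match "\*$([regex]::Escape($sid))(,|$)") {
    "$account already has SeServiceLogonRight"
} else {
    if ($line) {
        # Append to the existing list; never replace it, or you strip the right
        # from the virtual accounts and services that already hold it.
        $text = $text -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$sid"
    } else {
        $text = $text -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
    }
    Set-Content -Path $cfg -Value $text -Encoding Unicode   # secedit expects a Unicode .inf

    # 3. Apply just the user-rights area back into the local policy database.
    secedit /configure /db (Join-Path $work 'rights.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null
    "Granted SeServiceLogonRight to $account ($sid)"
}
```

Configuration Manager grants this right automatically when you change the account through it; the script is for the case where the account is assigned by other means or you want to pre-stage it.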
Create a domain user as a service account:
In a domain environment, use the Active Directory Users and Computers tool (or the Active Directory Administrative Center) on the domain controller to create the user that machines in the domain will run the service as.
When creating the user, choose the User object type. Unless there is a special need, do not select User must change password at next logon:
If you want the service account's password to expire and be rotated, use the managed service accounts introduced in Windows Server 2008 R2, which a later article describes.
Further reading: Configure Windows Service Accounts and Permissions (http://msdn.microsoft.com/zh-cn/library/ms143504.aspx)
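Creating the domain user from PowerShell with the attributes this section and the password-expiry caveat call for, as an added example that is not part of the original post. The account name svc_sql2012, the OU path, the UPN suffix contoso.com and the presence of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the original post): create a dedicated domain user for
# the SQL Server service with the settings a service account needs, then verify them.
# Assumptions: ActiveDirectory module available, OU "Service Accounts", domain contoso.com.
Import-Module ActiveDirectory

$name = 'svc_sql2012'                                                 # assumption
$pw   = Read-Host -AsSecureString -Prompt "Password for $name"

$params = @{
    Name                  = $name
    SamAccountName        = $name
    UserPrincipalName     = "$name@contoso.com"
    Path                  = 'OU=Service Accounts,DC=contoso,DC=com'
    AccountPassword       = $pw
    Enabled               = $true
    ChangePasswordAtLogon = $false   # a service cannot answer a "change password" prompt
    PasswordNeverExpires  = $true    # otherwise the domain policy expires it and SQL Server stops
    CannotChangePassword  = $true    # only an admin (or an MSA) should rotate it
    Description           = 'SQL Server SQL2012 engine service account'
}
New-ADUser @params

# Verify the settings that matter for a service account, and that the account
# was not dropped into a privileged group by a template or default.
Get-ADUser $name -Properties PasswordNeverExpires, PasswordExpired, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordExpired,
                  @{ n = 'Groups'; e = { $_.MemberOf -join '; ' } }
```

Groups should be empty (Domain Users is the primary group and is not listed in MemberOf). If your domain policy forbids PasswordNeverExpires, the managed service account route mentioned above is the alternative that keeps rotation without the outage risk.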