Re: Do local administrators on a system with SQL Server 2005 insta

27/03/2008, 14h13

I haven't seen anyone mention those pesky default local accounts that set
themselves up as sysadmin.

%servername%\SQLServer2005SQLAgentUser$%servername %$MSSQLSERVER
%servername%\SQLServer2005MSSQLUser$%servername%$M SSQLSERVER

It seems that the default setup puts the service account into the later. All
anyone with enough power would have to do is drop an account into one of
these and presto! What are all of the implications of taking these roles out
of the picture (or at least out of admin)? Where is the best documentation
for fixing this?

"Tibor Karaszi" wrote:

> << Thanks for the clarification Tibor! I thought it was by default
> simply because I see it that way on all our systems, but since they
> were all installed the same way that only means it is by default for
> me, not for the actual software. >>
>
> that is what I thought. The main reason I replied was just to not leave this thread hanging with a
> statement what can be read as the product being "not as secure" by default. :-)
>
> --
> Tibor Karaszi, SQL Server MVP
> http://www.karaszi.com/sqlserver/default.asp
> http://sqlblog.com/blogs/tibor_karaszi
>
>
> "Tonagon" <tony.roberts@marriott.com> wrote in message
> news:aedb14e4-8b3a-4d62-89f1-95fae5eaf3ee@p73g2000hsd.googlegroups.com...
> On Mar 14, 2:37 pm, "Tibor Karaszi"
> <tibor_please.no.email_kara...@hotmail.nomail.co m> wrote:
> > <<OH! Something to look out for though. If you deny login access to the
> > Windows Admin group then the SQL Agent service will stop running and
> > say it cannot connect. By default it will be connecting using a local
> > Windows Admin account. >>
> >
> > Agent do not run under an Admin account by default. It will run using the account you specify in
> > setup, and can also change later on using SAQL Server Configuration Manager. The handling of
> > service
> > account is done the same way and tools for SQL Server service as SQL Server Agent service.
> >
> > --
> > Tibor Karaszi, SQL Server
> > MVPhttp://www.karaszi.com/sqlserver/default.asphttp://sqlblog.com/blogs/tibor_karaszi
> >
> > "Tonagon" <tony.robe...@marriott.com> wrote in message
> >
> > news:8329df77-325f-4595-b1e1-85e8830dd0c3@y77g2000hsy.googlegroups.com...
> > On Mar 13, 9:13 am, Tonagon <tony.robe...@marriott.com> wrote:
> >
> >
> >
> >
> >
> > > On Mar 12, 7:29 am, "Spin" <S...@spin.com> wrote:
> >
> > > > "Zarko Jovanovic" <mind_lessIsHsAsTsEsSsPsA...@inet.hr> wrote in message
> >
> > > >news:fr8dkh$olp$4@sunce.iskon.hr...
> >
> > > > > simple: YES !
> >
> > > > How can I stop this behavior?
> >
> > > It just so happens that I had to figure out how to disable this myself
> > > just last week. I worked on SQL 2000, but hopefully this will work on
> > > 2005 as well.
> > > I put this into a .sql file and called it using osql, in this way I
> > > was able to scipt this change and execute it on our hundreds of
> > > different servers very quickly.
> > > However, you could just drop this into query analyzer (built into EM
> > > in 2005 I recall) and run it:
> >
> > > exec sp_denylogin [BUILTIN\administrators]
> >
> > > That is it, that will deby local admin access to MSSQL. I also
> > > scripted the changing of the sa password if you need that it is:
> > > exec sp_Password 'OriginalPasswordHere', 'New_passwordHere1', 'sa'
> >
> > > Hope that s!
> >
> > OH! Something to look out for though. If you deny login access to the
> > Windows Admin group then the SQL Agent service will stop running and
> > say it cannot connect. By default it will be connecting using a local
> > Windows Admin account. That will have to be changed (you can right
> > click it in EM and go to properties and change it).
> > I found a script for that as well, but it is rather long and I don't
> > even understand the whole thing. It works though! If you need that as
> > well I can put it in here.- Hide quoted text -
> >
> > - Show quoted text -
>
> Thanks for the clarification Tibor! I thought it was by default
> simply because I see it that way on all our systems, but since they
> were all installed the same way that only means it is by default for
> me, not for the actual software. I guess he wasn't concerned about
> that though since there was no response.
> Then againk, I am more then a little slow to check things myself.
>

27/03/2008, 14h48

err groups. I meant groups instead of accounts.

"Cory" wrote:

> I haven't seen anyone mention those pesky default local accounts that set
> themselves up as sysadmin.
>
> %servername%\SQLServer2005SQLAgentUser$%servername %$MSSQLSERVER
> %servername%\SQLServer2005MSSQLUser$%servername%$M SSQLSERVER
>
> It seems that the default setup puts the service account into the later. All
> anyone with enough power would have to do is drop an account into one of
> these and presto! What are all of the implications of taking these roles out
> of the picture (or at least out of admin)? Where is the best documentation
> for fixing this?
>
>
> "Tibor Karaszi" wrote:
>
> > << Thanks for the clarification Tibor! I thought it was by default
> > simply because I see it that way on all our systems, but since they
> > were all installed the same way that only means it is by default for
> > me, not for the actual software. >>
> >
> > that is what I thought. The main reason I replied was just to not leave this thread hanging with a
> > statement what can be read as the product being "not as secure" by default. :-)
> >
> > --
> > Tibor Karaszi, SQL Server MVP
> > http://www.karaszi.com/sqlserver/default.asp
> > http://sqlblog.com/blogs/tibor_karaszi
> >
> >
> > "Tonagon" <tony.roberts@marriott.com> wrote in message
> > news:aedb14e4-8b3a-4d62-89f1-95fae5eaf3ee@p73g2000hsd.googlegroups.com...
> > On Mar 14, 2:37 pm, "Tibor Karaszi"
> > <tibor_please.no.email_kara...@hotmail.nomail.co m> wrote:
> > > <<OH! Something to look out for though. If you deny login access to the
> > > Windows Admin group then the SQL Agent service will stop running and
> > > say it cannot connect. By default it will be connecting using a local
> > > Windows Admin account. >>
> > >
> > > Agent do not run under an Admin account by default. It will run using the account you specify in
> > > setup, and can also change later on using SAQL Server Configuration Manager. The handling of
> > > service
> > > account is done the same way and tools for SQL Server service as SQL Server Agent service.
> > >
> > > --
> > > Tibor Karaszi, SQL Server
> > > MVPhttp://www.karaszi.com/sqlserver/default.asphttp://sqlblog.com/blogs/tibor_karaszi
> > >
> > > "Tonagon" <tony.robe...@marriott.com> wrote in message
> > >
> > > news:8329df77-325f-4595-b1e1-85e8830dd0c3@y77g2000hsy.googlegroups.com...
> > > On Mar 13, 9:13 am, Tonagon <tony.robe...@marriott.com> wrote:
> > >
> > >
> > >
> > >
> > >
> > > > On Mar 12, 7:29 am, "Spin" <S...@spin.com> wrote:
> > >
> > > > > "Zarko Jovanovic" <mind_lessIsHsAsTsEsSsPsA...@inet.hr> wrote in message
> > >
> > > > >news:fr8dkh$olp$4@sunce.iskon.hr...
> > >
> > > > > > simple: YES !
> > >
> > > > > How can I stop this behavior?
> > >
> > > > It just so happens that I had to figure out how to disable this myself
> > > > just last week. I worked on SQL 2000, but hopefully this will work on
> > > > 2005 as well.
> > > > I put this into a .sql file and called it using osql, in this way I
> > > > was able to scipt this change and execute it on our hundreds of
> > > > different servers very quickly.
> > > > However, you could just drop this into query analyzer (built into EM
> > > > in 2005 I recall) and run it:
> > >
> > > > exec sp_denylogin [BUILTIN\administrators]
> > >
> > > > That is it, that will deby local admin access to MSSQL. I also
> > > > scripted the changing of the sa password if you need that it is:
> > > > exec sp_Password 'OriginalPasswordHere', 'New_passwordHere1', 'sa'
> > >
> > > > Hope that s!
> > >
> > > OH! Something to look out for though. If you deny login access to the
> > > Windows Admin group then the SQL Agent service will stop running and
> > > say it cannot connect. By default it will be connecting using a local
> > > Windows Admin account. That will have to be changed (you can right
> > > click it in EM and go to properties and change it).
> > > I found a script for that as well, but it is rather long and I don't
> > > even understand the whole thing. It works though! If you need that as
> > > well I can put it in here.- Hide quoted text -
> > >
> > > - Show quoted text -
> >
> > Thanks for the clarification Tibor! I thought it was by default
> > simply because I see it that way on all our systems, but since they
> > were all installed the same way that only means it is by default for
> > me, not for the actual software. I guess he wasn't concerned about
> > that though since there was no response.
> > Then againk, I am more then a little slow to check things myself.
> >

27/03/2008, 14h13	#1
Cory Messages: n/a Hébergeur:	Re: Do local administrators on a system with SQL Server 2005 insta I haven't seen anyone mention those pesky default local accounts that set themselves up as sysadmin. %servername%\SQLServer2005SQLAgentUser$%servername %$MSSQLSERVER %servername%\SQLServer2005MSSQLUser$%servername%$M SSQLSERVER It seems that the default setup puts the service account into the later. All anyone with enough power would have to do is drop an account into one of these and presto! What are all of the implications of taking these roles out of the picture (or at least out of admin)? Where is the best documentation for fixing this? "Tibor Karaszi" wrote: > << Thanks for the clarification Tibor! I thought it was by default > simply because I see it that way on all our systems, but since they > were all installed the same way that only means it is by default for > me, not for the actual software. >> > > that is what I thought. The main reason I replied was just to not leave this thread hanging with a > statement what can be read as the product being "not as secure" by default. :-) > > -- > Tibor Karaszi, SQL Server MVP > http://www.karaszi.com/sqlserver/default.asp > http://sqlblog.com/blogs/tibor_karaszi > > > "Tonagon" <tony.roberts@marriott.com> wrote in message > news:aedb14e4-8b3a-4d62-89f1-95fae5eaf3ee@p73g2000hsd.googlegroups.com... > On Mar 14, 2:37 pm, "Tibor Karaszi" > <tibor_please.no.email_kara...@hotmail.nomail.co m> wrote: > > <<OH! Something to look out for though. If you deny login access to the > > Windows Admin group then the SQL Agent service will stop running and > > say it cannot connect. By default it will be connecting using a local > > Windows Admin account. >> > > > > Agent do not run under an Admin account by default. It will run using the account you specify in > > setup, and can also change later on using SAQL Server Configuration Manager. The handling of > > service > > account is done the same way and tools for SQL Server service as SQL Server Agent service. > > > > -- > > Tibor Karaszi, SQL Server > > MVPhttp://www.karaszi.com/sqlserver/default.asphttp://sqlblog.com/blogs/tibor_karaszi > > > > "Tonagon" <tony.robe...@marriott.com> wrote in message > > > > news:8329df77-325f-4595-b1e1-85e8830dd0c3@y77g2000hsy.googlegroups.com... > > On Mar 13, 9:13 am, Tonagon <tony.robe...@marriott.com> wrote: > > > > > > > > > > > > > On Mar 12, 7:29 am, "Spin" <S...@spin.com> wrote: > > > > > > "Zarko Jovanovic" <mind_lessIsHsAsTsEsSsPsA...@inet.hr> wrote in message > > > > > >news:fr8dkh$olp$4@sunce.iskon.hr... > > > > > > > simple: YES ! > > > > > > How can I stop this behavior? > > > > > It just so happens that I had to figure out how to disable this myself > > > just last week. I worked on SQL 2000, but hopefully this will work on > > > 2005 as well. > > > I put this into a .sql file and called it using osql, in this way I > > > was able to scipt this change and execute it on our hundreds of > > > different servers very quickly. > > > However, you could just drop this into query analyzer (built into EM > > > in 2005 I recall) and run it: > > > > > exec sp_denylogin [BUILTIN\administrators] > > > > > That is it, that will deby local admin access to MSSQL. I also > > > scripted the changing of the sa password if you need that it is: > > > exec sp_Password 'OriginalPasswordHere', 'New_passwordHere1', 'sa' > > > > > Hope that s! > > > > OH! Something to look out for though. If you deny login access to the > > Windows Admin group then the SQL Agent service will stop running and > > say it cannot connect. By default it will be connecting using a local > > Windows Admin account. That will have to be changed (you can right > > click it in EM and go to properties and change it). > > I found a script for that as well, but it is rather long and I don't > > even understand the whole thing. It works though! If you need that as > > well I can put it in here.- Hide quoted text - > > > > - Show quoted text - > > Thanks for the clarification Tibor! I thought it was by default > simply because I see it that way on all our systems, but since they > were all installed the same way that only means it is by default for > me, not for the actual software. I guess he wasn't concerned about > that though since there was no response. > Then againk, I am more then a little slow to check things myself. >

27/03/2008, 14h48	#2
Cory Messages: n/a Hébergeur:	Re: Do local administrators on a system with SQL Server 2005 insta err groups. I meant groups instead of accounts. "Cory" wrote: > I haven't seen anyone mention those pesky default local accounts that set > themselves up as sysadmin. > > %servername%\SQLServer2005SQLAgentUser$%servername %$MSSQLSERVER > %servername%\SQLServer2005MSSQLUser$%servername%$M SSQLSERVER > > It seems that the default setup puts the service account into the later. All > anyone with enough power would have to do is drop an account into one of > these and presto! What are all of the implications of taking these roles out > of the picture (or at least out of admin)? Where is the best documentation > for fixing this? > > > "Tibor Karaszi" wrote: > > > << Thanks for the clarification Tibor! I thought it was by default > > simply because I see it that way on all our systems, but since they > > were all installed the same way that only means it is by default for > > me, not for the actual software. >> > > > > that is what I thought. The main reason I replied was just to not leave this thread hanging with a > > statement what can be read as the product being "not as secure" by default. :-) > > > > -- > > Tibor Karaszi, SQL Server MVP > > http://www.karaszi.com/sqlserver/default.asp > > http://sqlblog.com/blogs/tibor_karaszi > > > > > > "Tonagon" <tony.roberts@marriott.com> wrote in message > > news:aedb14e4-8b3a-4d62-89f1-95fae5eaf3ee@p73g2000hsd.googlegroups.com... > > On Mar 14, 2:37 pm, "Tibor Karaszi" > > <tibor_please.no.email_kara...@hotmail.nomail.co m> wrote: > > > <<OH! Something to look out for though. If you deny login access to the > > > Windows Admin group then the SQL Agent service will stop running and > > > say it cannot connect. By default it will be connecting using a local > > > Windows Admin account. >> > > > > > > Agent do not run under an Admin account by default. It will run using the account you specify in > > > setup, and can also change later on using SAQL Server Configuration Manager. The handling of > > > service > > > account is done the same way and tools for SQL Server service as SQL Server Agent service. > > > > > > -- > > > Tibor Karaszi, SQL Server > > > MVPhttp://www.karaszi.com/sqlserver/default.asphttp://sqlblog.com/blogs/tibor_karaszi > > > > > > "Tonagon" <tony.robe...@marriott.com> wrote in message > > > > > > news:8329df77-325f-4595-b1e1-85e8830dd0c3@y77g2000hsy.googlegroups.com... > > > On Mar 13, 9:13 am, Tonagon <tony.robe...@marriott.com> wrote: > > > > > > > > > > > > > > > > > > > On Mar 12, 7:29 am, "Spin" <S...@spin.com> wrote: > > > > > > > > "Zarko Jovanovic" <mind_lessIsHsAsTsEsSsPsA...@inet.hr> wrote in message > > > > > > > >news:fr8dkh$olp$4@sunce.iskon.hr... > > > > > > > > > simple: YES ! > > > > > > > > How can I stop this behavior? > > > > > > > It just so happens that I had to figure out how to disable this myself > > > > just last week. I worked on SQL 2000, but hopefully this will work on > > > > 2005 as well. > > > > I put this into a .sql file and called it using osql, in this way I > > > > was able to scipt this change and execute it on our hundreds of > > > > different servers very quickly. > > > > However, you could just drop this into query analyzer (built into EM > > > > in 2005 I recall) and run it: > > > > > > > exec sp_denylogin [BUILTIN\administrators] > > > > > > > That is it, that will deby local admin access to MSSQL. I also > > > > scripted the changing of the sa password if you need that it is: > > > > exec sp_Password 'OriginalPasswordHere', 'New_passwordHere1', 'sa' > > > > > > > Hope that s! > > > > > > OH! Something to look out for though. If you deny login access to the > > > Windows Admin group then the SQL Agent service will stop running and > > > say it cannot connect. By default it will be connecting using a local > > > Windows Admin account. That will have to be changed (you can right > > > click it in EM and go to properties and change it). > > > I found a script for that as well, but it is rather long and I don't > > > even understand the whole thing. It works though! If you need that as > > > well I can put it in here.- Hide quoted text - > > > > > > - Show quoted text - > > > > Thanks for the clarification Tibor! I thought it was by default > > simply because I see it that way on all our systems, but since they > > were all installed the same way that only means it is by default for > > me, not for the actual software. I guess he wasn't concerned about > > that though since there was no response. > > Then againk, I am more then a little slow to check things myself. > >

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email