SQLServer And SQLServerAgent Account Privileges

Jun 13, 2007

I recently installed SQL Server 2005 and set up a database for one of the systems that I support as a DBA. After installation and the system, which has remote developers, was tested successfully, our security group performed a security scan on the SQL server. The scan revealed a few potential vulnerabilities. Below are the questionable items that the scan identified within the Windows User Rights Assignment. I believe the SQL Server installation assigns these system privileges to the SQLServer and SQLServerAgent accounts by default. I'd like to know how many, if any, of these privileges are necessary.



1) SQLServer and SQLServerAgent accounts have "Bypass Traverse Setting" privilege within Windows User Rights Assignment

2) SQLServer and SQLServerAgent accounts have "Log on as Batch Job" privilege within Windows User Rights Assignment. I realize I need this to schedule SQL Server jobs which run batch jobs and such, but any other reason to keep this privilege.

3) SQLServer and SQLServerAgent accounts have "Memory Quota" privilege within Windows User Rights Assignment

4) SQLServer and SQLServerAgent accounts have "Replace Process Token" privilege within Windows User Rights Assignment



Any guidance on this would be greatly appreciated.



Thanks in advance,



Jason Malasovich

SQL Server DBA


SQLServer And SQL ServerAgent Account Privileges

Jun 15, 2007

After installing SQL Server 2005, a security scan was performed on the SQL server. Below are a few items that the scan identified within the Windows User Rights Assignment as potential vulnerabilities; it is worthy to note in Microsoft's defense that we lock things down pretty tightly in our IT shop. I suspect the SQL Server install assigns these OS privileges to the SQLServer and SQLServerAgent accounts by default. I have not heard of the 1st, 3rd and 4th below and suspect that they are not essential to the normal operation of SQL Server, but would like to know if anyone out there knows for sure. We are considering eliminating some or all of these privileges for the SQLServer and SQLServerAgent system accounts at the OS level.



1) SQLServer and SQLServerAgent accounts have "Bypass Traverse Setting" privilege within Windows User Rights Assignment

2) SQLServer and SQLServerAgent accounts have "Log on as Batch Job" privilege within Windows User Rights Assignment. I realize I need this to schedule SQL Server jobs which run batch jobs and such, but any other reason to keep this privilege.

3) SQLServer and SQLServerAgent accounts have "Memory Quota" privilege within Windows User Rights Assignment

4) SQLServer and SQLServerAgent accounts have "Replace Process Token" privilege within Windows User Rights Assignment



Any guidance on this would be greatly appreciated.



Regards,



Jason


SQLServerAgent Security Context Does Not Have Server Autorestart Privileges

Oct 21, 1999

SQL Server is on a ‘member’ server in my company domain (We took the ‘stand-alone’ option when installing NT on this server).

I have set up an NT domain account for SQL ServerAgent ‘Service startup account’ which is a different account than the NT domain account listed in the SQL Server Properties, Security tab, ‘Startup service account’.

I log on to this server with the login in the latter.

Replication is working OK, but my application log keeps filling up with the message “SQLServerAgent security context does not have server autorestart privileges”.

What have I done wrong?

Thanks,
Judith


Domain Account Vs Local Account For SQLServerAgent

Jul 20, 2005

Hi there,

BOL notes that in order for replication agents to run properly, the SQLServerAgent must run as a domain account which has privileges to log into the other machines involved in replication (under "Security Considerations" and elsewhere). This makes sense; however, I was wondering if there were any repercussions to using duplicate local accounts to establish replication where a domain was not available. In other words, create a local windows account "johndoe" on both machines (with the same password), grant that account access to SQL Server on both machines, and then have SQL Server Agent run as "johndoe" on both machines. I do not feel this is an ideal solution but I have circumstances under which I may not have a domain available; my preliminary tests seem to work.

Also, are there any similar considerations regarding the MSSQLSERVER service, or can I always leave that as local system?

Dave


Need Help! About SQLServerAgent Account In Repl...

Aug 9, 2000

When I use the Create Publication Wizard for database 'MY DATABASE', and set up 'MY SERVER' as the Distributor, I get a message:

SQLServer Agent on 'MY SERVER' current uses a system account, which cause replication between servers to fail. In the following dialog, specify a domain account for the Service startup account.

I don't understand this message (currently in SQL Server Agent properties, tab Service startup account is using System account)? Can anyone explain it to me?


SQL Server Agent - Account Privileges.

Aug 28, 2007

Hi all,

Please let me know what specific privileges a user account needs to be used as the LOG ON AS account for SQL Server Agent in SQL Server 2005.

Does the account need to be in the domain administrator group?

Thanks,

Hariarul


Setup And Upgrade :: Error Setup Account Privileges

Nov 15, 2015

I'm trying to install SQL Server Management Studio 2012 on my Windows 7 (x64) standalone laptop. When I click "New SQL stand-alone installation..." it runs a Setup Support Rules check and always fails "Setup Account Privileges". I've looked into the error and I keep getting that I need to change security rules but I don't have that option in Windows 7. How do I get around this without having to resort to a computer running Windows Server?

I have Visual Studio 2013 premium installed along with Localdb v11.  I just want to connect and manage my database engine through SSMS when developing any application.


Can't Get In To SQLServer 2005 Express With A Privileged Account

Aug 10, 2006



Bummer. I can't remember the SA password. I had set up a user account, but I can't change anything or add any new accounts using this login. I can't get in using the windows authentication method no matter how I am logged into this machine.

Any suggestions? I have never been able to use Windows Authentication. There must be something I'm missing here. I have spent hours and hours trying to get into this machine. I just want to replicate a database. This is very frustrating.



Thanks guys.


How To Use Sqlcmd Command To Login To Sqlserver With Sa Account Which Have Empty Password

Oct 11, 2007

The password of the sa account is empty.

I use the "sqlcmd -S servername -U sa " command but it failed.

Any suggestions?

Thanks


Account Permission For Installing/running Sqlserver And Service That Accesses It

Nov 15, 2007

Hello,

I am totally confused by what account I should be running my sql server database and my business layer service as.

I take it that when installing sqlserver and my service that I should be logged in as administrator.

Should I be using "Local Service", "Local System" or "Network Service" to run these processes as?

Summary of my business layer service
* Clients connect to this service on a tcp/ip port
* It accesses the file system
* it connects to the database

Thanks,
JP


Whether To Use Local System Account Or Domain Account For Service Account

Jan 5, 2006

During install of SQL Server 2005, we can of course use a domain account or the built-in system account for running the services. I lean toward domain for obvious reasons but would like to know a +/- to each option and why I'd choose one over the other and what consequences or limitations one may encounter if I choose one over the other.


SA Account (DBA System Account) Granting Privileges But SQL Server 2000 Not Applying Them

Dec 4, 2006

I have been running a script in SQL Server 2000 as sa and also as an Active Directory user who has administrator rights (I tested both approaches, SQL Server then Windows Authentication) in Query Analyser which grants execute rights to the stored procedures within the database instance, and Query Analyser does not give any errors when I run the script. I have made sure that each transaction has a go after it. I then return to Enterprise Manager, check the rights (I apply them to roles so that when we create another SQL Server user we just grant him/her rights to the role) and discover that the role has not been granted the rights. It seems to be occurring only with 2 of the procedures. Is there a known bug that might be causing this?

yours sincerely

Craig Hoy


DTS Fails As A Job With Service Startup Account As "System Account"

May 9, 2002

I have several DTS jobs that run well as a job with my nt login account for the SQL agent service startup account, but if I use the System account they fail with this error.
" Error opening datafile: Access is denied. Error source: Microsoft Data Transformation Services Flat File Rowset Provider"

The data has change access to the System account under the NT security.

Thank you in advance.

Jorge


Xp_cmdshell Does Not Execute For Non-sysadmin Account Even With Proxy Account

Mar 2, 2004

Hi all, I hope you can help me.

Basically a dts package has been set up that pulls in data from another company's server; this data is required to be on-demand, i.e. individual users can pull in updates of the data when they require it.

I am using xp_cmdshell and dtsrun to pull in the data. This obviously works fine for me as I am a member of sysadmin.

Books online quotes " SQL Server Agent proxy accounts allow SQL Server users who do not belong to the sysadmin fixed server role to execute xp_cmdshell"

So I went to the SQL Server Agent Properties 'Job System' tab and unchecked 'Non-sysadmin job step proxy account' and entered a proxy account.

The proxy account has been set up as a Windows user with local administrator privileges and even a member of the sysadmin server role - just in case.

Now when I log onto the db with my test account - a non-sysadmin - and attempt to run the stored proc to import the data I received the message 'EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo' '

hmm... so basically I have either misunderstood BoL or there is something not quite right in my setup.

I have searched the net for a few days now and yet I can find no solution.

Can anyone help?


Domain Account Without A SQL Login Account

Apr 25, 2007

I have a situation that I have discovered in our QA database that I need to resolve. When I looked at the Activity Monitor for our server, I discovered that a process is running under a domain user account for one of our .Net applications. The problem is that that domain user account has not been created as a SQL login account on the server. I am trying to figure out how someone can log in to the database server with a domain user account that has not been added to SQL Server as a login account.



Does anyone have any insight on this? I don't like the idea of someone being able to create a domain account that can access the database without me granting them specific access.



- Larry


SQLServerAgent

Mar 30, 2000

What would cause this message to display or what does this mean??
"Could not start the SQLServerAgent Service, error 2186, the service is
not responding to the control function"


SQLServerAgent

Jan 10, 2005

Does anyone have an idea how to detect whether SQLServerAgent is started/running or not using vb code, and if not, how to start it programmatically?

Thanking you all in advance

JP


SQLSERVERAGENT

Sep 1, 2006

Dear all,

I can't start the SQLSERVERAGENT for my sql 2k under win 2003 sp1.

SQLServerAgent could not be started (reason: SQLServerAgent cannot start because the instance of the server (MSSQLSERV) is not the expected instance (MSSQLSERVER)).


I can't find any useful information regarding this error. Any one can help?

Thanks,

bchu


Sa Privileges.

Nov 28, 2004

Hi,
in mixed mode,
is there a way to prevent access from user SA to a specific database?

thanks


DBO Privileges

May 29, 2004

I have just noticed something very discomforting.

I was told that a user with DBO privileges is able to alter their own database. A conversation of course began to where I was in disagreement with him. The ultimate test of course would be to set up the scenario. To my surprise he was right!

I checked the BOL documentation and my concerns were verified.

I have checked permissions on the user I created as well as on a user that previously exists on the MSSQL Server. Only DBO permissions were given to the tested users.

I thought maybe this had something to do with the autogrow setting which is a setting we would enable on a dedicated MSSQL Server but not on a shared MSSQL Server. I toggled this option and the DBO was still able to make size changes to their database.

This is very upsetting as we charge for additional reserved database space. Aside from that, we wouldn't want to have a user with unlimited resources to the server. I could easily fill up a hard drive if I were to update the autogrow setting of the database as DBO and run an infinite loop that would insert data into tables.

I then tested the ability for a user to restore a backup and to my surprise it worked without error for the DBO only privileged user. The DBO user was also able to restore previously dated databases assuming that they knew the file name which would not be hard to guess since it is appended with a date stamp (My_Database_20042905.BAK).

Why is this? Is there a way to correct this and prevent the DBO user to only have access to their database but not the above mentioned type privileges?


SQLServerAgent Not Starting

Mar 15, 2001

When my system re-boots SQLServerAgent will no longer start. The following message is sent to the NT Event Log:

(Event ID 103) "SQLServerAgent could not be started (reason: Unable to connect to server; SQLServerAgent cannot start)."

Following this message are two messages from MSSQLServer that read:

(Event ID 19020) "RPC Net-Library listening on: ncalrpc:USBGRSYSTST1[WMSG0000009A.00000001]."

So is this a timing issue? Is MSSQLServer taking too long to completely start before SQLServerAgent is started? If so, is there a way (without hacking through the registry) to make the SQLServerAgent service dependent on the MSSQLServer service?

This startup issue did not exist until an application was installed on the machine that also has several services that auto-start. I noticed that many of these new services are starting at the same time the MSSQLServer service is starting.

Any assistance would be most appreciated.


Sqlserveragent Won't Start

Jun 19, 2000

We're running sql 7.0 sp1 and both the sqlserver service and sqlserveragent service are running under local system account.
For some reason, the sqlserveragent service start failed with
"error 2140" - windows nt internal error
From event viewer, it says it has some connection problem.

The sqlserver service has no problem.
All knowledge base material related to 6.5 resolution.
Would rebuilding the registry entry help ? I tested and rebuilding the registry did not regrant any registry permission, should it ?

Where should I look into if above doesn't work ?

Thx.


SQLserverAgent Is Not STARTING??!!

Apr 19, 2006

I wanted to start the sql server agent and I got this error:
An Error 1069 - (The service did not start due to logon failure) occurred while performing this service operation on SQLServerAgent service.

What could be the solution for the above error.

Thanks in advance


SqlServerAgent STOPS!!!

Apr 29, 2006

I scheduled jobs to take backups, but i found out that sqlserver agent is stopping by itself, what could be the solution for this problem.

Thanks in advance


Warning By Sqlserveragent

Aug 17, 2004

Hello,

I am getting the following warning message in the event viewer. I have only one schedule in sql. there is no other schedules in task scheduler or database management.

Event Type:Warning
Event Source:SQLSERVERAGENT
Event Category:Job Engine
Event ID:208
Description:
SQL Server Scheduled Job 'Transaction Log Backup Job for DB Maintenance Plan 'DB Maintenance Plan1'' (0xD25A4CDDD1C59E48B4D28F61F0A411B8) - Status: Failed - Invoked on: 2004-08-16 02:30:00 - Message: The job failed. The Job was invoked by Schedule 2 (Schedule 1). The last step to run was step 1 (Step 1).

Kindly give the suggestions at earliest.


SQLserveragent Stopped

Feb 27, 2006

Dear all,

Please, I need your help. Suddenly my SQLserveragent stopped and when I try to start it again it gives me this error:
Event Type:Error
Event Source:SQLSERVERAGENT
Event Category:Service Control
Event ID:103
Date:2/27/2006
Time:11:00:19 AM
User:N/A
Computer:EGDC2
Description:
SQLServerAgent could not be started (reason: Unable to connect to server '(local)'; SQLServerAgent cannot start).

please help
thank you


SQLSERVERAGENT NT Service

May 22, 2007

This may be more of an IT question, but I hope someone here will have the answer.

I am trying to change the "Log on as" for SQLSERVERAGENT NT Service through Windows Registry. I am able to find HKLM\SYSTEM\CurrentControlSet\Services\SQLSERVERAGENT\ObjectName and change it but I don't know how to specify a password to go with it. If I simply change it to .\Administrator (from Local System) it errors out.

Ideally I would like to script this so I can change the logon without having to go through the Services Control Panel or SQL Management Studio.

Thanks.


Mark


SQLServerAgent Won't Start

Jan 10, 2006

Hi all,

I have a maintenance plan on SQL2000, that is backing up the database.

It is under Management/SQL Server Agent. When I try to start the job, I got an error, saying: Error 22022 SQLServerAgent is not currently running so it cannot be notified of this action.

But, when I try to start the SQL Server Agent (in Services), it stops directly with the following information: The SQLAgent$Sharepoint service on Local Computer started and then stopped. Some services stop automatically if they have no work to do, for example, the Performance Logs and Alerts service.

When I try to start it from the SQL Server Service Manager: no reaction at all!

What to do to fire the job ?

regards, Ger.

 


SQLServerAgent Cannot Start

Mar 15, 2007

I have successfully installed SQL 2005 on W2K3 Cluster.
The problem is that SQL Server Agent won't start.
Below are the lines from SQLAGENT.OUT:

2007-03-15 09:40:02 - ! [298] SQLServer Error: 2, Named Pipes Provider: Could not open a connection to SQL Server [2]. [SQLSTATE 08001]
2007-03-15 09:40:02 - ! [165] ODBC Error: 0, Login timeout expired [SQLSTATE HYT00]
2007-03-15 09:40:02 - ! [298] SQLServer Error: 2, An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. [SQLSTATE 08001]
2007-03-15 09:40:02 - ! [000] Unable to connect to server '(local)'; SQLServerAgent cannot start
2007-03-15 09:40:07 - ! [298] SQLServer Error: 2, Named Pipes Provider: Could not open a connection to SQL Server [2]. [SQLSTATE 08001]
2007-03-15 09:40:07 - ! [165] ODBC Error: 0, Login timeout expired [SQLSTATE HYT00]
2007-03-15 09:40:07 - ! [298] SQLServer Error: 2, An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. [SQLSTATE 08001]
2007-03-15 09:40:07 - ! [382] Logon to server '(local)' failed (DisableAgentXPs)
2007-03-15 09:40:08 - ? [098] SQLServerAgent terminated (normally)

I have tried starting Agent with Domain Admin account. No luck. SQL Server is started.

Regards, Iztok


SQLServerAgent Not Starting

Feb 27, 2006

Hi all,

I have a maintenance plan on SQL2000, that is backing up the database.

It is under Management/SQL Server Agent. When I try to start the job, I got an error, saying: Error 22022 SQLServerAgent is not currently running so it cannot be notified of this action.

But, when I try to start the SQL Server Agent (in Services), it stops directly with the following information: The SQLAgent$Sharepoint service on Local Computer started and then stopped. Some services stop automatically if they have no work to do, for example, the Performance Logs and Alerts service.

When I try to start it from the SQL Server Service Manager: no reaction at all!


SQLSERVERAGENT Missing

Jan 13, 2008

I was able to connect to SQL Server 2005 as a localhost by starting SQLSERVERAGENT in the Windows Services page. I was not able to attach the sample databases for the tutorials because of a compatibility issue with SQL Server 2000. I had both SQL Server 2000 and 2005 uninstalled and had SQL Server 2005 reinstalled to resolve this issue. SQLSERVERAGENT is no longer listed as a Windows service after 2005 was reinstalled. Any ideas what happened to SQLSERVERAGENT?

Thanks,
Tom


User Privileges Ms Sql

Feb 21, 2008

Basically to defend against SQL injection I want to be able to stop basic users or admins from being able to drop tables or doing other damaging activities. I'm using ms sql express, how can I do this? A friend mentioned that he uses MySql and user privileges can be set up in this way.


Table Privileges

Jun 26, 2001

Is there a way to alias a table such that a particular user with privileges on that table (created by another user - not 'dbo') does not have to qualify it with the owner name? I am seeking a database level solution. Thanks.
