Author |
Topic |
AskSQLTeam
Ask SQLTeam Question
0 Posts |
|
harborcaptain
Starting Member
2 Posts |
Posted - 2002-05-29 : 13:03:12
|
USDA Guaranteed Grade A Prime Aged 21 Day Yak, to be specific. |
|
|
Page47
Master Smack Fu Yak Hacker
2878 Posts |
Posted - 2002-05-29 : 14:30:42
|
What should the results of this poll reveal to me? I'm missing the point.<O> |
|
|
chrissy
Starting Member
17 Posts |
Posted - 2002-05-29 : 16:31:01
|
the most important choice is missing.. domain account in local admin group ;) |
|
|
graz
Chief SQLTeam Crack Dealer
4149 Posts |
Posted - 2002-05-29 : 19:43:37
|
quote: What should the results of this poll reveal to me? I'm missing the point.
I have no idea. I was just curious to know the answer. I've mostly run SQL Server under an admin account. I was curious if it's popular to run it under a non-admin account.
quote: domain account in local admin group
I didn't think of that. Is that a popular choice among the group?
===============================================
Creating tomorrow's legacy systems today.
One crisis at a time. |
|
|
M.E.
Aged Yak Warrior
539 Posts |
Posted - 2002-05-30 : 10:41:41
|
I get the strange feeling 'aged yak' will probably have one of the highest voted for percentages ;) |
|
|
RobWafle
Starting Member
38 Posts |
Posted - 2002-05-30 : 12:27:13
|
Wow, the results of this poll could easily be abused.. If I knew where 30 sql servers running with admin privileges were... What could I do? |
|
|
chrissy
Starting Member
17 Posts |
Posted - 2002-05-30 : 14:29:09
|
quote: Wow, the results of this poll could easily be abused.. If I knew where 30 sql servers running with admin privileges were... What could I do?
Most sql servers do run with admin privs. If you don't have them, you could run into problems. There's probably more, but I see one of the few things would be exploiting xp_cmdshell. Thing is, you have to login as sa or an administrator to use it w/o using the proxy account. This is one of the biggest (of thousands) of reasons not to leave the sa password blank.
quote: (Adding domain account to local admin group) I didn't think of that. Is that a popular choice among the group?
Doing this is recommended by Microsoft when you have multiple SQL Servers and/or a domain. Here is a direct quote from their SQL Admin Training Kit:
"However, in most client/SQL Server 2000 production environments, you will create and use a dedicated domain user account for the SQL Server and SQL Server Agent services. Selecting a dedicated domain user account allows these SQL Server 2000 services to communicate with other SQL Server installations, access Microsoft Exchange Server, and access network resources (such as file shares) on other computers in your domain environment. In addition, you should generally use the same domain user account for all SQL Server installations that will need to communicate with each other. This will simplify the administration of all SQL Server 2000 computers in your domain."
MCSE Training Kit: Microsoft SQL Server 2000 System Administration / Carl Rabeler. Copyright 2001.
It goes on to say that you don't need admin privs, but you need special privs. If you don't select admin, you will have to grant the privs manually. In many other sources, I've read to add the account to the local admin group. Also, if you want to change the user after you've installed SQL Server, you should use Enterprise Manager to accomplish this task. If you use a non-administrator account, you will be prompted for an admin username and pass. This is because Enterprise Manager changes NTFS permissions and protected registry information during the startup account change.
Microsoft SQL Admin Companion mentions a domain admin account and Inside SQL Server recommends it. The book even goes as far as saying "The [domain] account must be in the local Administrators group if you're installing SQL Server on Windows NT or Windows 2000."
The SQL Server Resource Kit also states "To provide maximum functionality to SQL Server 2000, it is recommended that the domain user account be a member of the Administrators local group."
The book also has a table called "Configuring local user accounts" that's pretty cool.
Sorry for the wordy post. It was fun researching :) |
|
|
burtonk
Starting Member
2 Posts |
Posted - 2002-06-10 : 11:46:41
|
Maybe I'm missing the point but it seems within the foggy recesses of my mind that sql needs to run as either local system (which has full 'admin' privs to the box) or as an admin because the sql server service needs an admin to startup the service. |
|
|
chadmat
The Chadinator
1974 Posts |
Posted - 2002-06-26 : 00:41:28
|
Not required Burton. But the account does need that privilege, doesn't have to be admin to get it though.
-Chad |
|
|
srf
Starting Member
42 Posts |
Posted - 2003-03-02 : 13:29:35
|
We've run MSSQLServer and SQLServerAgent as a domain user and without local admin privs, MSSQLServer didn't have any problems and so far it looks like the only thing SQLServerAgent complains about is access to the log directory. Having one domain account with admin privs on dozens of servers is begging for problems; if one server is compromised they all are. |
|
|
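A read-only audit of the settings discussed in this thread (service startup account, xp_cmdshell, blank sa password, sysadmin membership), added here as an example and not part of any poster's message. It assumes SQL Server 2008 R2 SP1 or later, where sys.dm_server_services exists, and a login that can read server state and login hashes (sysadmin in practice); the SQL Server 2000 installations discussed above predate these views.

```sql
-- Added example: read-only checks, nothing here changes configuration.

-- 1. Startup account of the engine and Agent services.
--    LocalSystem is administrator-equivalent on the host; for any other
--    account, local Administrators membership must be checked in Windows.
SELECT servicename,
       service_account,
       CASE WHEN service_account IN (N'LocalSystem', N'NT AUTHORITY\SYSTEM')
            THEN 'REVIEW: runs as LocalSystem'
            ELSE 'check Windows group membership of this account'
       END AS finding
FROM sys.dm_server_services;

-- 2. Is xp_cmdshell enabled? Commands issued through it by a sysadmin
--    run with the rights of the service account from check 1.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 1
            THEN 'REVIEW: xp_cmdshell enabled'
            ELSE 'ok: xp_cmdshell disabled'
       END AS finding
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 3. SQL logins (sa included) whose password is blank.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1;

-- 4. Members of sysadmin, i.e. who can call xp_cmdshell without the proxy.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 5. Is an xp_cmdshell proxy credential configured for non-sysadmin callers?
SELECT name, credential_identity
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';
```

Running the same script on every instance that shares one domain service account shows how far a single compromised server would reach.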
|