 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
SQL Server Forum / General / Security / October 2005Securing SQL Server after administration installation
Hello all, I have just installed SQL Server using the administrator account and mixed mode (I did not know any better). Baseline analyser subsequently told me to sort myself out and use a domain user account for both the SQL Server and SQL Server agent services. I followed the instructions (or tried to) by creating a user called SQLservice via computer manager and adding them to the groups domain and users (you'll have to excuse me but I did know not what a domain user account was). I then used enterprise manager to switch the SQL server and agent login to the SQL service user, which seemed to work fine in principle. Now, when I try to change certain options such as "auto start SQL Server agent", I get a registry access error. I have read numerous articles on the Web which tell you to create a domain user account and give it access to registry options/directory paths etc, but I do not know how to do this? Could somebody please help? In hindsight, would creating the SQL service user before installation and using that instead of administrator have helped? (For example, I have read SQL Server would have created the required permissions for this user). If so, can I uninstall and reinstall? Or is there any easier solution. Basically, I would avoid going back to using administrator as the login but need to be 110% sure that SQL Server will run correctly before I spend the time installing all the required databases, as there will be no going back on that point in terms of effort spent. Somebody's help would be very much appreciate, Best regards, Matthew Hi Matthew, After you changed the service account, did you restart the SQL Server and SQL Agent services? You changed them in the correct place by doing it in Enterprise Manager. Also, look up services accounts in SQL Server books online - two topics will pop up. Setting up Windows Services Accounts and Services Accounts. Both of these articles have more information on the service accounts and how to change them after it's already been setup. But the other topic to read before restarting and resetting the accounts is: Changing Passwords and User Accounts That explains more of what will go on with the required rights and permissions. When you change the accounts through Enterprise Manager, the permissions and right will be handled for you. Having the account create before you install is probably a bit easier - you just enter it in when you are installing. But it's not usual to have to make changes so doing the changes through Enterprise Manager is the way you would want to do this. Also, for the domain account you want to make sure it's set so that the password never expires, user cannot change password and make sure the option for User must change password at next login is not enabled/checked. -Sue >Hello all, > [quoted text clipped - 35 lines] > >Matthew Hello sue, Thank you for your advice, I have read the articles you have pointed to which definitely help clarify some issues. On the face of it, my changes in enterprise manager have propagated to the services correctly, I have even manually restarted them as you suggested. Nevertheless, I'm still struggling to make changes/getting registry restriction errors as discussed previously. One thing that was confusing me is whether you need to add your SQL service user to the administrators group to get things running smoothly? (The account is correctly showing in the system administrators on the enterprise manager itself) Does this not defeat the object? Or is it the fact you have changed the name from administrator that is the main security mechanism? If not, I'm pretty sure I'm stuck. Do you temporarily assigned to make changes? I'm worried this is a half baked solution. Thanks for your help, Matthew You don't always have to have the account in the local admins group and more people are moving away from adding the service accounts to the local administrators group as security gets tighter at most companies but probably most places still follow the standard of having it in the local admins group. In terms of the actual permissions the service account needs, you can find them all outlined in the following article: HOW TO: Change the SQL Server or SQL Server Agent Service Account Without Using SQL Enterprise Manager in SQL Server 2000 http://support.microsoft.com/?id=283811 You can use the Local Security Policy snap in to view the rights. From the run command from the start button, type in secpol.msc For registry permissions, use Regedt32.exe if SQL Server is on Windows 2000. Use Regedit.exe if on Windows 2003. You can use Regedt32 on Windows 2003 but it just runs regedit. -Sue >Hello sue, > [quoted text clipped - 20 lines] > >Matthew |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.