SQL Server Service Account Privileges


By:   |   Updated: 2007-02-20   |   Comments (1)   |   Related: 1 | 2 | 3 | 4 | More > Security

Problem
SQL Server 2005 Books Online indicates that the SQL Server service account requires permission to start the following related services (among many other requirements): SQL Server Active Directory Helper and SQL Server VSS Writer services. How can I verify service-related permissions for the SQL Server service account?

Solution
Obviously, the service really would not NEED permissions to start these services if you were not going to make use of them.  Let's assume for the moment that we are going to do so, and that you want to determine first of all if the SQL Server service account has these permissions and/or what permissions the account has to services on the machine in question.

A tool called "AccessChk" will allow you to see this type of information, along with lots of other access-related information for given accounts. You can find information on the tool at the following link - http://www.microsoft.com/technet/sysinternals/utilities/AccessChk.mspx.

As an example, the following command line will give you effective permissions to all services on the local machine for an account named "LTCBOYDMS\sqlService":

accesschk "LTCBOYDMS\sqlService" -vc *

To determine service-related permissions, the -c option must be used. Without it, you get by default ACL information for files/folders/shares and other information, which is also handy in many situations. If you specify the wildcard character (i.e. *), you will get permission related information for the given account against ALL services on the machine.  If you are looking for only a specific service information, you can replace the wildcard with the appropriate service name.  For example, to get effective permissions to only the SQLWriter.exe service (the executable called for the SQL Server VSS Writer service), you could use the following command:

accesschk "LTCBOYDMS\sqlService" -vc "SQLWriter"

An example command for the Active Directory Helper service, would be something like the following:
 

accesschk "LTCBOYDMS\sqlService" -vc "MSSQLServerADHelper"

The output from the command should look similar to the following:

C:\Projects\Toolbox\accessCheck>accesschk.exe "DUMMYDOMAIN\svcSqlService" -vc *

AccessChk v2.0 - Check account access of files, registry keys or services
Copyright (C) 2006 Mark Russinovich
Sysinternals - www.sysinternals.com
 

RW Alerter
SERVICE_ALL_ACCESS
 

RW ALG
SERVICE_ALL_ACCESS
 

RW MSSQL$SQL2000
SERVICE_ALL_ACCESS
 

RW MSSQL$SQL2005
SERVICE_ALL_ACCESS
 

RW MSSQL$SQL2005B
SERVICE_ALL_ACCESS
 

RW MSSQL$SQLEXPRESS
SERVICE_ALL_ACCESS
 

RW MSSQLServerADHelper
SERVICE_ALL_ACCESS

<<<Results abbreviated>>>

R Pml Driver HPZ12
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_PAUSE_CONTINUE
SERVICE_START
SERVICE_STOP
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL


<<<Results abbreviated>>>
 

RW SQLBrowser
SERVICE_ALL_ACCESS
 

RW SQLWriter
SERVICE_ALL_ACCESS
 

<<<Results abbreviated>>>

C:\Projects\Toolbox\accessCheck>

 

In the output, the "RW" designators at the beginning of each line indicate Read/Write privileges (if present), then the service name, then using the -v option will provide you the additional output shown below each service above. The SERVICE_ALL_ACCESS implies all access, if you don't have that, you should see individual service related privileges like in the line above for the "Pml Driver HPZ12" service.

Next Steps



Last Updated: 2007-02-20


get scripts

next tip button



About the author





Comments For This Article




Thursday, April 19, 2012 - 9:15:48 AM - Jim Back To Top

accesschk link is http://technet.microsoft.com/en-us/sysinternals/bb664922



download


Recommended Reading

Using the Services applet to Administer SQL Server Services Remotely

Running SQL Server Agent with a least privilege service account

Why System Account is a bad idea for SQL Server Service Account

Register a SPN for SQL Server Authentication with Kerberos

Storing passwords in SQL Server things to know to keep the data secure





get free sql tips
agree to terms


Learn more about SQL Server tools