SQL Server Service Account Privileges
By: Chad Boyd | Comments (1) | Related: 1 | 2 | 3 | 4 | > Security
SQL Server 2005 Books Online indicates that the SQL Server service account requires permission to start the following related services (among many other requirements): SQL Server Active Directory Helper and SQL Server VSS Writer services. How can I verify service-related permissions for the SQL Server service account?
Obviously, the service really would not NEED permissions to start these services if you were not going to make use of them. Let's assume for the moment that we are going to do so, and that you want to determine first of all if the SQL Server service account has these permissions and/or what permissions the account has to services on the machine in question.
A tool called "AccessChk" will allow you to see this type of information, along with lots of other access-related information for given accounts. You can find information on the tool at the following link - http://www.microsoft.com/technet/sysinternals/utilities/AccessChk.mspx.
As an example, the following command line will give you effective permissions to all services on the local machine for an account named "LTCBOYDMS\sqlService":
|accesschk "LTCBOYDMS\sqlService" -vc *|
To determine service-related permissions, the -c option must be used. Without it, you get by default ACL information for files/folders/shares and other information, which is also handy in many situations. If you specify the wildcard character (i.e. *), you will get permission related information for the given account against ALL services on the machine. If you are looking for only a specific service information, you can replace the wildcard with the appropriate service name. For example, to get effective permissions to only the SQLWriter.exe service (the executable called for the SQL Server VSS Writer service), you could use the following command:
|accesschk "LTCBOYDMS\sqlService" -vc "SQLWriter"|
An example command for the Active Directory Helper service, would be something like the following:
|accesschk "LTCBOYDMS\sqlService" -vc "MSSQLServerADHelper"|
The output from the command should look similar to the following:
|C:\Projects\Toolbox\accessCheck>accesschk.exe "DUMMYDOMAIN\svcSqlService" -vc *|
AccessChk v2.0 - Check account access of files, registry keys or services
Copyright (C) 2006 Mark Russinovich
Sysinternals - www.sysinternals.com
R Pml Driver HPZ12
In the output, the "RW" designators at the beginning of each line indicate Read/Write privileges (if present), then the service name, then using the -v option will provide you the additional output shown below each service above. The SERVICE_ALL_ACCESS implies all access, if you don't have that, you should see individual service related privileges like in the line above for the "Pml Driver HPZ12" service.
- The Access Check application provides a means to have a good understanding of the privileges assigned to the SQL Server service accounts at a Windows Service level. On servers with sensitive data, it is important to check items like this to ensure that the appropriate rights are assigned.
- Consider the Access Check application as a tool in your tool box for assessing and troubleshooting your overall SQL Server security.
- As the SQL Server service accounts change in your environment, keep this tool in mind to validate that the correct account and privileges are setup.
- Check out the following related MSSQLTips:
- Special thanks to Chad Boyd of my MSSQLTips.com community for this tip.
About the author
View all my tips