My SQL Server Windows service is set to use the NETWORK SERVICE account.
The server is installed to C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL.
However looking at the permissions on that folder, NETWORK SERVICE does not have any permissions. The groups which are allowed access to that folder are...
CREATOR OWNER - who is this?
SYSTEM - sounds fine - so that Windows can access the folder I presume?
SQLServerMSSQLUser$Computer_Name$MSSQLSERVER - this is the interesting one - what is this?
Administrators
Users
If NETWORK SERVICE is a user with minimal permissions on the system and looks to the O/S as someone connecting from a network how does it have permissions to access any files in the SQL Server install folder?
Thanks.
See Setting Up Windows Service Accounts in the SQL Server documentation:
SQL Server uses a security group to set resource ACLs rather than using the service account directly, so changing the service account can be done without having to repeat the resource ACL process. The security group can be a local security group, a domain security group or a service SID.
During SQL Server installation, SQL Server Setup creates a service group for each SQL Server component. These groups simplify granting the permissions that are required to run SQL Server services and other executables, and help secure SQL Server files.
Depending on the service configuration, the service account for a service or service SID is added as a member of the service group during install or upgrade.
That's what SQLServerMSSQLUser$Computer_Name$MSSQLSERVER is.
About NetworkService Account:
The NetworkService account is a predefined local account used by the service control manager.
...
A service that runs in the context of the NetworkService account presents the computer's credentials to remote servers.
NOT, as you put it:
looks to the O/S as someone connecting from a network
Related
I have a PHP web app (Snipe-IT) that was previously working.
We went through a security review, and the recommendation was made to enable service endpoints (Microsoft.Sql) on the application subnet so that web apps connect to databases over the Azure backbone. Everything is working fine for the other MSSQL apps, except for our Snipe-IT application, which connects to a GP_Gen5_2 MySQL instance.
The error message says:
D'oh! Looks like we can't connect to your database. Please update your database settings in your .env file. Your database says:
SQLSTATE[HY000] [9009] Client connections to Basic tier servers through Virtual Network Service Endpoints are not supported. Virtual Network Service Endpoints are supported for General Purpose and Memory Optimized severs. (SQL: select 2 + 2)
This error message doesn't match the environment configuration because the database in question is a General Purpose, 2 vCore(s), 50 GB database.
There is no networking tab on the MySQL server, but in the Connection security tab we have tried enabling access to Azure resources, allowing the full public internet (0.0.0.0 - 255.255.255.255), enabling and disabling forced SSL, but nothing changes the result.
Azure won't let us create a Private Endpoint on the MySQL database because 'the subnet contains external resources'
I am hoping there is a way to resolve this without having to rebuild both the app and database in a different App Service Environment and subnet.
Thanks
I'm trying to access the Reporting Services 2005 Report Manager locally on a Windows Server 2003 server and I'm getting the following error:
Access to the temp directory is denied. Identity 'DOMAIN\login'
under which XmlSerializer is running does not have sufficient
permission to access the temp directory. CodeDom will use the user
account the process is using to do the compilation, so if the user
doesnt have access to system temp directory, you will not be able to
compile. Use Path.GetTempPath() API to find out the temp directory
location.
The DOMAIN\login given in the error message is my user login account. The Reports virtual directory in the Default Web Site is configured to use the DefaultAppPool which is configured to run as the Network Service identity. The SQL Server Reporting Services windows service is configured to use a separate domain service account.
Grant the NETWORK SERVICE account read/write/modify access to the C:\WINDOWS\Temp directory.
i'm trying to install vmware view connection server but is ask me that the computer does not belong to a domain.
what do i do now? this is a home server and i do have a static ip address with my isp. the aim would be to connect from outside my home network remotely.
do i need to add a dns server in windows server 2008?
Have you tried LogMeIn? The free edition works beautifully for this sort of thing, without the headaches of firewalls, DNS, and IP addresses.
Yes, you need a AD domain to install vmware view connection server.
Please refer to pre-req of view:vmware view install guide
Preparing Active Directory
View uses your existing Microsoft Active Directory infrastructure for user authentication and management. You must perform certain tasks to prepare Active Directory for use with View.
I'm installing Windows Server AppFabric in a Windows 2008 R2 SP1 that is part of my domain. On the Configure Hosting Service, I would like to configure each AppFabric service on a separate Domain account. I've created the 3 necessary databases on a separate database server that is also part of my domain, and 3 domain users, and I've given each domain user db_owner privilege on it's respective database.
When I'm installing Windows Server AppFabric, and I try to set the monitoring configuration, and on the AppFabric Event Collection service account, I'm trying to use the domain user, but it keeps giving me Logon Failure: Unknown username or bad password, but the user and password are valid! On the same server, if I do a runas with the same domain user and password, I open any application I want.
Is there a restriction on using domain accounts for this? I've placed all 3 accounts as local admin and on AS_Administrators, to see if it helped, but it's no good.
After a LOT of troubleshooting, I found out how to configure it. Before the Windows Server AppFabric Configuration Wizard is opened, go to the Services, and configure the 3 services (AppFabricCachingService, AppFabricEventCollectionService and AppFabricWorkflowManagementService) with the domain users you want. Then, you open the Wizard, and the correct domain users will already be configured, and all you need to do is configure the database.
The post https://stackoverflow.com/questions/4733348/configuring-appfabric-with-remote-database also helped, along with the article http://msdn.microsoft.com/en-us/library/ff637739.aspx
I have an SQL Express 2008 R2 instance running under the "Local System" account. I have written a windows service that also runs under the "Local System" account. The windows service uses the following connection string to connect to the sql server.
Data Source=.\sqlexpress;Initial Catalog=mydatabase;Integrated Security=True
When the application is installed I create the database with a simple SQL script which does not set any permissions or roles...it just creates the database and tables.
How does my windows service running as "Local System" manage to access the database? What rights is it getting in the SQL database? How is it getting these rights?
Andrew
If you expand the tree on the left (Object Explorer) in SSMS to Security, then Logins, you will see "NT AUTHORITY\SYSTEM". By default provisioning after installing SQL Server 2008 R2 Express, this account is added to the sysadmin role.
FYI - Your service running as Local System + Integrated Security means it is authenticating with SQL Server as the Windows account NT AUTHORITY\SYSTEM.
http://msdn.microsoft.com/en-us/library/ms188659.aspx
sysadmin
Members of the sysadmin fixed server role can perform any activity in the server.
Some of the rights granted to the Local System account are determined by the roles it has been assigned to.
If you login through Microsoft SQL Server Management Studio, expand Security folder, right click on NT AUTHORITY\SYSTEM, and select Properties, you should be able to see the roles assigned to the Local System user in the Server Roles section.
You can read more about each role at, Server-Level Roles document by Microsoft.
Hope this helps!