Network Service Account

Administration and Active Directory Integration

In Designing SQL Server 2000 Databases, 2001

Summary

Active Directory provides a directory service that stores information about users, computers, groups, applications and other network services, accounts, and resources. SQL Server 2000 integrates with Active Directory, not only using it for Windows NT authentication but also being able to register its own information within Active Directory for use by end users and applications that are Active Directory-aware.

Before listing any other objects in Active Directory, the administrator must begin by registering the SQL Server within it. This creates in Active Directory a new object describing the SQL Server. Next, the administrator can register SQL Server databases, SQL Server publications, and SQL Server Analysis Services in Active Directory. A user or an application can then conduct a search for a SQL Server component using information about the component. The user or the application is not required to know the SQL Server instance on which the component resides. This means that an administrator can register SQL Server components, then move them physically around the network without having to modify the information in multiple client applications.

There are many ways to administer various SQL Server elements. Because SQL Server can use Windows NT authentication, a SQL Server administrator might be required to create users within Active Directory. This is done using the Active Directory Users and Computers console. In addition, the administrator might want to manage the information listed in Active Directory. This can be done using the ADSI Edit or LDP tools, both of which are available in the Support\Tools directory on the Windows 2000 Server CD-ROM.

Much of the administration for SQL Server is handled in the Enterprise Manager application; however, Analysis Services are administered in the Analysis Manager application. Both of these consoles and all the Active Directory consoles are Microsoft Management Console (MMC) utilities. The MMC is a common framework from which to run snap-in utilities; it provides a consistent interface for an administrator.

Moving and copying databases can be accomplished in many ways. Traditionally, DBAs use a backup and restore method between servers. However, within Enterprise Manager there is also a Copy Database Wizard that can simplify this process as well as execute while the database is online. Moves are easily managed through the process of detaching a database from one server, conducting a file move procedure, and then attaching the database to the destination server.

One of the strengths of SQL Server is the ability to use Object Linking and Embedding (OLE) to query information existing in non-SQL Server data repositories. When OLE is used, a linked server is created. Then distributed queries are executed against the linked server. The information inside the linked server is considered a rowset and provided in tabular format.

Maintenance and administration of the SQL Server can be conducted using automated methods. An administrator can execute the Database Maintenance Plan Wizard to select the types of maintenance to be executed and the schedule on which to execute them. The administrator can also configure SQL Server Agent alerts, jobs, and operators. Once configured, a SQL Server can run into an error that triggers an alert. The alert will trigger a job and send a notification through SQL Mail to an operator.

URL:

https://www.sciencedirect.com/science/article/pii/B9781928994190500099

Authentication and Granular Access

In The Best Damn Exchange, SQL and IIS Book Period, 2007

SQL Server Service Account

The first thing to determine is the service account under which SQL Server is running. In order for Kerberos to be supported, SQL Server must either be running under a domain user account or the Local System or Network Service account. If a domain user account is being used, the SPNs must be configured under it. Otherwise, the SPNs must be configured under the computer account in the Active Directory domain. The easiest way to determine this is via SQL Server Configuration Manager:

1. In the left pane, expand SQL Server Configuration Manager (Local).

2. In the left pane, click SQL Server 2005 Services.

3. In the right pane, note the value for the Log On As column for the SQL Server instance.

Best Practices According to Microsoft

Microsoft recommends against the use of either the local System account or the Network Service account. In the case of the local System account, this account has more rights than SQL Server needs. As to the Network Service account, Microsoft doesn't give a specific recommendation as to why to avoid it, citing that local or domain user accounts are preferred. The most secure configuration is to use a local user account that does not have administrative rights. However, doing so will prevent Kerberos authentication from working. In order for Kerberos authentication to function, SQL Server must be running under a domain account. That domain account can be the computer account (which is why the local System account would work).
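The check above (read the Log On As value, then decide whether SPNs belong on the user account or on the computer account) can be scripted. The following is an added example, not code from the book; it assumes it runs on the SQL Server host, uses the Win32_Service StartName values Windows reports, and, for the optional SPN listing, assumes setspn.exe from the Active Directory Domain Services tools is on the PATH.

```powershell
# Added example, not from the book excerpt: classify the logon account of each SQL Server
# Database Engine / Agent service on this host and report where its Kerberos SPNs must be
# registered (on the domain user account itself, or on the computer account for the
# built-in accounts). Assumes it runs on the SQL Server host; the optional SPN listing
# assumes setspn.exe (Active Directory Domain Services tools) is on the PATH.
function Get-SqlServiceAccountInfo {
    [CmdletBinding()]
    param([switch]$ListSpns)

    $computer = $env:COMPUTERNAME
    # Default instance (MSSQLSERVER, SQLSERVERAGENT) and named instances (MSSQL$INST, SQLAgent$INST)
    $pattern = '^(MSSQLSERVER|SQLSERVERAGENT|MSSQL\$.+|SQLAgent\$.+)$'

    foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.Name -match $pattern }) {
        $logon = $svc.StartName
        if ($logon -match '^LocalSystem$') {
            # Local System presents itself on the network as the computer account
            $kind = 'Built-in: Local System'; $spnHolder = "$computer`$"; $kerberos = $true
        } elseif ($logon -match '^NT AUTHORITY\\Network\s?Service$') {
            $kind = 'Built-in: Network Service'; $spnHolder = "$computer`$"; $kerberos = $true
        } elseif ($logon -match '^NT AUTHORITY\\Local\s?Service$') {
            # Local Service has no domain identity on the network, so no Kerberos
            $kind = 'Built-in: Local Service'; $spnHolder = $null; $kerberos = $false
        } elseif ($logon -match '^NT SERVICE\\') {
            # Per-service virtual account; on the network it authenticates as the computer account
            $kind = 'Virtual account'; $spnHolder = "$computer`$"; $kerberos = $true
        } elseif ($logon -match "^(\.|$([regex]::Escape($computer)))\\") {
            # Local user account: least privilege, but cannot be used for Kerberos
            $kind = 'Local user account'; $spnHolder = $null; $kerberos = $false
        } else {
            # Domain user account (DOMAIN\user): SPNs belong on this account
            $kind = 'Domain user account'; $spnHolder = $logon; $kerberos = $true
        }

        $spns = $null
        if ($ListSpns -and $spnHolder -and (Get-Command setspn.exe -ErrorAction SilentlyContinue)) {
            # setspn -L only reads the registered SPNs; it changes nothing in the directory
            $spns = (& setspn.exe -L $spnHolder.TrimEnd('$')) -match 'MSSQLSvc/' | ForEach-Object { $_.Trim() }
        }

        [pscustomobject]@{
            Service         = $svc.Name
            LogOnAs         = $logon
            AccountType     = $kind
            KerberosCapable = $kerberos
            SpnHolder       = $spnHolder
            MssqlSvcSpns    = $spns
        }
    }
}

# Usage: report every SQL service, then warn about the ones that cannot use Kerberos
Get-SqlServiceAccountInfo -ListSpns | Format-Table -AutoSize
Get-SqlServiceAccountInfo | Where-Object { -not $_.KerberosCapable } |
    ForEach-Object { Write-Warning "$($_.Service) runs as $($_.LogOnAs); Kerberos authentication will not work" }
```

A service whose SpnHolder is the computer account but whose MssqlSvcSpns list is empty is the usual cause of an unexpected fallback to NTLM.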

URL:

https://www.sciencedirect.com/science/article/pii/B9781597492195000224

Installation of the Citrix Provisioning Server

Gareth R. James, in Citrix XenDesktop Implementation, 2010

Prerequisites

Important considerations:

1. The user account performing the installation must be a local administrator on the provisioning server.

2. An Active Directory Service Account for Citrix Provisioning Server. For proof of concept/pilot type implementations, the local Network Service Account can be used rather than an Active Directory user account.

3. Windows Server 2003 SP2 and Windows Server 2008 and Windows Server 2008 R2 (32 or 64 bit) – all editions are supported for the provisioning server.

The Installation Guide states "all versions." For a production environment, Windows Server 2008 (64 bit) would be the best selection in terms of performance and scalability. Windows Server 2008 R2 is currently supported in version 5.6.

SQL Express database is sufficient for a proof of concept. A pilot or production environment should make use of an Enterprise database, which can be easily backed up and restored as required.

4. Requires Microsoft SQL 2005 or Microsoft SQL 2008. Express editions included. Please see Appendix.

Tip

As with the Desktop Delivery Controller, ask the database administrator in your organization to create a database for you.

5. Have a separate logical or physical drive location available for virtual disks. SAN (Storage Area Network) storage is recommended if available.

6. The .NET Framework 3.5.1 is required. This is installed on Windows Server 2003, but on Windows Server 2008 R2, you add it as a "Feature" under Server Manager.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597495820000063

Server Rights

Denny Cherry, in Securing SQL Server (Third Edition), 2015

Changing the Service Account

Setting the service account can be done during installation or it can be changed after installation by using the SQL Server Configuration Manager. To make the change in the SQL Server Configuration Manager, open the SQL Server Configuration Manager from the Windows Start Menu. Once it opens, select "SQL Server Services" from the menu on the left and then double click on the specific SQL Server service from the list as shown in Figure 13.2.

Figure 13.2. SQL Server Configuration Manager.

From the SQL Server Service properties page which opens, select the "Log On" tab. To use the Local System Account, the Local Service Account or the Network Service account, select the "Built-in account" radio button and select the needed choice from the dropdown menu as shown in Figure 13.3. To use a local or domain account, select the "This account" radio button and specify a Windows account and the password for this account.

Figure 13.3. SQL Server service properties dialog.

When using a local system account, network service account or local service account (a description of these 3 accounts can be found in Table 13.1) the account will be shown in the Account Name field as shown in the disabled Account Name field in Figure 13.3. This can look incorrect when you first open the service properties, but this is normal as it displays the service specific name instead of displaying a generic option from the dropdown menus. There is no need to change the radio button to "Built In" from "This Account" if a network service, local service or local system account is specified.

Table 13.1. Local Accounts

Account Name: Description
Local system: The SQL Server Service runs under the account of the computer. The SQL Server Service only has access to resources on the local server.
Network service: The SQL Server Service runs under the account of the computer. The SQL Server Service has access to network resources, but under the context of the computer account, not under its own account.
Local service: The SQL Server Service runs under a service specific account called NT Service\MSSQLSERVER.

After changing the start up service account to or from any of the available options, the SQL Service must be restarted in order for the changes to take effect. To make the changes take effect, click the Apply button, then "Yes" on the dialog box which appears, which informs you that the SQL Service needs to be restarted as shown in Figure 13.4. Clicking "No" on the dialog box shown in Figure 13.4 will prevent the changes to the service configuration from being saved.

Figure 13.4. Confirm account change dialog box.

URL:

https://www.sciencedirect.com/science/article/pii/B9780128012758000130

Server Rights

Denny Cherry, in Securing SQL Server (Second Edition), 2013

Using Local Service Accounts for Running SQL Server Services

Another option which is used much more frequently than it should be is to use the local system accounts to run the SQL Server services. While on newer versions of Windows such as Windows 2008 and higher this is less of a problem, on older versions of Windows this is typically an unacceptable security risk. There are two local system accounts which the SQL Server installer will allow you to pick during the installation process. One is the local service account and the other is the network service account. On older versions of Windows Server (Windows Server 2003 and earlier) these accounts were effectively members of the local administrators group on the server, which gave the SQL Service more rights than it needed.

Note

Give a Guy a Break Already

Yes, yes. I'm aware that the really old versions of SQL Server like SQL Server 6.5 and SQL Server 7 required that the account that was running be a member of the local administrators group. But this isn't the 1990s so we shouldn't be setting up our servers like that anymore unless we really need to. And by really need to I mean because some third-party application vendor doesn't know how to properly write an application causing massively elevated permissions to be required.

This becomes less of an issue on the newer versions of the Microsoft Windows operating system (OS), specifically Windows 2008 and newer, because when services are run under these accounts they aren't actually run under these accounts. A new pseudo-account is created called "NT SERVICE\MSSQLSERVER" or "NT SERVICE\SQLSERVERAGENT"; basically the account is "NT SERVICE" for the domain name followed by the name of the service. This allows each service to function within its own security context and not have access to the resources of another service. It also allows for the granting of Windows security rights at a much more granular level, such as the logon as a service right shown in Figure 12.1.

Figure 12.1. Showing Various "NT SERVICE" Accounts Being Granted Individual Rights Under Windows 2008 R2

Granting additional rights to these service-specific "NT SERVICE" accounts requires knowing the specific account which you want to grant rights to. This is due to the fact that these are special system accounts which don't technically exist, so you can't search for them in the normal account search dialog boxes in the Windows Local Security Policy editor or SQL Server Management Studio. As you can't search for these accounts, you must type the names in manually when granting them rights.

Story Time

So This One Time While Writing This Book…

So when I was writing this book, specifically Chapter 6 titled "Analysis Services," I ran across some of the issues which I've talked about in this section of this chapter (guess where I got the idea for this section from). While working with SQL Server Analysis Services I was trying to get the screenshots for all the objects like those shown in Figure 6.8 and I kept getting errors while processing the cube. This is because in my haste to get the SQL Server services installed on my machine I had set the services to start up under the local service account instead of under a single domain account like my SQL Server did. Because of this, when the SQL Server Analysis Services service attempted to log into the locally installed SQL Server database, it couldn't because I needed to specifically grant the "NT SERVICE\MSOLAP$SSAS" service rights to the SQL Server instance (as I noted in Chapter 6 the SQL Server Analysis Service and Reporting Service services were installed as a named instance called SSAS, giving us the stranger than normal account name).

And yes I did almost name this side bar "So this one time at band camp…" but that just led to images of a trumpet going somewhere that trumpets should just never go, and I didn't really need that while sitting on an airplane. If you don't catch that reference go check out the American Pie movies and get back to me. You're welcome for that mental image. I now return you to your regularly scheduled book reading.

The upside to using these service-specific accounts is that there are no passwords to change, as you don't have access to these passwords. Another upside to these services is that if the service which the account is running becomes compromised, the attacker won't have access outside of that service, unless that service account has been granted specific rights.

Like anything that has an upside, there is a downside or two as well. These downsides include not being able to change the password of the account if it was to become compromised, and the inability to easily grant rights across servers. When running the SQL Server services under the network service account, the SQL Server can access rights outside of itself. And this works great, until you understand how the domain authentication process works when accessing these remote resources.

For an example, let's say that we have a SQL Server called SQL1.contoso.local and a file server called files.contoso.local. The SQL Server service and the SQL Server Agent service are both configured to run under the local network service on their machine. There is a job which runs a T-SQL batch which includes the BULK INSERT statement, which is used to load up a text file from the file server. In order to grant the SQL Server the right to access the network share and read the file on the file server, we have to grant the computer account for SQL1.contoso.local rights to the network share. This is done by granting the Active Directory account CONTOSO\SQL1$ rights to the network share. So far so good. But we now find out that any process which is running under the network service account on SQL1.contoso.local now has rights to the network share and can read the file (or write to the file, depending on how the rights to the network share are configured). This suddenly becomes a problem, as any user who is logged into SQL1.contoso.local now also has the same rights to that network share that the SQL Service has. From a security perspective this is a pretty bad idea.
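The grants the paragraph warns about are easy to find on the file server side: a share or NTFS permission whose principal name ends in "$" is a computer account, and it covers every Local System / Network Service process on that computer, not only the SQL Server service. The audit below is an added example, not code from the book; it assumes the SmbShare module (Windows Server 2012 and later) on the file server, and uses CONTOSO\SQL1$ from the text as the one grant that has been reviewed and approved.

```powershell
# Added example, not from the book excerpt: on a file server, list share-level and NTFS
# permissions that are granted to computer accounts (DOMAIN\HOSTNAME$, e.g. CONTOSO\SQL1$
# from the text). Assumes the SmbShare module (Windows Server 2012+) and local execution.
function Find-ComputerAccountGrants {
    [CmdletBinding()]
    param(
        # Computer-account grants that have been reviewed and are expected to exist
        [string[]]$ApprovedAccounts = @()
    )

    # DOMAIN\NAME$ : the trailing $ is what distinguishes a computer account from a user or group
    $computerAcct = '^[^\\]+\\[^\\]+\$$'

    # Administrative shares (C$, ADMIN$, IPC$) are flagged Special; skip them
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

        # Share-level permissions (what "rights to the network share" grants)
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.AccountName -match $computerAcct) {
                [pscustomobject]@{
                    Share    = $share.Name
                    Source   = 'Share ACL'
                    Account  = $ace.AccountName
                    Right    = [string]$ace.AccessRight        # Read, Change or Full
                    Approved = ($ApprovedAccounts -contains $ace.AccountName)
                }
            }
        }

        # NTFS permissions on the shared folder; effective access is the stricter of the two
        $acl = Get-Acl -LiteralPath $share.Path -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $id = [string]$ace.IdentityReference
            if ($ace.AccessControlType -eq 'Allow' -and $id -match $computerAcct) {
                [pscustomobject]@{
                    Share    = $share.Name
                    Source   = 'NTFS ACL'
                    Account  = $id
                    Right    = [string]$ace.FileSystemRights
                    Approved = ($ApprovedAccounts -contains $id)
                }
            }
        }
    }
}

# Usage: unapproved computer-account grants sort to the top. The fix the chapter points to
# is running the SQL Server service under a dedicated domain account and granting that
# account instead, then removing the computer-account entry.
Find-ComputerAccountGrants -ApprovedAccounts 'CONTOSO\SQL1$' |
    Sort-Object Approved, Share |
    Format-Table -AutoSize
```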

Note

Selecting the Right Approach

Hopefully by the time you've gotten to this part of this chapter you've been thinking about your own company and which of these approaches will fit best into your shop. Obviously changing from one of these approaches to another requires a LOT of work and isn't a project that should be taken lightly. In larger shops a project like this could take months or years.

While I would love to be able to tell you which of these approaches would work best in your specific shop, that just isn't possible to do in the abstract like this. There are several factors to consider before selecting which of these approaches should be used, including the size of your shop, the number of database administrators in the shop (in this context anyone who has the passwords that the SQL Server runs under is counted as a database administrator), how complex the application design is, and how frequently you plan on changing service account passwords. If after thinking through all these items and thinking about your specific company you do decide to change the approach that you are going to use to run your SQL Server databases, don't rush the project. For most applications and servers there will be a LOT of discovery which needs to be done to ensure that the account changes don't adversely impact the stability of the environment and the uptime of the applications.

After all, while we may not like it, the best security practices have to be tempered against system manageability. If they didn't we would still be in the stone ages, as the only truly secure server is one that is powered off and stored in a physical room with no doors or windows.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597499477000125