Discussion:
Security question regarding MOM 2005 and SQL 2000
FCB DSS
2007-05-01 22:17:00 UTC
I would like to hear from as many of you as possible how you are managing a
SQL Server 2000 environment using MOM? For those of you where the DBA and
server administration is on separate teams how do your DBAs feel about the
NT Authority\System account needing access in order to monitor and collect
data through the SQL Management Pack? Were there security issues when this
was brought up? Has anyone found a workaround other than simply not monitoring
SQL Server? We here have this dilemma where our DBAs will not allow the NT
Authority\System account access within SQL Server to run the SQL Management
Pack because of security risks. The perception is it is a Systems
Administration account which essentially allows anyone with Local Admin
privileges full access to all data with a database. If anyone has any
links/information to pass along that explains exactly what the NT
Authority\System account is and what its roles/permissions are that would be
wonderful. Thanks for your help from a very FRUSTRATED server engineer!!!!
Anders Bengtsson
2007-05-02 04:21:04 UTC
Hi

The alternative would be a low-level domain account as action account on your
SQL machines. What do your SQL Admins say about that?
--
Regards
Anders Bengtsson [MCSE:Security, MCSA:Messaging] | http://www.contoso.se
FCB DSS
2007-05-02 12:11:03 UTC
Our SQL admins say the NT Authority\System account is a user account without
a password and would allow anyone with admin rights to the server to have
full access to the SQL data.
Anders Bengtsson
2007-05-02 12:38:33 UTC
Hi FCB,

Everyone with an admin account on the server can tinker with SQL if they want
to.
You can also use a down-level domain account, what do your SQL Admins think
about that?

---
Regards
Anders Bengtsson, MCSE:Security
http://www.contoso.se
FCB DSS
2007-05-02 12:47:02 UTC
Believe me the server engineers are aware of that. When you say we can use a
down-level account what do you mean? We investigated using an account other
than NT Authority\System but couldn't find a way to change it. How can that
be done if so? That might be the answer right there.
Anders Bengtsson
2007-05-02 13:53:09 UTC
Hi FCB,

Take a look in the SQL MP guide, I think there is a chapter about using a
domain account with non-admin permissions.

---
Regards
Anders Bengtsson, MCSE:Security
http://www.contoso.se
FCB DSS
2007-05-02 14:18:03 UTC
How would SQL Server need to be configured if the Builtin Administrators group
has been removed and we would still want to use the SQL Management Pack?
Anders Bengtsson
2007-05-02 19:27:32 UTC
Hi FCB,

You can download the management pack guide here, and read about it
http://www.microsoft.com/downloads/details.aspx?familyid=653D9FB9-B1C6-4702-A152-99852DCB2772&displaylang=en



---
Regards
Anders Bengtsson, MCSE:Security
http://www.contoso.se
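
Added example, not part of any post in this thread: a T-SQL audit for SQL Server 2000 that shows how NT Authority\System and BUILTIN\Administrators currently map into the instance, which is the information the DBA and server teams are arguing over. The account name EXAMPLE\svc-mom-action is a hypothetical placeholder for a low-privilege domain action account; run the script as a sysadmin.

```sql
-- Added example (not from the thread). SQL Server 2000 syntax.
-- On a default SQL Server 2000 install, BUILTIN\Administrators is a login in
-- the sysadmin role, and Local System reaches SQL Server through that group
-- unless it has been given a login of its own.

-- 1. Do the principals under discussion have a login, and are they sysadmin?
DECLARE @principals TABLE (loginname sysname NOT NULL)
INSERT INTO @principals VALUES (N'NT AUTHORITY\SYSTEM')
INSERT INTO @principals VALUES (N'BUILTIN\Administrators')
INSERT INTO @principals VALUES (N'EXAMPLE\svc-mom-action')  -- hypothetical name

SELECT  p.loginname,
        CASE WHEN l.loginname IS NULL THEN 0 ELSE 1 END AS has_login,
        ISNULL(l.hasaccess, 0) AS hasaccess,   -- 1 = allowed to connect
        ISNULL(l.denylogin, 0) AS denylogin,   -- 1 = explicitly denied
        ISNULL(l.sysadmin, 0)  AS sysadmin     -- 1 = full control of the instance
FROM    @principals p
LEFT JOIN master.dbo.syslogins l ON l.loginname = p.loginname

-- 2. Every Windows user or group that holds sysadmin. Anything listed here
--    can read all data in every database on the instance.
SELECT  loginname, isntgroup, isntuser
FROM    master.dbo.syslogins
WHERE   isntname = 1 AND sysadmin = 1
ORDER BY isntgroup DESC, loginname

-- 3. If BUILTIN\Administrators still has a login, list the Windows accounts
--    that inherit its access through group membership.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE loginname = N'BUILTIN\Administrators')
    EXEC master.dbo.xp_logininfo N'BUILTIN\Administrators', 'members'
```

If the first result shows `has_login = 0` for both NT AUTHORITY\SYSTEM and BUILTIN\Administrators, the agent's default action account cannot connect at all, and the permissions a dedicated domain account needs are the ones listed in the management pack guide linked above.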