mssql folder permissions possible security issue security analyzer

I have been doing some risk assessment work on some MSSQL Servers. I have run the basic MBSA (baseline security analyser tool) over the Systems, and it always flags up issues with the folder permissions. I.e. in one example it lists BUILTIN\Users has some degree of access to the BINN folder.

Can I ask what would typically be in the BINN and DATA folder, and what is the risk if an unauthorised user had access to the BINN folder. And what is the risk if an unauthorised user had access to the DATA folder?

Secondly, if the BINN and DATA folders are within an administrative share – is this a false positive, as I thought if a folder was within an ADMIN share, its only ever admins who have access to it, so I don’t quite understand how it can list BUILTIN\Users, unless it isn’t considering both share and directory permissions.
LVL 4
pma111Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

XGISCommented:
Hello PMA111,

The DATA folder is where your databases live. Even as an Admin you are generally not able to delete, backup or even copy these files unless you have DETACHED a Database through SQL Server Management Studio, which requires 1, Installation and 2. Access as an Authorised Windows User. I have not tested access through a standard user compared to an admin user.

The BINN folder is an unlikely spot for users to access and is adjacent to the SQL DATA folder. The "Standard" user would require no access to this folder unless they were running SQL components.  

Plan A

Test access and risks by creating a standard user. Login and try to do some damage eg delete files or databases in those folders.  You will probably find you need admin permission to do these things.

Plan B

Unless they are required to use SQL or SSMSE then you should have no issues removing existing ALLOW access and apply DENY.  

These permissions are easy to reset through folder properties | security if you identify that users did need access.  To test this create a test standard user account and login to see what access you have to those folders, or run SQL related applications and resources to check if the new permissions have limited their access to required resources in any way.

Hope this helps!
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pma111Author Commented:
Thanks.

Are there any types of files in the BINN folder?

I didnt know if you had a view on my admin share question? i.e. if its an admin share regardless of whether the directory ACL says BUILTIN\users have access to that folder, if its an admin share they just wont actually have access, will they?
0
XGISCommented:
Pls note that Builtin\users are all the users that the OS creates when installing the OS including local accounts (e.g. guest, ASP.NET or IUSR_hostname). It also includes all the users created in the domain whereas Authenticated users are all users that belong to the domain and have credentials.

MBSA is a two edged sword for many admins. It reports too many holes for large systems causing significant downtime chasing false positives...which are still better than false negatives, but at what time cost.

For SQL Server Express you cannot actually start the agent service which I think is one of the key files in the BINN folder.  If you DENY access, in a folder such as this you may end up with issues as with most MS based folders. You need to make a screen capture of users and permissions ie the local and network service and local system..just in case.  The last thing you want is a reinstall of sql.    

Maybe for the admin share reducing the permissions to read and list may be the best solution for both folders as it eliminates the deny issues whose permissions are best suited for your own custom folders.

A safe test to run at least for the DATA folder is a copy or zip of any files within that folder. ie DB's.  

Back to MBSA..one of its downfalls are the fact that the permissions are constantly changed from OS to OS and may be referencing something that is out of date...

pls check this link similar issue

some of the binn folder files...most notably sqlserver.exe

b1
Binn Files..that last 20%

b2
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server

From novice to tech pro — start learning today.