Solved

SQL 2012 NT_Authority|System, sysadmin is not checked by default

Posted on 2014-04-02
11
2,055 Views
Last Modified: 2014-04-08
I have an application from a 3rd party that requires a different setting on my SQL 2012. I'm not real familiar with MS SQL, but can follow instructions through the Microsoft SQL Server Management Studio and I have a couple of databases already set up and working. The vendor for the application is stating the following (see below), but I'm not real sure what needs to be done. Can someone give me the steps necessary to get this configured correctly?

Here is what they are telling me:

The service runs under the Local System (NT AUTHORITY\System) account. In SQL 2012 this Local System (NT AUTHORITY\SYSTEM) account is not automatically provisioned in the sysadmin fixed server role.
0
Comment
Question by:ontheborder
11 Comments
 
LVL 34

Assisted Solution

by:Brian Crowe
Brian Crowe earned 300 total points
ID: 39973678
Within SSMS, open Security under the database in question. Double-click on the "NT AUTHORITY\SYSTEM" user. Select "Server Roles". Check "sysadmin".

Done
0
 
LVL 40

Expert Comment

by:Kyle Abrahams
ID: 39973680
What they want you to do is grant SA to the local system account.  I would push back on that.  The most that I would ever grant to a third party is DBO on their own database.

Ask them if the service can run under another application account (eg: 3rdPartyService), and if DBO is sufficient for their purposes on their database(s).
0
 
LVL 69

Assisted Solution

by:Scott Pletcher
Scott Pletcher earned 100 total points
ID: 39973710
I agree with Kyle.  Indeed, I'd be concerned that their app seems to have admin authority on the server itself.

I suspect they don't need sysadmin.  They might need dbcreator (at least until their db(s) are created), and a few specific other roles/permissions, but they should not need sysadmin.

Make it clear to your management that if they give sysadmin to the app, you cannot guarantee performance for the instance.
0

 

Author Comment

by:ontheborder
ID: 39973714
The 3rd party is a trusted vendor and we have security agreements with them, so it should be okay to allow this type of access.  

BriCrowe - I believe you're on track.   When I check the Database > XXXX > Security    I don't see "NT AUTHORITY\SYSTEM" as an option.   I opened both the Users folder and the Roles folder, and don't see it listed as an option.
0
 
LVL 34

Assisted Solution

by:Brian Crowe
Brian Crowe earned 300 total points
ID: 39973719
It may be that 2012 doesn't even add the user.  In that case you need to add the login as you would any other user either via the UI or by script.

CREATE LOGIN [NT AUTHORITY\SYSTEM] FROM WINDOWS;
GO

0
 

Author Comment

by:ontheborder
ID: 39973749
Thanks, BriCrowe.  From what I can tell the NT AUTHORITY\SYSTEM account isn't installed automatically on MS SQL 2012.  I'll give your suggestion a try later today and see if that works.
0
 

Author Comment

by:ontheborder
ID: 39973889
After executing

CREATE LOGIN [NT AUTHORITY\SYSTEM] FROM WINDOWS;


I received the following message.

The server principal 'NT AUTHORITY\SYSTEM' already exists.
0
 
LVL 40

Assisted Solution

by:Kyle Abrahams
Kyle Abrahams earned 100 total points
ID: 39973989
You have to look at logins on the server level, NOT the database level.

I would recommend NOT giving sa role to this account as the 3rd party will have access to do whatever they want on that server (including seeing data in other DBs you have in there). If that's the only thing on that server then by all means go ahead.
0
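The server-level check and the least-privilege alternative raised in the replies above, as an added T-SQL example (not posted by any participant in this thread). `VendorDb` and `CONTOSO\3rdPartyService` are hypothetical placeholder names; the script assumes the DBA, not the vendor service, creates the database.

```sql
-- Added example. [VendorDb] and [CONTOSO\3rdPartyService] are hypothetical placeholders.

-- 1. Audit at the SERVER level (SSMS: <instance> > Security > Logins),
--    not under an individual database's Security node.
SELECT sp.name, sp.type_desc, sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name = N'NT AUTHORITY\SYSTEM';

-- 2. List every current member of the sysadmin fixed server role.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
GO

-- 3. Least-privilege alternative: a dedicated service login, created only
--    if it is missing (avoids the "already exists" error on a re-run).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\3rdPartyService')
    CREATE LOGIN [CONTOSO\3rdPartyService] FROM WINDOWS;
GO

-- 4. The DBA creates the vendor database, so the service needs no server role.
--    If the vendor installer must create it itself, grant dbcreator only for
--    the install window and drop the membership afterwards:
--      ALTER SERVER ROLE [dbcreator] ADD MEMBER [CONTOSO\3rdPartyService];
--      ALTER SERVER ROLE [dbcreator] DROP MEMBER [CONTOSO\3rdPartyService];
IF DB_ID(N'VendorDb') IS NULL
    CREATE DATABASE [VendorDb];
GO

-- 5. Map the login into that one database and grant db_owner there only.
USE [VendorDb];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\3rdPartyService')
    CREATE USER [CONTOSO\3rdPartyService] FOR LOGIN [CONTOSO\3rdPartyService];
ALTER ROLE [db_owner] ADD MEMBER [CONTOSO\3rdPartyService];
GO
```

Re-running queries 1 and 2 after the vendor install confirms that neither the service login nor NT AUTHORITY\SYSTEM was added to sysadmin along the way.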
 

Accepted Solution

by:
ontheborder earned 0 total points
ID: 39976616
After further review we've decided that due to questions about security, we are not going to pursue this configuration change. I haven't been able to get assurance from the vendor that this wouldn't compromise our security. We didn't attempt to provision the sysadmin as a fixed server role any further. Unless someone has any other information and feels like this is safe, we're going to move to a completely different option that the vendor is offering through their application.
0
 
LVL 40

Expert Comment

by:Kyle Abrahams
ID: 39976784
Granting SA is giving the keys to the kingdom for the database server in question.

If the vendor has another option I would go with it.
0
 

Author Closing Comment

by:ontheborder
ID: 39985543
Thanks.  All answers were helpful.  Moving to a less risky "Plan B".
0
