I cannot seem to find a definitive answer to this question.
The problem: I am using Octopus Deploy to run an executable that will run my database migration scripts. An error occurs as the Octopus "Tentacle" Windows service runs as localsystem which translates to NT AUTHORITY\System.
One solution is to change the SQL server security settings and grant an appropriate role to the NT AUTHORITY\System user which allows a process running as the localsystem user to create the database.
What are the security implications of making this change? It would allow any process running as localsystem to perform operations on the database but is this a bad thing given that I control what gets installed onto the server?
It would appear there was a change made circa SQL Server 2012 where by the localsystem account was previously by default a sysadmin but that got changed. One thing I saw was that this change prevents server administrators having access to the server but I can't see how this is possible given that you cannot log in as localsystem anyway.
What am I missing?
References:
https://support.microsoft.com/en-us/help/932881/how-to-make-unwanted-access-to-sql-server-2005-by-an-operating-system
https://dba.stackexchange.com/questions/142166/grant-sysadmin-permissions-to-nt-authority-system
https://serverfault.com/questions/130958/implications-and-benefits-of-removing-nt-authority-system-from-sysadmin-role
I answer to this one:
One thing I saw was that this change prevents server administrators
having access to the server but I can't see how this is possible given
that you cannot log in as localsystem anyway.
Local Windows administrator can access the server anyway, launching SQL Server in single user mode he will have a full control over it: Connect to SQL Server When System Administrators Are Locked Out
But this requires the server to be restarted.
Another option to access server as sysadmin without any restart is to use PsExec (-s) : you can log in as localsystem even through SSMS. And if this login is a sysadmin, you have a full control over the server
If someone is able to compromise your instance of Octopus Deploy the SA role provides enough access to drop every database on your server.
I imagine creating the initial database is a blue moon event. A safer option is to manually create the database and grant NT Authority the least amount of privileges to run your migration scripts.
We took this approach and worked back from SA, to db_owner, to a custom role with
[db_datareader]
[db_datawriter]
[db_ddladmin]
The NT AUTHORITY\SYSTEM account used to be sysadmin by default but not anymore because it's considered a "shared" account. It's not that it's a huge security issue, but when the time comes to point a finger at someone when something goes wrong, it's impossible to do so because using SYSTEM allows actions to be perfomed "anonymously". That's why SYSTEM is no longer recommended to be sysadmin.
"Any user with enough access to the server can execute a task that
will be run as NT AUTHORITY\SYSTEM either using task scheduler or
other tools. At this point, NT AUTHORITY\SYSTEM essentially becomes a
shared account because the operating system and SQL Server are unable
to determine who created the process. Prior to SQL Server 2012, NT
AUTHORITY\SYSTEM was a member of the sysadmin role by default. This
allowed jobs/tasks to be executed in SQL Server without the approval
or knowledge of the DBA because it looked like operating system
activity." (https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79129)
Related
I have an Octopus server setup using defaults in most configuraiton options; for example, it runs under the LOCAL SYSTEM account, and has created its own database on the local SQL server instance.
For reasons related to the deployment process of one of our projects, I need to switch the account under which the Octopus service runs, but when I do, it looses access to the database. When I try to use the own account to add the required permissions, I too am denied access.
The only two logins defined on the server are BUILTIN\Users and sa; I've made my domain account a member of the former group, but that's apparently not enough, and I don't have the password to sa.
Is there any way I can gain access to this database without completely re-installing Octopus?
As administrator on the local machine, you will be administrator on the SQL Server installation. But you will need to start Management Studio with "Run as administrator".
How on earth do you reset the sa password? I know how to go into the dialogs and reset a password. That's now what I'm asking about. It runs a little deeper than just click, click, new password, done!
I have no idea what the SA password is. Nor does the previous user of this machine. The previous user says he never had SQL Express ever running on this machine.
This journey started when I tried to create a new database and was told I didn't have permissions to do so. Okay, I decided to just give myself the appropriate permissions. Nope, I can't give myself nor anyone else permissions.
I tried changing the password using SSMS. I get a message saying I don't have permissions to change it.
I tried using the following SQL script. Again, no permissions.
GO
ALTER LOGIN [sa] WITH DEFAULT_DATABASE=[master]
GO
USE [master]
GO
ALTER LOGIN [sa] WITH PASSWORD=N'NewPassword' MUST_CHANGE
GO
The database is SQL Server 2008 Express (10.0.2531.0).
SQL Server Management Studio is SSMS 2008.
OS is Windows 7 Enterprise
I'm a local admin, and a domain user. I created a local admin account for logging into SSMS
Machine is on a domain.
I have no problems connecting to our network database servers.
Any suggestions? This could be a simple fix. Thanks...
This should help: start SQL Server in single-user mode. This will allow local administrators to connect as a sysadmin fixed server role. A detailed description of how to do this can be found here.
people also can try to change password this way by the below SP
EXEC sp_password NULL, 'yourpassword', 'sa'
hope may help other. thanks
You could use: Reset-DbaAdmin Powershell cmdlet from https://dbatools.io.
This function allows administrators to regain access to local or remote SQL Servers by either resetting the sa password, adding sysadmin role to existing login, or adding a new login (SQL or Windows) and granting it sysadmin privileges.
This is accomplished by stopping the SQL services or SQL Clustered Resource Group, then restarting SQL via the command-line using the /mReset-DbaAdmin paramter which starts the server in Single-User mode, and only allows this script to connect.
Using Reset-DbaAdmin will restart your SQL Server.
Reset-DbaAdmin -SqlServer sqlcluster
The simplest method I've found so far is to run SQL Server Management Studio / SQL Express under the SYSTEM context with Sysinternals PSEXEC app. After installing (copying psexec.exe to your computer, running it and accepting the EULA), you can type the following to invoke a system-context instance:
psexec -s -i <path to ssms.exe/sqlservr.exe>
You can use the GUI and don't require single-user mode to effect changes. I had problems with an unknown client tying up the snigle-user connection and this saved me.
I am having quite a problem with SQL Server.
When I installed it, my account was not an administrator, now it is. Apparently, since it was not an administrator of the machine, it is not an administrator of SQL Server, as a consequence I cannot create databases on my machine.
Now, I am on Windows 8, so it seems like SQL Server Configuration Manager is not as accesible as it was before, I managed to run it (I THINK!) from the MMC by running the following command: sqlservermanager10.msc.
Now, can anyone help me configure my current user as an SQL Server admin so I can create databases properly?
Thank you!
if I understand you correctly, you want your account to have sysadmin rights on SQL Server. You can either do this via SQL Server Management studio, or the SQLCMD command line utility. You don't use the SQL Server Configuration Manager.
You need to login as an existing SA (or whichever the identity has the sysadmin role).
Using TSQL via SQLCMD
Run the following command (replacing domain\user with your details)
USE [master]
GO
CREATE LOGIN [domain\user] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
GO
ALTER SERVER ROLE [sysadmin] ADD MEMBER [domain\user]
GO
Via the UI
In SQL Server Management Studio
Navigate to the Security node of the server, and R-Click & Select New Login
In the New Login dialog enter your domain user into the Window Authentication box
Then on the Right side select Server Roles and then make sure SysAdmin is selected
Then Ok that dialog and the windows account will have SA rights. This means then you can full administer the SQL Server.
It's not clear at all what's going on here, but it sounds to me like you haven't got any sysadmins if #Preet isn't correct.
The local Administrators group is not a member of the sysadmin role on recent versions of SQL Server (2005+, IIRC), and if I recall the installer complains if you try to configure it that way. Instead, when you install the instance you specify the users or groups who will be granted the sysadmin role on the instance.
If you did not do this (I think it adds the account doing the installation by default) or used an account or group which was later deleted, had the SID changed, or some similar event, then you have an instance with no sysadmin logins that can authenticate. You may be able to add one by switching the server to single user mode or minimal configuration mode (-f instead of -m).
If none of that works, then you'll have to save your database files, nuke the instance, install the instance again, re-attach your database files, and go from there.
The only other thing I can think that it might be is that the instance is somehow running as a user account that doesn't have permissions to create files in the default database or log directory, but that seems highly unlikely.
I've a user account on a development SQL express on a remote server. This account has all privileges granted to it but when I use SQL express remotely then I'm not able to make changes to tables. If I log into the virtual machine and sign in with same user I can make changes.
It says I'm not database owner or system administrator. I think I may need to use ownership chaining or somehow designate my user account as administrator?
Thanks.
This is what I'm seeing:
http://fogcreek.com/FogBugz/kb/errors/SysAdminRole.html
I'm using SQL Server Authentication but I'm not the owner but have 'grant' all rights.
Got it! This explains how I can add my user to the appropriate role and that fixes the problem.
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-1061781.html?tag=mantle_skin
This is rather embarrassing, but I accidentally deleted my Windows account from the list of SQL Server 2008 users and I cannot for the life of me figure out how to re-add myself now that I don't have login privileges.
The server is running on my machine and the only other Windows users with access are IUSR, NETWORK SERVICE and SYSTEM. Is there anything I can do short of re-installing?
I also recently deleted my windows account from my local development 2008 server. I was able to use SQL server's Single User Mode to recreate my login and add it to the sysadmin role. It took just a few minutes, and I didn't have to admit my terrible error to anyone.
From MSDN:
Starting SQL Server in single-user mode enables any member of the
computer's local Administrators group to connect to the instance of SQL
Server as a member of the sysadmin fixed server role.
Here's how I reinstated myself:
Exit out of SSMS
Stop any SQL related services. I had to stop Reporting Services. Other SQL services such as SQL Agent will also use up your one, valuable connection.
Stop the SQL service
Start the SQL service with the extra parameter -m. This will put the SQL into Single User Mode. This means that SQL will only accept one connection.
Use sqlcmd to connect to your server with the -E trusted connection option. SQL will accept you into the sysadmin role if you're a local administrator.
In the interactive session, create your login and add to the sysadmins role.
USE master
GO
CREATE LOGIN [domain\username] FROM WINDOWS WITH DEFAULT_DATABASE=[Master]
GO
EXEC sp_addsrvrolemember #loginame=N'domain\username', #rolename=N'sysadmin'
GO
Stop the SQL service, remove the -m parameter and restart the service. You should now be able to go back into SSMS and continue using the server normally.
If you get the message:
Login failed for user 'domain\username'. Reason: Server is in single user
mode. Only one administrator can connect at this time.
Then there is something using your single connection. You'll need to find that service or connection and stop it before you can log in. Check SQL Agent, SQL Reporting Services, SQL Analysis Services etc.
Luckily, this wasn't too hard to fix (not that it should have been hard...)!
This blog post explains the steps for starting SQL Server in Single User Mode, which (for some reason) allowed me to login as my Windows administrator account, add the account to the user list (with CREATE LOGIN), enable the SA user and set its password to something I actually knew, and finally login as SA and give the Windows account sysadmin privileges.
Edit 07/05/13: Try this link instead.
Often SQL Server is installed so that any any local administrator is a SQL Server sysadmin.
If this is your case you can run Management Studio as administrator and then add any other windows user as a login in the Security section.
This solution worked for me.