[25189] in bugtraq


Re: Microsoft Security Bulletin - MS02-020

daemon@ATHENA.MIT.EDU (Bronek Kozicki)
Sat Apr 20 14:59:05 2002

Message-ID: <003e01c1e7d2$5a743c40$7507b33e@luscinia>
From: "Bronek Kozicki" <brok@rubikon.pl>
To: "Michael Devlin" <Michael.Devlin@figleaves.com>
Cc: <bugtraq@securityfocus.com>
Date: Fri, 19 Apr 2002 20:45:18 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

> As a workaround to the problem you point out you could deny the account
> you run the service under "Set Value" on this key only
> (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSSQLServer).
> There is no value in this key that the account would need to modify once
> setup....
>
> You should do the SQLAgent service if you are running that under the
> same or other non-priv account.

Good point. I received reports that SQL Server actually does not need write
access to its service configuration - after its setup, everything works
smoothly with read-only access (thanks, Craig). I guess that full access is
necessary so 'sa' may change the service account from within mmc.exe (SQL
Enterprise Manager). It's a clear example of functionality going before
security (or maybe backward compatibility killing security?). The Microsoft
SQL team has this issue on its desk; I hope they will act upon it.

Regards


B.Kozicki
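The workaround quoted in the message above (deny the SQL Server service account "Set Value" on its own service key, and do the same for SQL Agent) can be audited and applied from PowerShell. The script below is an added example written for this archive page; it is not code from the original thread or from Microsoft. It assumes a default instance (service name MSSQLSERVER, agent service name SQLSERVERAGENT, key HKLM\SYSTEM\CurrentControlSet\Services\MSSQLServer), an elevated session, and that the service runs under a named non-privileged account as the thread discusses. It checks only ACEs for the account's own SID, so a right granted through group membership is not reported; without -Apply it only audits.

```powershell
# Added example (not from the original post or from Microsoft).
# Audits whether a service's own account holds "Set Value" on
# HKLM:\SYSTEM\CurrentControlSet\Services\<service>, and with -Apply adds a
# Deny ACE for that right on the key only, as the quoted workaround describes.
# Assumptions: default SQL instance (MSSQLSERVER / SQLSERVERAGENT), elevated shell.
param(
    [string]$ServiceName = 'MSSQLSERVER',   # assumption: default instance name
    [switch]$Apply                          # audit only unless given
)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# Resolve the account the service runs under (Win32_Service.StartName).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$startName = $svc.StartName
if ($startName -match '^(LocalSystem|NT AUTHORITY\\.*)$') {
    throw "'$ServiceName' runs as $startName; the workaround targets a non-privileged account."
}
# ".\name" is local-machine shorthand that NTAccount cannot translate directly.
$startName = $startName -replace '^\.\\', "$env:COMPUTERNAME\"
$account = New-Object System.Security.Principal.NTAccount($startName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Map an ACE identity to a SID; unresolvable (orphaned) entries yield $null.
function Get-AceSid($Ace) {
    $ident = $Ace.IdentityReference
    if ($ident -is [System.Security.Principal.SecurityIdentifier]) { return $ident }
    try { return $ident.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return $null }
}

$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
$acl = Get-Acl -Path $keyPath

# Explicit or inherited ACEs on this key that touch SetValue for the service SID.
$related = $acl.Access | Where-Object {
    (Get-AceSid $_) -eq $sid -and (($_.RegistryRights -band $setValue) -ne 0)
}
$allows = @($related | Where-Object { $_.AccessControlType -eq 'Allow' })
$denies = @($related | Where-Object { $_.AccessControlType -eq 'Deny' })

Write-Host "Service  : $ServiceName (runs as $startName, $sid)"
Write-Host "Key      : $keyPath"
Write-Host "Allow ACEs granting Set Value : $($allows.Count)"
Write-Host "Deny  ACEs for Set Value      : $($denies.Count)"

if ($denies.Count -gt 0) {
    Write-Host "Set Value is already denied for this account; nothing to do."
    return
}
if ($allows.Count -eq 0) {
    Write-Host "No ACE grants this SID Set Value directly (group-granted rights are not checked)."
}
if (-not $Apply) {
    Write-Host "Audit only. Re-run with -Apply to add the Deny ACE."
    return
}

# Deny ACE on this key only (no inheritance), matching the quoted workaround.
$deny = [System.Security.AccessControl.RegistryAccessRule]::new(
    $sid,
    $setValue,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($deny)
Set-Acl -Path $keyPath -AclObject $acl
Write-Host "Deny ACE for Set Value added on $keyPath for $startName."
```

Run it once per service: the default audits MSSQLSERVER, and `-ServiceName SQLSERVERAGENT` (assumed agent service name) covers the SQL Agent case the quoted message mentions. Because a Deny ACE is evaluated before Allow entries, this blocks the account from rewriting values such as the service binary path or logon account even if a broad Allow remains; verify afterwards that the service still starts and that the Enterprise Manager "change service account" path, which the reply identifies as the likely reason for the write access, is not something you rely on from that account.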