Bugtraq mailing list archives
Re: Microsoft Security Bulletin - MS02-020
From: "Bronek Kozicki" <brok () rubikon pl>
Date: Fri, 19 Apr 2002 20:45:18 +0200
As a workaround to the problem you point out, you could deny the account you run the service under "Set Value" on this key only (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSSQLServer). There is no value in this key that the account would need to modify once set up.... You should do the SQLAgent service if you are running that under the same or other non-priv account.
Good point. I received reports that SQL Server actually does not need write access to its service configuration - after its setup, everything works smoothly with read-only access (thanks, Craig). I guess that full access is necessary so 'sa' may change the service account from within mmc.exe (SQL Enterprise Manager). It's a clear example of functionality going before security (or maybe backward compatibility killing security?). The Microsoft SQL team has this issue on their desk, I hope they will act upon it.

Regards
B.Kozicki
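The workaround discussed in this message, as an added example that is not part of the original post: a PowerShell script that reports whether the service account can set values on the service key and, with `-Apply`, adds a "Set Value" deny entry on that key only. The account name `EXAMPLE\sqlsvc` and the script's parameter names are assumptions; pass the SQLAgent service's key through `-KeyPath` if that service runs under a non-privileged account as well.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
param(
    [string]$Account = 'EXAMPLE\sqlsvc',   # placeholder: your SQL Server service account
    [string[]]$KeyPath = @('HKLM:\System\CurrentControlSet\Services\MSSQLServer'),
    [switch]$Apply                         # without this switch the script only reports
)

$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
$sidType  = [System.Security.Principal.SecurityIdentifier]
$sid      = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)

foreach ($path in $KeyPath) {
    $acl = Get-Acl -Path $path

    # Only entries naming the account directly are inspected here;
    # rights granted through group membership are not resolved.
    $rules = $acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference -eq $sid }

    # FullControl includes SetValue, so the bit test catches it too.
    $allow = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $setValue) }
    $deny = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.RegistryRights -band $setValue) }

    [pscustomobject]@{
        Key            = $path
        Account        = $Account
        AllowsSetValue = [bool]$allow
        DeniesSetValue = [bool]$deny
    }

    if ($Apply -and -not $deny) {
        # "This key only": no inheritance, no propagation to subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $sid, $setValue,
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Deny)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it once without `-Apply` to record the current state, then again after applying to confirm `DeniesSetValue` is `True`.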