Chapter1SecuringYourServerandNetwork(1):选择SQLServer运行账
原文出处:http://blog.csdn.net/dba_huangzj/article/details/37924127 ,专题目录:http://blog.csdn.net/dba_huangzj/article/details/37906349 未经作者同意,任何人不得以原创形式发布,也不得已用于商业用途,本人不负责任何法律责任。 前言: SQL Serv
原文出处:http://blog.csdn.net/dba_huangzj/article/details/37924127 ,专题目录:http://blog.csdn.net/dba_huangzj/article/details/37906349未经作者同意,任何人不得以“原创”形式发布,也不得已用于商业用途,本人不负责任何法律责任。
前言:
SQL Server是一个Windows 服务,以某个Windows用户或系统用户权限运行在Windows操作系统上。选择合适的帐号运行SQL Server是非常重要的,本系列文章只关注安全性方面。
选择合适的帐号之所以非常重要,其中一个原因是如果权限不恰当,用户(客户端)可以通过SQL Server对Windows OS或其他资源进行非预期使用。
实现:
首次选择帐号发生在安装过程中,但是在安装过后可以更改,如何安装SQL Server超出本文范围,所以这里跳过安装过程中选择帐号部分。在安装完毕之后,可以根据下面步骤实现。
实现步骤:
1. 在命令行输入:services.msc 打开服务管理器。找到SQL Server服务,如图:
3. 打开SQL Server 配置管理器,找到SQL Server对应实例名的选项,本人机上有两个实例,一个是2008R2,一个是2012,2012为命名实例,所以选择SQL Server(SQL2012)这个服务,并右键选择【属性】,如图:
4. 打开【属性】页之后,选择【登录】页,如图:
5. 选择【内置帐户】,下拉框中有三种可选项,后续部分将介绍这些帐号:
6. 当修改了帐号之后,点击【确定】按钮,会提示需要重启SQL Server服务,点击【是】,然后重启服务,由于修改运行帐号必须重启服务,所以如果在正式环境下,需要谨慎,并且计划性地修改。
7. 至此,我们演示了如何修改SQL Server的运行帐号。接下来将介绍一些原理及注意事项。
原理:
SQL Server服务继承了底层操作系统(即Windows OS)上Windows帐号的权限。它并不一定需要有所在机器上的管理员权限。只需要有对数据文件/事务日志文件、错误日志文件、备份文件所在目录的权限和少量系统权限即可。
如果在安装SQL Server之后修改服务帐号,强烈建议使用SQL Server配置管理器实现,而不要用Windows 服务控制管理器,因为后者并不能很好地进行权限管控。
在Windows Server 2008 R2中,在安装SQL Server过程中默认使用虚拟帐号(Virtual Account,将在后续文章介绍)作为启动帐号。如果在步骤5中选择了【内置帐号】,不需要提供密码,这些密码由操作系统管理和预设。下面简要介绍一下步骤5中的两类帐号:
Local System:这是一个拥有所在计算机上管理员权限的Windows 系统帐号,在网络中显示为(你可以选择一个已经创建的Windows或域帐号,以全名形式((
作为实践,建议使用实际Windows 帐号替代内置帐号,因为内置帐号被多种服务所共享,权限管控不如实际WIndows 帐号。比如攻击者可以使用管理员权限登录SQL Server,并用xp_cmdshell等外部存储过程进行操作系统级别的攻击。使用实际Windows帐号能减少这种情况的发生机会。
更多信息:
要允许一个Windows帐号能用于运行一个服务(不是所有帐号都能运行服务),需要授予【Log on as a service right】(中文为【信任计算机和用户帐户可以执行委派】)权限,步骤如下:
1. 在本机上,打开管理工具,并选择【Local Security Policy】,中文为【本地安全策略】,Win8 系统可以控制面板→【系统和安全】中找到【Log on as a service right】(中文为【信任计算机和用户帐户可以执行委派】):
2.添加所需帐号,如图:
如果使用WIndows Server Core版本,由于没有GUI可以修改,也有可能你不能直接登录目标服务器用GUI操作(非core版本)时,可以在另外一些机器上实现配置:
步骤:
1. 打开计算机管理器(compmgmt.msc)右键根目录,选择【连接到另一台计算机】,输入服务器地址,如图:
成功连接之后会变成下图,注意【计算机管理(本地)】 已经变成了【计算机管理(SQL-A)】:
2.在【服务和应用程序】节点可以找到SQL Server配置管理器,然后就可以进行前面所说的配置了。
创建域用户作为服务帐号:
如果在域环境下,可以在活动目录服务器(Active Directory Server)上通过【Active Directory 管理中心】(Active Directory Administrative Center)上的【Active Directory 用户和计算机】(Active Directory Users and Computers )工具添加用户到域环境的机器上。如图:
在创建时,用户选项只勾选下图即可,除非特殊需要,否则不建议勾选【用户下次登录须更改密码】:
如果希望用于服务帐号的密码超时,建议使用Windows Server 2008出现的【托管服务帐号】(managed service accounts),这部分在后续文章介绍。
扩展阅读:
配置 Windows 服务帐户和权限(http://msdn.microsoft.com/zh-cn/library/ms143504.aspx)
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
When might a full table scan be faster than using an index in MySQL?
Apr 09, 2025 am 12:05 AM
Full table scanning may be faster in MySQL than using indexes. Specific cases include: 1) the data volume is small; 2) when the query returns a large amount of data; 3) when the index column is not highly selective; 4) when the complex query. By analyzing query plans, optimizing indexes, avoiding over-index and regularly maintaining tables, you can make the best choices in practical applications.
Can I install mysql on Windows 7
Apr 08, 2025 pm 03:21 PM
Yes, MySQL can be installed on Windows 7, and although Microsoft has stopped supporting Windows 7, MySQL is still compatible with it. However, the following points should be noted during the installation process: Download the MySQL installer for Windows. Select the appropriate version of MySQL (community or enterprise). Select the appropriate installation directory and character set during the installation process. Set the root user password and keep it properly. Connect to the database for testing. Note the compatibility and security issues on Windows 7, and it is recommended to upgrade to a supported operating system.
Explain InnoDB Full-Text Search capabilities.
Apr 02, 2025 pm 06:09 PM
InnoDB's full-text search capabilities are very powerful, which can significantly improve database query efficiency and ability to process large amounts of text data. 1) InnoDB implements full-text search through inverted indexing, supporting basic and advanced search queries. 2) Use MATCH and AGAINST keywords to search, support Boolean mode and phrase search. 3) Optimization methods include using word segmentation technology, periodic rebuilding of indexes and adjusting cache size to improve performance and accuracy.
Difference between clustered index and non-clustered index (secondary index) in InnoDB.
Apr 02, 2025 pm 06:25 PM
The difference between clustered index and non-clustered index is: 1. Clustered index stores data rows in the index structure, which is suitable for querying by primary key and range. 2. The non-clustered index stores index key values and pointers to data rows, and is suitable for non-primary key column queries.
MySQL: Simple Concepts for Easy Learning
Apr 10, 2025 am 09:29 AM
MySQL is an open source relational database management system. 1) Create database and tables: Use the CREATEDATABASE and CREATETABLE commands. 2) Basic operations: INSERT, UPDATE, DELETE and SELECT. 3) Advanced operations: JOIN, subquery and transaction processing. 4) Debugging skills: Check syntax, data type and permissions. 5) Optimization suggestions: Use indexes, avoid SELECT* and use transactions.
The relationship between mysql user and database
Apr 08, 2025 pm 07:15 PM
In MySQL database, the relationship between the user and the database is defined by permissions and tables. The user has a username and password to access the database. Permissions are granted through the GRANT command, while the table is created by the CREATE TABLE command. To establish a relationship between a user and a database, you need to create a database, create a user, and then grant permissions.
Explain different types of MySQL indexes (B-Tree, Hash, Full-text, Spatial).
Apr 02, 2025 pm 07:05 PM
MySQL supports four index types: B-Tree, Hash, Full-text, and Spatial. 1.B-Tree index is suitable for equal value search, range query and sorting. 2. Hash index is suitable for equal value searches, but does not support range query and sorting. 3. Full-text index is used for full-text search and is suitable for processing large amounts of text data. 4. Spatial index is used for geospatial data query and is suitable for GIS applications.
Can mysql and mariadb coexist
Apr 08, 2025 pm 02:27 PM
MySQL and MariaDB can coexist, but need to be configured with caution. The key is to allocate different port numbers and data directories to each database, and adjust parameters such as memory allocation and cache size. Connection pooling, application configuration, and version differences also need to be considered and need to be carefully tested and planned to avoid pitfalls. Running two databases simultaneously can cause performance problems in situations where resources are limited.
