SQL2005 Default accounts

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Laurence Breeze
    #1

    SQL2005 Default accounts

    I've just been looking at a new 2005 install and found 3 logins:

    SERV1\SQLServer 2005SQLAgentUse r$SERV1$MSSQLSE RVER
    SERV1\SQLServer 2005MSSQLUser$S ERV1$MSSQLSERVE R
    SERV1\SQLServer 2005MSFTEUser$S ERV1$MSSQLSERVE R

    Are these logins created during the install of SQLServer2005 by default
    and what are they used for ? Can they be deleted safely ? If they are
    required, can the names be set during install to something else ?

    TIA

    Laurence Breeze

    Tags: None
    • Tony Rogerson
      #2
      Re: SQL2005 Default accounts

      Where are you seeing those Laurence?

      Permissioning for SQL Server 2005 is done through groups; are you sure these
      aren't actual AD groups?

      --
      Tony Rogerson
      SQL Server MVP
      http://sqlblogcasts.com/blogs/tonyrogerson - technical commentary from a SQL
      Server Consultant
      http://sqlserverfaq.com - free video tutorials


      "Laurence Breeze" <i.l.breeze@ope n.ac.ukwrote in message
      news:457EBEEE.3 060905@open.ac. uk...
      I've just been looking at a new 2005 install and found 3 logins:
      >
      SERV1\SQLServer 2005SQLAgentUse r$SERV1$MSSQLSE RVER
      SERV1\SQLServer 2005MSSQLUser$S ERV1$MSSQLSERVE R
      SERV1\SQLServer 2005MSFTEUser$S ERV1$MSSQLSERVE R
      >
      Are these logins created during the install of SQLServer2005 by default
      and what are they used for ? Can they be deleted safely ? If they are
      required, can the names be set during install to something else ?
      >
      TIA
      >
      Laurence Breeze
      >

        Comment

        • Erland Sommarskog
          #3
          Re: SQL2005 Default accounts

          Tony Rogerson (tonyrogerson@s qlserverfaq.com ) writes:
          Where are you seeing those Laurence?
          >
          Permissioning for SQL Server 2005 is done through groups; are you sure
          these aren't actual AD groups?
          I got the corresponding on my server (in sys.server_prin cipals). And are
          definitely not any AD groups, as this is a workgroup machine.

          But they are indeed groups.

          I would not drop them. That could end in tears.


          --
          Erland Sommarskog, SQL Server MVP, esquel@sommarsk og.se

          Books Online for SQL Server 2005 at
          http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx

          Books Online for SQL Server 2000 at
          http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

            Comment

            • Laurence Breeze
              #4
              Re: SQL2005 Default accounts

              Thanks for your advice. I first noticed the logins in Management
              Studio. I've done a bit more digging around and found some other
              unexpected security objects.

              Running sp_helplogins gives the 3 logins previously mentioned and 4
              others I wasn't expecting:

              ##MS_AgentSigni ngCertificate##
              ##MS_SQLAuthent icatorCertifica te##
              ##MS_SQLReplica tionSigningCert ificate##
              ##MS_SQLResourc eSigningCertifi cate##

              These also appear in the sys.server_prin ciples catalog.

              I'm comfortable with leaving these as they are, but I guess I always
              like to "know" what unexpected database objects are for, how they work
              etc. In addition, I have a centralised security system that records
              DBMS server and DB permissions for multiple DBMS types. This is used by
              my batch process that manages DBMS/database security each day. At the
              moment for this one SQLServer 2005 server it thinks it should remove
              these logins, which is a nuisence. I'll have to alter the batch job to
              take account of these logins.

              Thanks again.

              Laurence Breeze,
              DBA Team Leader,
              The Open University.
              UK


              Erland Sommarskog wrote:
              Tony Rogerson (tonyrogerson@s qlserverfaq.com ) writes:
              >
              >>Where are you seeing those Laurence?
              >>
              >>Permissioni ng for SQL Server 2005 is done through groups; are you sure
              >>these aren't actual AD groups?
              >
              >
              I got the corresponding on my server (in sys.server_prin cipals). And are
              definitely not any AD groups, as this is a workgroup machine.
              >
              But they are indeed groups.
              >
              I would not drop them. That could end in tears.
              >
              >

                Comment

                • Erland Sommarskog
                  #5
                  Re: SQL2005 Default accounts

                  Laurence Breeze (i.l.breeze@ope n.ac.uk) writes:
                  Running sp_helplogins gives the 3 logins previously mentioned and 4
                  others I wasn't expecting:
                  >
                  ##MS_AgentSigni ngCertificate##
                  ##MS_SQLAuthent icatorCertifica te##
                  ##MS_SQLReplica tionSigningCert ificate##
                  ##MS_SQLResourc eSigningCertifi cate##
                  >
                  These also appear in the sys.server_prin ciples catalog.
                  It would a bad idea to delete these. These logins are mapped to
                  certificates and it is not possible to log in as these. (You see this
                  in the type_desc column.)

                  Certificates mapped to logins are used in scheme which makes it possible
                  to grant permissions to users through an SQL module. Exactly what these
                  four predefined login are used for I don't know, but dropping them
                  could cause problems the day you would have needed them.

                  Overall, there is a lot of new stuff around security in SQL 2005.

                  --
                  Erland Sommarskog, SQL Server MVP, esquel@sommarsk og.se

                  Books Online for SQL Server 2005 at
                  http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx

                  Books Online for SQL Server 2000 at
                  http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

                    Comment

                    Previous template Next
                    Working...