Auditors requesting that we use MBSA to pass their security requirements
-
Wednesday, September 12, 2012 4:28 PM
We've been asked by our auditors to make sure our servers pass the MBSA tests to comply with their auditing requirements.
I've made a start by completing the requests on the folder permissions...
I removed (CFSMULTFS01\Users) and I removed (CFSMULTFS01\SQLServerMSSQLUser$cfsmultfs01$MSSQLSERVER).
At this point I thought I'd test SQL to make sure all is well but it wouldn't start.
Luckily I noted down (CFSMULTFS01\SQLServerMSSQLUser$cfsmultfs01$MSSQLSERVER) and I was able to put it back in.
I tried to start SQL again and it worked.
I then removed (CREATOR OWNER) and got the following error and another on Model and MSDB I think.
and then an error about "Stopping the propagation of permission settings leads to an inconsistent state, in which some objects have the settings but others don't. If you made the change by mistake, you should apply the correct change immediately to achieve a consistent state".
and now SQL Agent doesn't seem to start.
Why is MBSA highlighting the above as a security concern but when I carry out what it asks, SQL fails to work? Am I doing something wrong?
Also what do I tell the auditors, I can't say that MBSA is wrong!
Thanks,
CJ
- Edited by BigJeffIE Thursday, September 13, 2012 10:48 AM Name change for Security
All Replies
-
Wednesday, September 12, 2012 7:03 PM
What SQL Server release are you using?
I know that MBSA supports up to SQL 2005.
http://www.microsoft.com/en-us/download/details.aspx?id=7558
Sebastian Sajaroff Senior DBA Pharmacies Jean Coutu
-
Wednesday, September 12, 2012 7:47 PM
1) MBSA gives you an overview, but before applying its recommendations you have to analyze them.
2) I do not see any reason for removing the CREATOR OWNER account, as no one can use this account to log in to the system or access the directory. It's a default account that comes into folder security when something is created by some application / process.
3) MBSA is also available for higher SQL Server versions.
Possible solutions:
1) Add the SQL service login account, with full access, to the security of the folder holding the SQL Server files
2) Try to use SQL Server (restart the SQL services after step 1; sometimes it will not come into the picture with a SQL service restart)
3) If things do not work fine, add CREATOR OWNER back into the permissions
4) Try to use SQL Server (restart the SQL services after step 1; sometimes it will not come into the picture with a SQL service restart)
Check & share the things.
Please click the Mark as Answer or Vote As Helpful if a post solves your problem or is helpful!
- Edited by RohitGargMicrosoft Community Contributor Wednesday, September 12, 2012 7:48 PM
-
Thursday, September 13, 2012 10:07 AM
Hi Sebastian,
It's on a Windows 2008 R2 server and SQL is 2008 Standard.
It does say that that is supported but I get the impression that it's not been developed fully enough to work as well as with the older versions. In another post I ask about SSIS roles and the fact that it's commenting on DTS and not SSIS, which seems to back up that theory.
Thanks,
CJ
- Edited by BigJeffIE Thursday, September 13, 2012 10:48 AM Name change for Security
-
Thursday, September 13, 2012 10:23 AM
Thanks Rohit,
I followed your train of thought and have got it all back working again with a very low privileged account that's only local to the server, has logon as a server right and doesn't belong to any groups. I then added that to the folders holding the files and it seems to work ok.
Unfortunately MBSA is still complaining that this account has permissions on the folders.
I'm happy with it but I'm concerned about what the auditors will say. I have to do this with a lot more servers so they're all going to be showing a big red alert next to them :(
Thanks,
CJ
- Edited by BigJeffIE Thursday, September 13, 2012 10:49 AM Name change for Security
-
Thursday, September 13, 2012 6:21 PM
Hi BigJeffiE
As I said before, MBSA gives you an overview, but before applying its recommendations you have to analyze them.
MBSA works on best practices, according to which no user has access rights on the SQL Server data folder. But in your case the SQL Server & SQL Agent accounts have permission, and no other user except those. If I am not wrong, both users are the SQL Server & SQL Agent service login accounts. So I do not think it will be an issue. Again, as you mention, you have given low-level access on the folder.
I know handling auditors is a tough task. But for each thing, before the auditors you need to have clear, solid & transparent points.
Please click the Mark as Answer or Vote As Helpful if a post solves your problem or is helpful!
- Edited by RohitGargMicrosoft Community Contributor Thursday, September 13, 2012 6:21 PM
- Marked As Answer by BigJeffIE Tuesday, September 18, 2012 2:27 PM
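
An added example, not part of any post in this thread: a PowerShell (3.0 or later) function that lists the access entries on a SQL Server data folder and marks the ones outside an expected list, which gives a record to set beside the MBSA finding. The function name, the folder path and the expected identities are assumptions and placeholders.

```powershell
# Added example: report who holds rights on a SQL Server data folder so the
# result can be compared with the MBSA finding and documented for an auditor.
# Get-SqlFolderAclReport is a hypothetical helper name, not an existing cmdlet.
function Get-SqlFolderAclReport {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $Expected  # identities meant to be present
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity  = $id
            Type      = $ace.AccessControlType   # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited         # inherited entries are changed on the parent
            Expected  = $Expected -contains $id  # -contains compares case-insensitively
        }
    }
}

# Placeholder values (assumptions): replace with the instance's real data
# folder and the accounts that are supposed to hold rights on it.
$DataPath = 'D:\PLACEHOLDER\MSSQL\DATA'
$Expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'PLACEHOLDER-HOST\sql-service-account',
    'PLACEHOLDER-HOST\sql-agent-service-account'
)

if (Test-Path -LiteralPath $DataPath) {
    $report = @(Get-SqlFolderAclReport -Path $DataPath -Expected $Expected)
    $report | Sort-Object Expected, Identity | Format-Table -AutoSize

    # Allow entries for identities outside the expected list are the ones to
    # review or to justify in writing.
    $unexpected = @($report | Where-Object { -not $_.Expected -and $_.Type -eq 'Allow' })
    '{0} unexpected Allow entries on {1}' -f $unexpected.Count, $DataPath
} else {
    "Path not found: $DataPath (placeholder not replaced?)"
}
```

Running it before and after a permission change, and keeping both outputs, records exactly which entries were removed if a service later fails to start.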

