none
Database Settings for SharePoint RRS feed

  • Question

  • Good Afternoon SharePoint Pros,

    Me again with a question regarding database settings. We ran a query to check on security settings in our SharePoint 2013 sql instances and we found the following things on or enabled:

    baseline_test

    baseline_desc

    audit_test

    audit_value

    expected_value

    2.8

    Scan For Startup Procs

    value_in_use

    1

    0

    2.9

    Set Trustworthy Option Off

    MySPEnvironment_SBMessageContainer

    Option Set to ON

    Option Set to OFF

    3.9

    Ensure Windows BUILTIN groups are not SQL Logins

    BUILTIN\Administrators

    GRANT

    CONNECT SQL

    Basically my question is, if I turn those off  or set them to defaults do you know if my SharePoint environment will fail? Or even better, do you know why they would be specifically turned on?

    1. Scan for Startup Procs - Should be set to 0 and it is 1
    2. Set Trustworthy Option Off - Should be OFF and it's on
    3. Ensure Windows Built-in Groups are not SQL Logins - Should be Connect SQL and it's setup to GRANT

    I have looked online but I can't find anything. Just thought I picked your brain to see anyone knows if these specific settings are a requirements for SharePOInt to run. Again my farm is a SharePoint 2013 patched up to the July 2019 CU.

    Thank you,
    OT


    OT


    Tuesday, July 16, 2019 7:26 PM

Answers

  • Hi Oliver,

    1) Run the below query to check if it has any relation with SharePoint Databases if it doesn't display 1 for SharePoint Databases then the settings doesn't matter. but by Default the Value is Set to 0.

    select *
    from sys.procedures
    where is_auto_executed = 1

    2) You can use the TRUSTWORTHY database setting to indicate whether the instance of Microsoft SQL Server trusts the database and the contents within the database. By default, this setting is set to OFF. However, you can set it to ON by using the ALTER DATABASE statement. Microsoft recommend that you leave this setting set to OFF to mitigate certain threats. Seems like the Database is a Service Bus Message Container which creates while configuring workflow farm.

    3) Built in Administrators no longer adds automatically after SQL 2008, Someone might have added or while configuring workflow manager someone might have specified this for managing the Service Bus farm.

    you can't remove directly because it might break the workflows for sharepoint. you have to set the service account to the service bus farm first then you can remove this is.

    Thanks & Regards,


    sharath aluri

    Tuesday, July 16, 2019 8:27 PM

All replies

  • Because these are generally undocumented from a SharePoint perspective, you should follow up with a Microsoft Support case as they will ask the product group directly. 3) should be safe, though.

    Trevor Seward

    Office Apps and Services MVP



    Author, Deploying SharePoint 2019

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, July 16, 2019 8:20 PM
    Moderator
  • Hi Oliver,

    1) Run the below query to check if it has any relation with SharePoint Databases if it doesn't display 1 for SharePoint Databases then the settings doesn't matter. but by Default the Value is Set to 0.

    select *
    from sys.procedures
    where is_auto_executed = 1

    2) You can use the TRUSTWORTHY database setting to indicate whether the instance of Microsoft SQL Server trusts the database and the contents within the database. By default, this setting is set to OFF. However, you can set it to ON by using the ALTER DATABASE statement. Microsoft recommend that you leave this setting set to OFF to mitigate certain threats. Seems like the Database is a Service Bus Message Container which creates while configuring workflow farm.

    3) Built in Administrators no longer adds automatically after SQL 2008, Someone might have added or while configuring workflow manager someone might have specified this for managing the Service Bus farm.

    you can't remove directly because it might break the workflows for sharepoint. you have to set the service account to the service bus farm first then you can remove this is.

    Thanks & Regards,


    sharath aluri

    Tuesday, July 16, 2019 8:27 PM

  • Hi Oliver_Tech, 

    Please remember to mark the helpful posts as answers.

    Thanks for your understanding. 

    Best Regards, 

    Lisa Chen 



    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    SharePoint Server 2019 has been released, you can click here to download it.
    Click here to learn new features. Visit the dedicated forum to share, explore and talk to experts about SharePoint Server 2019.

    Wednesday, July 17, 2019 2:49 AM
    Moderator
  • Thank you.

    OT

    Thursday, July 18, 2019 8:01 PM
  • I'll give this a try thanks.

    OT

    Thursday, July 18, 2019 8:01 PM
  • I'll try the suggestions and report back.

    OT


    OT

    Thursday, July 18, 2019 8:02 PM