locked
Folder Permissions RRS feed

  • Question

  • I ran Microsoft Baseline Security Analyzer on both SQL 2005 and 2008 servers and it's reporting to do the following. Is this valid or should I ignore?

    Permissions on the SQL Server and/or MSDE installation folders are not set properly.

    Folder
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn
    User
    BUILTIN\Performance Log Users

    Folder
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn
    User
    BUILTIN\Performance Monitor Users

    Folder
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn
    User
    BUILTIN\Users

    Folder
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn
    User
    <machine name>\SQLServer2005SQLAgentUser$<machine name>$MSSQLSERVER

    Folder
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn
    User
    <machine name>\SQLServer2005MSSQLUser$<machine name>$MSSQLSERVER

    Folder
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn
    User
    BUILTIN\CREATOR OWNER

    Folder
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data
    User
    <machine name>\SQLServer2005MSSQLUser$<machine name>$MSSQLSERVER

    Folder
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data
    User
    BUILTIN\CREATOR OWNER


    • Edited by eugeneyi Tuesday, October 18, 2011 10:25 PM
    Tuesday, October 18, 2011 10:23 PM

Answers

All replies

  • You need to examine what the security settings are for these folders before you know what to do.  Does the Baseline Security Advisor documentation have suggestions about the proper settings for these folders?

    In any case you can find documentation here for SQL Server:

    http://msdn.microsoft.com/en-us/library/ms143504.aspx

    RLF

    Tuesday, October 18, 2011 11:09 PM
  • A probable cause of the security warning is that too many accounts have rights to the folders outlined above.  For example, it could be that All Users has rights to what security thinks of as a private location only needed by certain services and the Administrators.

    RLF

     

    Wednesday, October 19, 2011 12:18 PM
  • Hi Mipporin,

    >> Permissions on the SQL Server and/or MSDE installation folders are not set properly.

    Be default, the full control permissions on data folder are granted to SQL Server service user group and local administrators. The Read and Execute permissions are granted to SQL Server service user group and full control permission are granted to local administrator group as Alex mentioned in this thread, which has the same scenario as yours. Please have a look the third reply as below: http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/03e470dc-874d-476d-849b-c805acf5b24d

    So I think you could ignore the above error message.
    For more information, you can refer to http://msdn.microsoft.com/en-us/library/ms143504.aspx.
    Hope this helps.


    Regards, Amber zhang
    • Marked as answer by Stephanie Lv Tuesday, October 25, 2011 3:36 AM
    Thursday, October 20, 2011 8:13 AM