Odd file permission on atxcore.dll

  • Question

  • We're in the process of deploying SQL Server 2014 in our processing environment.  As part of that deployment, I've been performing a security audit on a fresh install of SQL Server.  One of the requirements of the audit is to validate the file permissions on all files that are part of the SQL installation.  To that end, I wrote a small PowerShell script (PowerShell is awesome!) that crawls all the files and folders, checking for any abnormal file permissions.  Almost all of the permissions were in line with what I expected (Full control for system/admins, read/execute for users, etc.).  However, I ran across one entry that seems odd to me.

    On [Volume Letter]:\Program Files\Microsoft SQL Server\[Instance Name]\MSSQL\Binn\atxcore.dll, the SQL Server service account (in my case, NT Service\MSSQLServer) has permission to change permissions (i.e. Write DAC).

    While I could just remove the permissions, I'm a little hesitant to do so without any understanding of why it's there in the first place.  

    So, does anyone know why the SQL Server service account would need the ability to dynamically adjust the permissions of this file? Can anyone else confirm this is the case on their installation of SQL Server 2014?

    Thanks.

    Wednesday, August 24, 2016 3:18 PM

All replies

  • Hi Jon,

    As per my thinking, those are SQL Server internal. If you need additional information, it is better to contact the MS SQL Server Setup support team.

    I hope you can't find much on googling as well.

    Thanks, Satish Kumar. Please mark this post as answered if my answer helps you to resolve your issue :)

    Wednesday, August 24, 2016 3:41 PM
  • Hi Jon Brewer,

    This dll file belongs to the SQL Server Agent ActiveX subsystem, so it's normal that the SQL Server service account requires permission on it; there is nothing to worry about. Since the ActiveX subsystem is deprecated in SQL Server 2016, you won't see it in the SQL Server 2016 installation folder.

    If you have any other questions, please let me know.

    Regards,
    Lin
    Thursday, August 25, 2016 5:42 AM
  • Hi Lin,

    Thanks for the reply.

    I agree it is normal for the SQL Server account to have read/execute permissions on most everything in the SQL program files folder.  However, this is the only executable (exe/dll) I found on which the SQL Server account has permission to change permissions.  It seems strange to me that the SQL Server process would ever need to modify permissions on (or potentially give itself write access to) one of its own program files.

    I'm part of one of those massive enterprise environments, so, unfortunately, I have to wait a couple more years before they will allow us to deploy SQL 2016.

    Thursday, August 25, 2016 7:51 PM
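
The audit described in the question and in the last reply, as an added example (this is not the original poster's script, which the thread does not show): it walks the SQL Server program files and reports every allow ACE on an exe/dll that grants change-permissions (Write DAC) or take-ownership to a principal outside an expected list. The default root path and the trusted-principal list are assumptions to adjust per environment.

```powershell
# Added example: flag ACEs on SQL Server binaries that let a principal other
# than the expected administrative ones rewrite the DACL or take ownership.
param(
    # Assumed default; point this at the install root or the instance's Binn folder.
    [string]$Root = 'C:\Program Files\Microsoft SQL Server',
    # Assumed allow-list of principals expected to hold these rights.
    [string[]]$Trusted = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'NT SERVICE\TrustedInstaller'
    )
)

# ChangePermissions corresponds to WRITE_DAC, TakeOwnership to WRITE_OWNER.
# Either one lets the holder end up with write access to the binary.
$rights = [System.Security.AccessControl.FileSystemRights]
$risky  = [int]$rights::ChangePermissions -bor [int]$rights::TakeOwnership

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $file = $_
        try {
            $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($file.FullName)"
            return   # skip this file, continue with the next one
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $risky) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $file.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False = set explicitly on the file
            }
        }
    } |
    Sort-Object Identity, Path |
    Format-Table -AutoSize -Wrap
```

An explicit (non-inherited) entry on a single file, like the one reported for atxcore.dll, shows up with `Inherited` set to `False`, which separates it from permissions that merely flow down from the parent folder.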