SQL MBSA Question on Folder Permission

  • Question

  • Hi,

    I am running SQL Server 2008 Enterprise on Windows Server 2008 Enterprise and checking the security status using MBSA 2.2. The SQL instance and agent services are running under a domain account.

    For the 'Folder Permissions' section in the MBSA output, I get the 'Permissions on the SQL Server and/or MSDE installation folders are not set properly.' result for the below directories for the MSSQL10.TEST_DB instance.

    C:\Program Files\Microsoft SQL Server\MSSQL10.TEST_DB\MSSQL\Binn

    C:\Program Files\Microsoft SQL Server\MSSQL10.TEST_DB\MSSQL\Data

    With the user being something like 'HOST1\SQLServerMSSQLUser$HOST1$TEST_DB', which is the SQL Server group created for this instance. This Windows group contains the permissions needed to start up the instance, so obviously if I remove this group from the ACL for the above directories, the instance cannot start up (but the MBSA scan will then pass).

    I have tried replacing the SQL Server group with the actual service account used to start up the services in the ACL for these directories, but MBSA still flags this user with the 'Permissions on the SQL Server and/or MSDE installation folders are not set properly.' result. The service account used to start up the instance needs to have full access control to these directories, so why is MBSA reporting otherwise?

    It also seems to run the same checks on a 'TEST_DB' instance, with the Folder permissions result for this one being passed (green tick) but under the 'Folder' column it displays 'Internal error'.

    What is the difference between the instances, 'MSSQL10.TEST_DB' and 'TEST_DB' and why does it run the same checks on both of them when there is only one physical instance?

    Could someone please help to explain the above behaviour of the MBSA tool, because it is very confusing. Thanks in advance,

    Monday, February 28, 2011 1:37 AM

Answers

  • Hi,

    >>What is the difference between the instances, 'MSSQL10.TEST_DB' and 'TEST_DB' and why does it run the same checks on both of them when there is only one physical instance?

    TEST_DB is the instance name of your SQL Server instance; it is also the instance ID in your scenario, which can be different from the instance name. Therefore, MSSQL10.TEST_DB is the instance ID for the SQL Server Database Engine of the instance TEST_DB. For more information, please refer to Instance Configuration and File Locations for Default and Named Instances of SQL Server.

    Hope this helps.


    Best Regards,
    Chunsong Feng

    Tuesday, March 1, 2011 3:19 AM
    Moderator
  • For the 'Folder Permissions' section in the MBSA output, I get the 'Permissions on the SQL Server and/or MSDE installation folders are not set properly.' result for the below directories for the MSSQL10.TEST_DB instance.

    C:\Program Files\Microsoft SQL Server\MSSQL10.TEST_DB\MSSQL\Binn

    C:\Program Files\Microsoft SQL Server\MSSQL10.TEST_DB\MSSQL\Data

    With the user being something like 'HOST1\SQLServerMSSQLUser$HOST1$TEST_DB', which is the SQL Server group created for this instance. This Windows group contains the permissions needed to start up the instance, so obviously if I remove this group from the ACL for the above directories, the instance cannot start up (but the MBSA scan will then pass).

    Hi Chan & Peter,

    I can reproduce this scenario according to my tests. By default, the full control permission on the data folder is granted to the SQL Server service user group and local administrators, and Read and Execute permissions are granted to the SQL Server service user group and full control permission is granted to the local administrator group. I think you could ignore the above 'Check Failed' error message; for more information, you can refer to http://msdn.microsoft.com/en-us/library/ms143504.aspx.

    Hope this helps.


    Best Regards,
    Chunsong Feng

    Wednesday, March 2, 2011 6:35 AM
    Moderator
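
An added example (not part of the thread, and not how MBSA itself works): a PowerShell audit that compares the ACLs of the two flagged folders with the grants described in the answer above, so that ignoring the MBSA result rests on a check that no other principal can write there. The Binn expectations, the Administrators group name and the list of OS principals are assumptions.

```powershell
# Added example, not code from the thread. Requires PowerShell 3.0 or later.
# Paths and group name are the ones quoted in the question.
$Root  = 'C:\Program Files\Microsoft SQL Server\MSSQL10.TEST_DB\MSSQL'
$Group = 'HOST1\SQLServerMSSQLUser$HOST1$TEST_DB'
$Admin = 'BUILTIN\Administrators'   # assumption: default local Administrators name

# Expected grants per folder, following the answer (the Binn row is an assumption).
$Expected = @{
    "$Root\Data" = @{ $Group = 'FullControl';    $Admin = 'FullControl' }
    "$Root\Binn" = @{ $Group = 'ReadAndExecute'; $Admin = 'FullControl' }
}
# Assumption: OS principals that normally hold write access under Program Files.
$OsTrusted = 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

function Test-SqlFolderAcl {
    param([string]$Path, [hashtable]$Allowed, [string[]]$Trusted)
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a principal alter files, plus the GENERIC_ALL / GENERIC_WRITE bits.
    $write = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x50000000
    $allow   = (Get-Acl -LiteralPath $Path).Access | Where-Object { $_.AccessControlType -eq 'Allow' }
    $present = $allow | ForEach-Object { $_.IdentityReference.Value }
    foreach ($ace in $allow) {
        $id   = $ace.IdentityReference.Value
        $bits = [int]$ace.FileSystemRights
        if ($Trusted -contains $id) { continue }
        if ($Allowed.ContainsKey($id)) {
            # Expected principal: report only rights beyond its expected level.
            $max    = [int]($Allowed[$id] -as $fsr) -bor [int]$fsr::Synchronize
            $excess = $bits -band (-bnot $max)
            if ($excess) {
                [pscustomobject]@{ Path = $Path; Identity = $id; Issue = 'More rights than expected'; Rights = $ace.FileSystemRights }
            }
        } elseif ($bits -band $write) {
            # Any other principal with write-type access is the real finding.
            [pscustomobject]@{ Path = $Path; Identity = $id; Issue = 'Unexpected write access'; Rights = $ace.FileSystemRights }
        }
    }
    foreach ($id in $Allowed.Keys) {
        if ($present -notcontains $id) {
            [pscustomobject]@{ Path = $Path; Identity = $id; Issue = 'Expected grant missing'; Rights = $null }
        }
    }
}

foreach ($p in $Expected.Keys) {
    Test-SqlFolderAcl -Path $p -Allowed $Expected[$p] -Trusted $OsTrusted
}
```

No output means each folder's Allow entries match the expected set; Deny entries are not evaluated.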

All replies

  • Hi,

    I am running SQL Server 2008 Enterprise on Windows Server 2008 Enterprise and checking the security status using MBSA 2.2. The SQL instance and agent services are running under a domain account.

    For the 'Folder Permissions' section in the MBSA output, I get the 'Permissions on the SQL Server and/or MSDE installation folders are not set properly.' result for the below directories for the MSSQL10.TEST_DB instance.

    C:\Program Files\Microsoft SQL Server\MSSQL10.TEST_DB\MSSQL\Binn

    C:\Program Files\Microsoft SQL Server\MSSQL10.TEST_DB\MSSQL\Data

    With the user being something like 'HOST1\SQLServerMSSQLUser$HOST1$TEST_DB', which is the SQL Server group created for this instance. This Windows group contains the permissions needed to start up the instance, so obviously if I remove this group from the ACL for the above directories, the instance cannot start up (but the MBSA scan will then pass).

    I have tried replacing the SQL Server group with the actual service account used to start up the services in the ACL for these directories, but MBSA still flags this user with the 'Permissions on the SQL Server and/or MSDE installation folders are not set properly.' result. The service account used to start up the instance needs to have full access control to these directories, so why is MBSA reporting otherwise?

    It also seems to run the same checks on a 'TEST_DB' instance, with the Folder permissions result for this one being passed (green tick) but under the 'Folder' column it displays 'Internal error'.

    What is the difference between the instances, 'MSSQL10.TEST_DB' and 'TEST_DB' and why does it run the same checks on both of them when there is only one physical instance?

    Could someone please help to explain the above behaviour of the MBSA tool, because it is very confusing. Thanks in advance,

    Peter

    Thursday, February 24, 2011 8:45 AM