NT AUTHORITY\SYSTEM account. Access to a network folder under NT AUTHORITY\NetworkService


Built-in SQL Server 2005 logins: BUILTIN\Administrators, NT AUTHORITY\SYSTEM, sa

Immediately after SQL Server 2005 is installed, the Logins container holds a set of logins that are created automatically. Most likely, you will not use them to connect users. However, there are situations in which knowing the built-in logins can be useful (for example, if your administrative login is accidentally blocked).

- BUILTIN\Administrators (the group name is localized, depending on the language of the operating system) - the login for this Windows group is automatically granted SQL Server system administrator rights. Note that if the computer is part of a domain, the Domain Admins group automatically becomes a member of this group, and thus Domain Admins have full rights to SQL Server by default. If this is undesirable, this login can be deleted. But even in that case, it will be easy for domain administrators to access SQL Server data.

- Server_name\SQLServer2005MSFTEUser$Server_name$Instance_name, Server_name\SQLServer2005MSSQLUser$Server_name$Instance_name, Server_name\SQLServer2005SQLAgentUser$Server_name$Instance_name - these three logins for Windows groups are used to connect the corresponding services to SQL Server 2005. At the SQL Server 2005 level, there is no need to perform any operations with them, since all the necessary rights are already granted. In rare situations, you may need to add the accounts that run SQL Server services to these groups at the Windows level.

- NT AUTHORITY\NETWORK SERVICE - ASP.NET applications, including Reporting Services, run under this account in Windows Server 2003 (in Windows 2000 the ASPNET account is used for this purpose). This Windows login is used to connect to SQL Server Reporting Services. It is automatically granted the necessary rights to the master and msdb databases and to the databases used by Reporting Services.

- NT AUTHORITY\SYSTEM is the local system account of the operating system. This login appears when, during installation, you configured the SQL Server service to run under the local system account. In effect, SQL Server uses this login to access itself. Of course, this login has SQL Server system administrator rights.

- sa (from System Administrator) is the only login of the SQL Server type that is created by default. It has SQL Server system administrator rights, and these rights cannot be taken away from it. You cannot delete this login either, but it can be renamed or disabled. If SQL Server 2005 is configured to authenticate using Windows only, you will not be able to use this login to connect to the server.
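
To see which of these logins actually hold system administrator rights on a given instance, the sysadmin role membership can be listed. This is an added example, not part of the original article; it assumes Windows PowerShell, Windows authentication, and a hypothetical instance name in $instance.

```powershell
# Added example: list members of the sysadmin fixed server role.
$instance = 'localhost'   # hypothetical; use Server_name\Instance_name

$query = @"
SELECT p.name, p.type_desc, p.is_disabled,
       CASE WHEN p.sid = 0x01 THEN 1 ELSE 0 END AS is_sa
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$instance;Database=master;Integrated Security=SSPI")
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    $rows = while ($reader.Read()) {
        [pscustomobject]@{
            Login    = [string]$reader['name']
            Type     = [string]$reader['type_desc']
            Disabled = ([int]$reader['is_disabled'] -eq 1)
            # SID 0x01 identifies sa even after it has been renamed
            IsSa     = ([int]$reader['is_sa'] -eq 1)
        }
    }
    $reader.Close()
}
finally {
    $conn.Dispose()
}

# Mark the built-in entries discussed above (the BUILTIN name is localized)
$builtin = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
$rows |
    Select-Object Login, Type, Disabled, IsSa,
        @{ Name = 'BuiltIn'; Expression = { $_.IsSa -or ($builtin -contains $_.Login) } } |
    Format-Table -AutoSize
```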

As part of one of the projects, I had to configure an application that was supposed to back up a database on a remote MS SQL server to a file storage on another server. To access the remote storage, the account under which MS SQL is running is used. In our case, MS SQL ran under the local Network Service account (NT AUTHORITY\NetworkService). Naturally, this local account does not have any permissions on the remote share. Of course, you could switch MS SQL to run under a domain account (or ), but you can also configure remote access to the share for NT AUTHORITY\NetworkService.

How to allow access to other computers under the NetworkService account

If you need to provide access to several computers, the easiest way is to combine them into one group and provide access to the group. Create a new group in AD and add to it all computer accounts that should access the network resource with Network Service rights. In the folder properties, grant the required permissions to the group.

What about other local accounts?

When you grant access to a resource through a computer account, is access granted to all other local accounts? No – access will only be available to the System and Network Service accounts. Any other local accounts that need access to a network resource will have to be granted access individually.
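
The group-based setup described above can be scripted as follows. This is an added example, not part of the original article; the group, OU, computer, share and folder names are hypothetical, and it assumes the ActiveDirectory module and an existing SMB share.

```powershell
# Added example: give several computers' NetworkService/System identities
# access to a share through one AD group. All names below are hypothetical.
Import-Module ActiveDirectory

$groupName = 'SQL-Backup-Writers'
$ouPath    = 'OU=Groups,DC=example,DC=com'
$computers = 'SQLSRV01', 'SQLSRV02'
$shareName = 'SqlBackups'
$folder    = 'D:\SqlBackups'

# 1. Create the group and add the computer accounts to it.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
$members = $computers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $groupName -Members $members

# 2. On the file server: share-level permission for the group.
$account = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $groupName
Grant-SmbShareAccess -Name $shareName -AccountName $account -AccessRight Change -Force

# 3. NTFS permission on the folder, inherited by files and subfolders.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Review the result: only the group should appear, not individual machines.
Get-SmbShareAccess -Name $shareName | Format-Table -AutoSize
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Format-List IdentityReference, FileSystemRights, AccessControlType

# A member computer picks up the new group membership after it restarts.
```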

One only has to "Run as administrator" a program to see in the Task Manager that its user is oneself and not Administrator, and this miracle is achieved just by the modification of the access token, not by replacing the SID.

Second, NT-AUTHORITY and SYSTEM are neither accounts nor groups, in spite of what various other sources say (even inside Microsoft). An SID usually has a name that is displayed whenever required. A user account will contribute its SID as principal SID to the access token, which will also determine the name displayed by various utilities. But the access token may contain additional SIDs, for example for all the groups to which that user account belongs. When checking permissions, Windows will look for any SID in the access token that has that permission.

Some well-known Windows SIDs will have names reported by Windows, although they do not really belong to any account.

The LocalSystem account is a predefined local account used by the service control manager. [...] Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects.

One can already see in the above text the confusion that reigns even in Microsoft documentation regarding system SIDs, which are not exactly accounts nor groups - which are just a set of permissions. This confusion further extends to other utilities and articles, so any returned information should be carefully examined.

The Microsoft article Well-known security identifiers in Windows operating systems details all system SIDs, some of which I include below:

Conclusion: NT-AUTHORITY\SYSTEM is the name of a Security ID, which is neither a group nor an account. It is displayed in Task Manager as SYSTEM when it is the principal SID of a program. The most I would call it is "a pseudo account".
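
The relationship between SIDs, their displayed names and the access token can be inspected directly. This is an added example, not part of the original answer; the four SIDs listed are standard well-known SIDs chosen for illustration, and Resolve-SidName is a helper defined here.

```powershell
# Added example: show the names Windows reports for some well-known SIDs,
# then list the principal SID and the additional SIDs of the current token.
function Resolve-SidName {
    param([string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { '<no name mapped>' }   # some SIDs have no displayable name
}

# Well-known SIDs: the name is looked up from the SID, not the other way round
$wellKnown = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20', 'S-1-5-32-544'
$wellKnown | ForEach-Object {
    [pscustomobject]@{ SID = $_; DisplayedName = Resolve-SidName $_ }
} | Format-Table -AutoSize

# The access token of the current process
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$tokenSids = @(
    # The principal SID determines the user name that utilities display
    [pscustomobject]@{
        Role          = 'Principal SID'
        SID           = $identity.User.Value
        DisplayedName = $identity.Name
    }
    # Additional SIDs in the token (groups and well-known SIDs)
    $identity.Groups | ForEach-Object {
        [pscustomobject]@{
            Role          = 'Additional SID'
            SID           = $_.Value
            DisplayedName = Resolve-SidName $_.Value
        }
    }
)
$tokenSids | Format-Table -AutoSize
```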

ATTENTION!!! ATTENTION!!! ATTENTION!!!
DANGEROUS WORM!!!

Symptoms: When working on the network, a message suddenly pops up informing you that it is necessary to terminate all programs that save data because... after 60 sec. a reboot will occur.

Diagnosis: Network worm w32.Blaster.worm. The worm exploits a vulnerability found on July 16 in the RPC DCOM service, which is present in all operating systems of the Windows 2000, Windows XP and Windows 2003 families. This vulnerability is a buffer overflow, which is caused by a properly composed TCP/IP packet arriving at port 135, 139 or 445 of the attacked computer. It allows, at a minimum, a DoS attack to be carried out (DoS means “Denial of Service”; in this case, the attacked computer is rebooted), and, at a maximum, the execution of any code in the memory of the attacked computer. When the new worm spreads, it attacks port 135 and, if successful, launches the TFTP.exe program, which it uses to download its executable file to the attacked computer. In this case, the user is given a message about stopping the RPC service and then rebooting. After a reboot, the worm automatically starts and begins scanning networks accessible from the computer for computers with open port 135. If any are detected, the worm launches an attack, and everything repeats all over again. Moreover, judging by the rate of spread at the moment, the worm will soon take first place in the lists of antivirus companies.

Medicine: There are three ways to protect yourself from the worm. First, the Microsoft bulletin contains links to patches for all vulnerable versions of Windows that close the RPC flaw (these patches were released on July 16, so those who regularly update their system should not worry). Secondly, if port 135 is closed by a firewall, the worm will not be able to penetrate the computer. Thirdly, disabling DCOM helps as a last resort (this procedure is described in detail in the Microsoft bulletin). Thus, if you have not yet been attacked by a worm, it is strongly recommended to download a patch for your OS from a Microsoft server as soon as possible (for example, use Windows Update services), or configure blocking of ports 135, 139 and 445 in the firewall. If your computer is already infected (and the appearance of an RPC error message clearly means that it is infected), then you need to turn off DCOM (otherwise each subsequent attack will cause a reboot), then download and install the patch. To destroy the worm, you need to remove the "windows auto update"="msblast.exe" entry from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, then find and erase the file msblast.exe - this is the body of the worm. You can read more about the worm removal procedure on the Symantec website.

At the moment, not all antiviruses detect the worm; you can only hope for protection from them after updates are released.

If you haven’t received such a message yet, download patches from Uncle Bill:

Here are links to medicine for NT 4.0 and 2000, 2003 Server
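
A read-only check for the indicators named in the post above (the Run value and the msblast.exe file), as an added example that is not part of the original post. Searching under %SystemRoot% is an assumption, since the post does not say where the file is stored.

```powershell
# Added example: look for the autostart entry and file described above.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'
$fileName  = 'msblast.exe'

function Get-BlasterIndicator {
    # Autostart value: $prop stays $null when the named value does not exist
    $prop = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    $runData = if ($prop) { $prop.$valueName } else { $null }

    # Copies of the file on disk (the search root is an assumption)
    $files = @(Get-ChildItem -Path $env:SystemRoot -Filter $fileName -Recurse -File `
                   -ErrorAction SilentlyContinue)

    # A running process with the same image name
    $procName = [System.IO.Path]::GetFileNameWithoutExtension($fileName)
    $procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RunValuePresent = [bool]$prop
        RunValueData    = $runData
        Files           = @($files | ForEach-Object { $_.FullName })
        ProcessIds      = @($procs | ForEach-Object { $_.Id })
        Suspicious      = ([bool]$prop -or ($files.Count -gt 0) -or ($procs.Count -gt 0))
    }
}

$result = Get-BlasterIndicator
$result | Format-List

if ($result.Suspicious) {
    # -WhatIf only prints what would be changed; remove it to clean up for real
    if ($result.RunValuePresent) {
        Remove-ItemProperty -Path $runKey -Name $valueName -WhatIf
    }
    $result.Files | ForEach-Object { Remove-Item -LiteralPath $_ -WhatIf }
}
```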

Recently, more precisely a week ago, I grabbed a worm, and this has never happened in all my tea making! It’s night time - you can’t call a technician, and the money is only on the card - 200 rubles in the pocket. What to do, I desperately need a computer!

Through the phone I go into search engines and type in the name written in the topic title - my mother, what do I find out - this creature has been living on the Internet since 1993, and Microsoft Corporation knows about it, the creator informed them specifically. Today, when this worm gets into your computer, it acquires administrator rights and is capable of performing any tricks.

Having explored several dozen forums, having read hundreds of tips in a day, without knowing how to sleep, I climb into the depths of my system and, with shaking hands, begin to open the folders and files that I read about. With the tenacity of a hungry wolf, I am looking for the reason, but... I am too inexperienced for this. Again, through the phone, I go to our website and write to one of our moderators... The problem is very tricky and in order not to torment me, the person advises me to tear down the system and install a new one, but I have never done this myself! He tells me over the phone (sparing no expense on long-distance calls) how to do it step by step, and I sit and write it down. After that, he waits for the result, and I sit and understand that I am very sorry for the accumulated information... and I make a decision, if I demolish it, I will always have time, but now I will fight on my own.

In any case, I knew that our gurus were next to me and they would advise what to do and how. In the meantime, at my own peril and risk, I do the following:

1) The banner turns off the computer to reboot after 60 seconds - this means that this time needs to be increased, and on the advice of one forum member I manage to set the clock back a year!

2) I’m already calmly and slowly looking through the entire registry and programs through AnvirTaskManager - he was the only one who asked about the appearance of a new program, but like a sucker I allowed it to pass.

3) Not understanding anything there, I launch a full scan with AVAST, having previously installed all the extensions in the settings.

After 3.5 hours it gave me 6 infected files - here they are:

win32 malware-gen (2 pieces)

Fakeinst-T (2 pcs)

I simply remove these pests without even trying to treat them.

4) Then I go to Revo Uninstaller and delete everything that I installed over the last few days, along with AnvirTaskManager and Reg Organizer.

5) I load AVZ and launch it.

And here a problem arises - my disk is divided into two, C and N. C is scanned normally and nothing is found, but as soon as it starts scanning N the whole computer goes into a stupor. I reboot - the banner no longer pops up and I calm down, the Internet works, but Mozilla does not open, so I go through Google Chrome.

I check N in online mode. Clean! I open N, try to select a folder - again the computer freezes! After several attempts to open it, I scan it again with AVAST and, not finding anything, I decide to copy everything to C.

After copying to C, I clear all N and go into the copy - everything works!!!

An hour ago I downloaded and updated Mozilla and now I’m enjoying life. I checked everything and now I’ll update Dr.Web CureIt and put it on overnight - just to ease my conscience! So keep in mind, dear colleagues, not everything is so scary. For the safety of your computers, do as indicated in the attached file!!!

May our PCs be healthy!!!

With respect to all readers, Alexey!






