locked
SQL Run As RRS feed

  • Question

  • I'm running most of my SQL monitoring without using the run as account. Some are using local system as SA and some aren't. Local system is of course a local admin on the server so it can do quite a bit already. My question is: what do you really gain by adding the SQL permissions to the SQL run as account? I see you gain some ability to run a few tasks. Say I don't even need those tasks, what do I gain then? From what I can tell it looks like you don't gain that much. Am I mistaken?

    I'm asking because if I can get away with not using it I would definately prefer to.

    Tuesday, January 18, 2011 6:08 PM

Answers

  • Hi

    The latest SQL MP changed the situations \ alerts that you would get. Previously, there were times that you didn't get an alert about Run As Account problems but didn't realise that monitoring wasn't taking place so this is an improvement.

    I don't know of a definitive list of what you  can't achieve if the Run As Account doesn't have SQL Sysadmin rights. Any rules \ monitors that require this level of access will fail which you are aware of but the only way I can suggest to get an idea of what will fail is to look in the operations manager event log on the SQL Server and note the events (warning \ critical) that you are getting. This is pretty much what you seem to have been doing and I'm sorry I can't suggest anything that would short cut working through this process.

    In environments where I work I tend to go with the following:

    - there is usually a SQL DBA team (windows security group) that has SQL Sysadmin rights on the SQL Servers and Windows local admin rights for those server.

    - I create a domain user account and make it a member of that group

    - I assign that user account as the Run As Account

    There are usually some servers that this won't apply to but as a general rule, it covers a lot of the Run As Issues that I come across.

    Cheers

    Graham

     


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    • Marked as answer by jbn2050 Monday, January 24, 2011 8:34 PM
    Monday, January 24, 2011 7:41 PM

All replies

  • THis is of course your choice.  The DB SA account is a security risk and should always be disabled if you want to follow conventional security wisdom.  In a secure (locked down) database, localsystem cannot get to the data it needs so in secure environments, the run-as accounts are necessary.

    If you feel you don't need the tasks that don't work, you're good - the old "if it aint broke, and you haven't been hacked yet, wait till you've been hacked :)"

     


    Microsoft Corporation
    Tuesday, January 18, 2011 6:57 PM
  • I see a getdbspace.vbs will fail. So you lose db space monitoring if you don't use a run as or have privelages necessary in the doc?

    So monitoring with local system, if it is local admin (of course) but not SA, you will still get very good SQL monitoring, you just wont get the ability to run tasks, is that accurrate?

     

    maybe my question was not clear, i understand the security concerns, what i dont understand is what I gain by using higher privelages from the management pack itself. If it doesn't have the privelages, what monitoring do you lose? Like I said, it appears from the guid you only lose the ability to run tasks in which case, if you can do without the tasks, local administrator permissions are enough?

    Tuesday, January 18, 2011 9:09 PM
  • It's quite simple.  You gain the full functioning of the MP.  The localsystem permission is very restricted - it cannot do many things by default.

    What we cannot do, and leave as an excersise to the reader, is determine what doesn't work right if someone chooses to not follow the setup instructions :)


    Microsoft Corporation
    • Proposed as answer by Nicholas Li Friday, January 21, 2011 2:52 AM
    • Marked as answer by Nicholas Li Monday, January 24, 2011 1:43 AM
    • Unmarked as answer by jbn2050 Monday, January 24, 2011 7:20 PM
    Thursday, January 20, 2011 5:56 PM
  • Hi

    The latest SQL MP changed the situations \ alerts that you would get. Previously, there were times that you didn't get an alert about Run As Account problems but didn't realise that monitoring wasn't taking place so this is an improvement.

    I don't know of a definitive list of what you  can't achieve if the Run As Account doesn't have SQL Sysadmin rights. Any rules \ monitors that require this level of access will fail which you are aware of but the only way I can suggest to get an idea of what will fail is to look in the operations manager event log on the SQL Server and note the events (warning \ critical) that you are getting. This is pretty much what you seem to have been doing and I'm sorry I can't suggest anything that would short cut working through this process.

    In environments where I work I tend to go with the following:

    - there is usually a SQL DBA team (windows security group) that has SQL Sysadmin rights on the SQL Servers and Windows local admin rights for those server.

    - I create a domain user account and make it a member of that group

    - I assign that user account as the Run As Account

    There are usually some servers that this won't apply to but as a general rule, it covers a lot of the Run As Issues that I come across.

    Cheers

    Graham

     


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    • Marked as answer by jbn2050 Monday, January 24, 2011 8:34 PM
    Monday, January 24, 2011 7:41 PM
  • i'm at a company that is very silo'd and not everyone wants to do things one way. I have some servers utilizing a domain user account with SA, some will only give it the minimum rights as defined in the guide, and some are ok just giving local system SA (which i think why not it's so easy to do).

    I have some that won't grant the rights to either service, which was the point of the question in the first place. They just refuse to do it. I can't change it so I'm trying to discover what they lose.

    Tuesday, January 25, 2011 3:55 PM