WS2012 Member Server Security Compliance - SQL Server knock-on effect

  • Question

  • We have implemented the WS2012 Member Server Security Compliance 1.0 policy into AD for our 2012 OU structure. What we have since found is that there are 3 policies in particular that were not previously defined in SCM WS2008R2 Member Server policies.

    Adjust memory quotas for a process: NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators

    Create global objects: NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\SERVICE, BUILTIN\Administrators

    Impersonate a client after authentication: NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\SERVICE, BUILTIN\Administrators

    Our DBA advises that once SQL is installed, specific SQL system accounts unique to each server are meant to be populated within these settings (as well as the above); however, due to the WS2012 Member Server policy, these get overwritten to only the above.

    I see there is a SQL 2012 Beta set of policies for SCM; however, these do not relate to any of the above Windows settings, but are SQL/PowerShell script related.

    Any ideas on how to work around the above being enforced, short of duplicating the WS2012 Member Server policy, ripping these 3 settings out completely then linking in a new Custom WS2012 SQL Server policy, then blocking inheritance of the WS2012 Member Server policy?

    Cheers

    Thursday, October 10, 2013 12:17 AM
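
An added example, not part of the original post: a check that compares two `secedit /export /cfg <file> /areas USER_RIGHTS` exports, taken before and after the policy applies, and lists the principals removed from the three rights named in the question. The sample exports and the SQL service SID are constructed placeholders.

```python
# Added example: which principals did the enforced baseline remove from the
# three user rights named in the question?
# Well-known SIDs: S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE,
# S-1-5-6 SERVICE, S-1-5-32-544 BUILTIN\Administrators.
WATCHED = ("SeIncreaseQuotaPrivilege",   # Adjust memory quotas for a process
           "SeCreateGlobalPrivilege",    # Create global objects
           "SeImpersonatePrivilege")     # Impersonate a client after authentication

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights

def dropped_by_policy(before_inf, after_inf, watched=WATCHED):
    """List principals present before the GPO applied and missing afterwards."""
    before, after = parse_privilege_rights(before_inf), parse_privilege_rights(after_inf)
    report = {}
    for right in watched:
        removed = before.get(right, set()) - after.get(right, set())
        if removed:
            report[right] = sorted(removed)
    return report

# Constructed sample exports. SQL_SID is a made-up placeholder, not a real service SID.
# Real secedit exports are UTF-16; read them with open(path, encoding="utf-16").
SQL_SID = "*S-1-5-80-1111-2222-3333-4444-5555"
AFTER = """[Unicode]
Unicode=yes
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeServiceLogonRight = *S-1-5-20
"""
BEFORE = AFTER.replace("*S-1-5-32-544", "*S-1-5-32-544," + SQL_SID)

if __name__ == "__main__":
    for right, principals in dropped_by_policy(BEFORE, AFTER).items():
        print(right, "lost", ", ".join(principals))
```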