PRB: SQL Server and C2 Security

ID: Q148974

The information in this article applies to:

Microsoft SQL Server version 6.0

SYMPTOMS

Most of the SQL Server applications and utilities that use network access of some kind, for example Isql.exe, Isqlw.exe, Sqlew.exe, and Perfmon.exe, require access to the Windows NT \\Hkey_local_machine\Software\Description key. These applications will either access or create a subkey called Microsoft\RPC\UuidTemporaryData key with two values. The values that are created are NetworkAddress and NetworkAddressLocal.

The Windows NT Resource Kit contains a utility that was written to assist users in configuring C2 security on a particular Windows NT Server. There can be a significant problem if the C2 Security Manager is used to modify the Registry Security to make the Windows NT Registry secure. The utility is supposed to use the C2REGACL.INF file as a guide for modifying registry keys. When the change is made to the \\hkey_local_machine\software\description key by the application, the resulting permissions do not match what was specified in the CEREGACL.INF file. The most significant change is that the Administrator has Full Control prior to the change and only Read permission afterward. This change can prevent the Administrator from restoring permissions on the key and will prevent network access by applications executed on the console of the Windows NT Server. Other permissions that are lost are Creator Owner - Full Control, and Everyone - Special Access. The System account has full control, however, there is way to access this account from Winlogon and other applications.

RESOLUTION

In one attempt to workaround this problem, Regedt32 would allow the Administrator to make the changes on the key, however, the affect was limited because the changes were kept until the server was shutdown and restarted. When the server was rebooted, the permissions on the key reverted to Administrator - Read Only. The administrator is unable to make permanent changes to this key.

The alternative resolutions to this problem are:

Reinstall Windows NT, which will rebuild the registry.

Attempt to assign Full Control on the \\hkey_local_machine\software key to a specific user who is a member of both the Local and Domain Administrator's groups. This will allow this particular user to use the application's setup to be executed via the console. Note that this is a temporary resolution, because the registry will still have to be reinitialized at some point by reinstalling Windows NT.

Additional query words: security c2 winnt secure


Keywords          : kbinterop kbnetwork kbusage SSrvInst SSrvLAN 
Version           : 3.5x 6.x 6.0
Platform          : WINDOWS 
Issue type        : kbhowto

Last Reviewed: March 24, 1999