PRB: SQL Server and C2 SecurityID: Q148974
|
Most of the SQL Server applications and utilities that use network access
of some kind, for example Isql.exe, Isqlw.exe, Sqlew.exe, and Perfmon.exe,
require access to the Windows NT \\Hkey_local_machine\Software\Description
key. These applications will either access or create a subkey called
Microsoft\RPC\UuidTemporaryData key with two values. The values that are
created are NetworkAddress and NetworkAddressLocal.
The Windows NT Resource Kit contains a utility that was written to assist
users in configuring C2 security on a particular Windows NT Server. There
can be a significant problem if the C2 Security Manager is used to modify
the Registry Security to make the Windows NT Registry secure. The utility
is supposed to use the C2REGACL.INF file as a guide for modifying registry
keys. When the change is made to the
\\hkey_local_machine\software\description key by the application, the
resulting permissions do not match what was specified in the CEREGACL.INF
file. The most significant change is that the Administrator has Full
Control prior to the change and only Read permission afterward. This change
can prevent the Administrator from restoring permissions on the key and
will prevent network access by applications executed on the console of the
Windows NT Server. Other permissions that are lost are Creator Owner - Full
Control, and Everyone - Special Access. The System account has full
control, however, there is way to access this account from Winlogon and
other applications.
In one attempt to workaround this problem, Regedt32 would allow the
Administrator to make the changes on the key, however, the affect was
limited because the changes were kept until the server was shutdown and
restarted. When the server was rebooted, the permissions on the key
reverted to Administrator - Read Only. The administrator is unable to make
permanent changes to this key.
The alternative resolutions to this problem are:
Additional query words: security c2 winnt secure
Keywords : kbinterop kbnetwork kbusage SSrvInst SSrvLAN
Version : 3.5x 6.x 6.0
Platform : WINDOWS
Issue type : kbhowto
Last Reviewed: March 24, 1999