Many Installations of MSSQLSERVER.

  • Thread starter Thread starter The Poster
  • Start date Start date
T

The Poster

G/day forum,

I've got a problem where all my Development users have full installations of
MSSQLServer. I want to disable this (for obvious security and financial
reasons) and allow SQL Server on a few dedicated (managed) Development SQL
servers.

This is what I'm thinking:
1) Active Directory - Group Policy Object. The problem is I cant find a
relevant template that incorporates the SQL Services.
2) Through Registry file modification of the Start value -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLSERVER.

Either way I'll be deploying the change through Group Policy, and ideally I
would have a template that incorporated the SQL service, that way I wouldn't
have to directly go tampering with any registry files..

Your ideas and/or comments would be greatly appreciated.

Regards,
Steve.
 
If you try using services control from GPO, to disable the
SQL services, what you will likely find is that developers
are resouceful and will just install a named instance of
SQL as the main service is named for the instance name.
You could cripple the other services which are not named
in an instance sensitive way, but SQL itself would escape
your net.

Also, whether setting the service to disabled through the
services portion of GPO or through direct tweaking of the
start key in the reg, this does not prevent them from installing
and running it. As they can install, they are apparently admins,
and as admins they can change the service to manual or auto
long enough to start it. When policy reapplies and sets it back
to disabled it does not necessarily also stop it. Now, you
may be able to combine setting the service to disabled with
software restriction policy so that they cannot start it, but if
you cannot be sure of the service instance name to disable it
then they could get it started by the system at boot.

To answer your actual question, I am not aware of a template
for use in GPO to manage SQL or its internal state.

So, what to do?
First - make sure you understand why the devs have SQL
installed. If your environment has legal VStudio on their
machines, it is very possible that they legally have the
dev version of SQL installed. Also, what are they working
on? Perhaps these are MSDE version of SQL and will ship
out packaged with what they are building.
It might be more simple to just force those machines to
have their patch level up-to-date. It might be better to
provide them with the client tools for SQL but require
them to use MSDE (which can be made to speak only
machine-locally and be unresponsive over the wire).
It would seem to me that the last thing one would want
to do is make their job harder. I can imagine a number
of dev scenarios in which forcing them to share a remote
SQL could complicate their lives, but then I am the one
with SQL server alway installed on the laptop ! On the
other hand, making use of a SQL server remote from the
apps they dev/test might be of value for the quality of
what they will ship. It may be worth exploring whether
this is so and you could find support in your objective
from their project mgmt, as with their being admins it
will be hard to make it so without also having cooperation.
 
Thanks for your detailed post Roger.

Would you believe that I've got the DBA and Project Managers support on this
one? This motion is driven by the DBA group and the Project group so as far
as support is concerned I'm on a winner. Question: Do you think that Client
side 'full installations' of SQL Server are costly, dangerous (remember
slammer?), and system intensive? The bottom line is that I have to figure
out some way of disabling the MSSQLSERVER service and all named instances
(and in time remove it) - to facilitate compliance I will be conducting
regular SQLScan's, where non-compliance will be dealth with. I have made
provisions for Client Tools (Query Analyzer, Enterprise Manager, etc) on the
DEvelopers systems - I appreciate these are essential tools that are needed
to perform there day to day duties.

In the longer term, I'm planning on revoking Developers Admin level
priviledge on all systems. I've been reading alot of what Keith Brown has
been saying with regards to Security, and I (like our Software Architect)
have been converted to the Longhorn concept of Least Priviledged User
account - that is the most secure way to go. I can even use our own Chief
Software Architect as an example, he had his system rebuilt 6 months ago,
and since that day he has manged to do 99% of his development work as a
Standard user.

Regards,
Steve.
 
Hi Steve,

Many strands triggered in your reply.
It is great that you do have the buy-in to do things well,
and even better to hear that the LUA objectives of least
access have taken root.

First, one thing you mentioned was security of multiple
installs, if things were that way. You should be aware
that you can use the patch checking engine of the current
version of MBSA (MS Baseline Security Analyzer) to
check service pack and security patch level of SQL and
MSDE installs. From a machine where MBSA is installed
drop to a cmd prompt, cd to the MBSA install dir, and issue
mbsacli -hf -?
You can provide list of target machines in file, etc..
Now, this does not of course address the majority of SQL
install wellness issues like sane sa acct, accts/groups in
the SA server role, use of external procs, etc.. But, with
hfnetchk scan showing you 1) what machines did not let
you scan and 2) what machines have SQL and/or MSDE
instances you on staff DBA could no doubt come up with
a sproc that could interrogate those for the basic sanity
checklist of config items. Now, a last word on the use of
MBSA in this way. In addition to administrative rights on
the target machines, the hfnetchk scan will not work if the
targets are firewalled (doh - but for completeness mentioned),
if they do not have at least C$ shared (the admin shares, but
I have found that I really only need at least a temp C$ allowing
administrators even though the target has admin shares off, and
this one can turn on with remote script prior to the scan), or if
the remote registry service is shut off (again, can be started by
remote script prior to the scan).

Next, you made a mention of cost. I do not know whether your
shop is VStudio based, Delphi, or what. If VStudio it is now
pretty hard to not have license allowing dev version of SQL,
but you need to check what and how the dev shop is licensed.
Unless I am mistaken, as a holder of an SQL Server license
you are allowed client tools install without limit. I am no final
word on licensing matters. MSDE is of course free, and IIRC
the terms have loosened considerably from initial days.
I need to review whether the new mgmt interface tool MS has
released into beta is in the open beta, but that provides another
alternative relative to the client tools install.

It seems to me that a potentially compelling way to go would
be to look at central support of the main dev/test, but also
look at facilitating (temporary) dev local MSDE installs
(or better SQL Express - but that is a versioning issue no
doubt for the app release cycle). You could easily set up
such MSDE so that it gets a copy of a test suite DB loaded
into it with DTS from the dev/test SQL Server. Finally, if the
dev/test SQL Server is Enterprise version, it can accomodate
scenarios for devs in named SQL instances.
Anyway, it seems that there are a number of routes that are
cheap to free and within (what I understand of) licensing
(of course we did not mention CALs or per-proc lics).

So, other than periodic MBSA hfnetchk scans to know where
there is an SQL install (of course you could do that with a
script that just does some WMI poking into the registries of
the systems looking at the MSSQLServer keying - but MBSA
also gives basic health of the bits) how could you exert some
form of enforced control ? Like I said in initial post, about
the best idea I can come up with is to use software restriction
policies via GPO that impacts these dev machines. With it
you could prevent the users from running short list of key exes,
and of course you can have the GPO set the known / commonly
seen service instance names to disabled (it does not hurt to have
services named that are not on machines in scope of the GPO).
All this is totally circumventable while they are local admins.
However, it might just trigger enough of a hurdle to give them
pause to thing better of what they were about to try. With much
regret, the bottom line is that admins can, and that an example
semi-gently hung by the nails outside the coffee room has more
impact that all of the preparatory emails/notices of policy added
together. Getting them able to work as non-admins is IMHO
the key, both to your objectives here, and to the software
quality delivered (I have a total dislike of "well written",
and "well tested" apps which were however never tested by
a non-admin account !!).

Good luck Steve,
Roger
 
You can use Group Policy [for example, via Active Directory] to set
MSSQLSERVER service on Windows 2000, XP and 2003 systems to be disabled by
default. This is probably easier than using Group Policy Software
Restrictions Policy [though if they are local Administrators on their
computers, it might be less secure, I don't really know]. On a computer
running the MSSQLSERVER service, run MMC, add the Security Templates MMC,
create a new GP template where the only change is to the startup value of
the service and possibly the permissions of who can manage the service.
Save the template, apply the security template to the workstations in
question [e.g. use a batch file with the SECEDIT command to create a new
database and import and apply the template on each target workstation, OR
import the template into your active directory and apply that template to
target workstations by putting the workstations into an OU and/or
configuring ACL permissions on which workstations can read that GP. If you
use AD GP, be sure not to accidentally apply the policy to your legitimate
SQL servers.]

If these people's accounts are in the local Administrators or Power Users
group on the workstations, they can undo just about anything you do. Group
Policy will change their changes back, but I'm not sure this will stop the
SQL service once they start it. It's hard to prevent Administrators or
Power Users from doing what they want to do. There are some ways Power
Users can escalate their privileges to Administrator if they know how.

Unless something has changed in the latest version of MS SQL Server, SQL
Server cannot be installed on Windows workstations, only servers. AFAIK,
you can install MSDE on workstation, or if you install the SQL server CD, it
installs the SQL administrator tools and not the server itself.
 
Karl Levinson said:
You can use Group Policy [for example, via Active Directory] to set
MSSQLSERVER service on Windows 2000, XP and 2003 systems to be disabled by
default. This is probably easier than using Group Policy Software
Restrictions Policy [though if they are local Administrators on their
computers, it might be less secure, I don't really know]. On a computer
Click to expand...

We have pretty much beaten that avenue to death Karl.
The issue is that the registered name of the service is not
a predictable constant.
running the MSSQLSERVER service, run MMC, add the Security Templates MMC,
create a new GP template where the only change is to the startup value of
the service and possibly the permissions of who can manage the service.
Save the template, apply the security template to the workstations in
question [e.g. use a batch file with the SECEDIT command to create a new
database and import and apply the template on each target workstation, OR
import the template into your active directory and apply that template to
target workstations by putting the workstations into an OU and/or
configuring ACL permissions on which workstations can read that GP. If you
use AD GP, be sure not to accidentally apply the policy to your legitimate
SQL servers.]

If these people's accounts are in the local Administrators or Power Users
group on the workstations, they can undo just about anything you do. Group
Policy will change their changes back, but I'm not sure this will stop the
SQL service once they start it. It's hard to prevent Administrators or
Power Users from doing what they want to do. There are some ways Power
Users can escalate their privileges to Administrator if they know how.

Unless something has changed in the latest version of MS SQL Server, SQL
Server cannot be installed on Windows workstations, only servers. AFAIK,
you can install MSDE on workstation, or if you install the SQL server CD, it
installs the SQL administrator tools and not the server itself.
Click to expand...

One may install either on non-servers.
The "personal" install of SQL Server on a workstation is
effectively a full standard edition install with some minor
imposed limitations and some licensing differences.
 
Back
Top