Installing SQL Server in a High-Security Domain, Part II

Published Mar 23 2019 12:46 PM
Microsoft
First published on TECHNET on Apr 04, 2012

In this article (http://blogs.technet.com/b/fort_sql/archive/2009/12/17/installing-reporting-services-2008.aspx), I pointed out some of the most common permissions failures when installing SQL Server in an environment where security has been hardened, such as the removal of the Debug Programs permission. In my experience, "hardened" usually means some default permissions have been removed from various accounts.


Recently some colleagues had failures while attempting to install SQL Server 2008 R2 on a VMware virtual Windows cluster, even though they had ensured their installation account had the 3 privileges I covered in the previous article. One of the difficulties with these types of failures is that you don't get an error saying something clear like "Sorry, you don't have the Debug Privileges permission," so it can be a little troublesome to figure out exactly which permissions are missing, if any. In this case, my colleagues were able to successfully install SQL Server after adding the "Act as part of the operating system" and "Log on as a service" permissions to the installation account. I'm going to repeat myself to emphasize they added these permissions to the installation account (the account they were logged in as while running the installer). That difference allowed their install to succeed, but if you use this remedy, remember to remove those permissions from the installation account after you finish the install.


Did they need both of those or just one of them? We don't know; they didn't uninstall and reinstall with just one of them to narrow it down. If you gain any insight on what security settings cause this problem, and whether or not only one of these permissions is needed to succeed, please let me know.
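
Because setup does not say which right is missing, it helps to list what the installation account actually holds before the install, and to confirm afterwards that the temporary rights were removed. The script below is an added example, not part of the original post. It assumes an elevated prompt and that you are logged on as the installation account, and it uses the standard Windows constant names for the three rights named in this post.

```powershell
# Added example: which of the user rights named in this post does the current account hold?
# Assumption: run from an elevated prompt while logged on as the installation account.
$rights = [ordered]@{
    SeDebugPrivilege    = 'Debug programs'
    SeTcbPrivilege      = 'Act as part of the operating system'
    SeServiceLogonRight = 'Log on as a service'
}

# SIDs in the current token: the account itself plus every group it belongs to,
# because a right is often granted through a group rather than directly.
$id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Export the user rights assignment as currently applied on this machine.
$cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed; is the prompt elevated?' }
try     { $lines = Get-Content -Path $cfg -ErrorAction Stop }
finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }

foreach ($name in $rights.Keys) {
    # A right that nobody holds has no line in the export at all.
    $line    = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                $entry.TrimStart('*')          # "*S-1-5-..." is already a SID
            } else {
                # Plain account name: resolve it to a SID so it can be compared.
                try {
                    $acct = New-Object System.Security.Principal.NTAccount($entry)
                    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { $entry }
            }
        })
    }
    $via = @($holders | Where-Object { $mySids -contains $_ })
    [pscustomobject]@{
        Right      = $rights[$name]
        Constant   = $name
        Held       = $via.Count -gt 0
        GrantedVia = $via -join ', '
    }
}
```

Run it once before setup and again after removing the temporary rights; for the two rights added in this post, `Held` should be `False` on the second run.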


