Sql-server – How does a security group sid differ from a per service Sid

sql server

I am learning SQL and trying to understand the concept of a SID.

At the link below it states:

Microsoft SQL Server uses a security group to set resource access
control lists (ACLs) instead of using the service account directly.
Therefore, changing the service account can be done without having to
repeat the resource ACL process. The security group can be a local
security group, a domain security group, or a service security
identifier (SID)

and then goes on to say

For stand-alone instances of SQL Server on Windows Vista and on
Windows Server 2008 operating systems, service SIDs are added to the
service group, and the service SID for SQL Server Engine and SQL
Server Agent is added as a login to the sysadmin server role.

It uses service group and security group interchangeably. Are they the same? …and linked to this, if a service SID can be added to a security group (which can also be a SID), these 2 SIDs are different right?

I think so, but struggling with the Microsoft documentation.

thanks.

https://support.microsoft.com/en-us/kb/2620201

Best Answer

A SID is a mechanism that assigns privileges to the service itself, rather than to the account under which the service runs.

For Clustered installations:

It enables you to use a domain account with minimal privileges on the box, which also improves your security because people end up knowing the domain service account credentials.

For non-clustered installations:

Per-Service SID, it allows you to use Network Service as the service account, improving security by getting automatic password management, but without the traditional downside of having Network Service accumulate excessive privileges from multiple services.

Refer to :

Related Solutions

Sql-server – How to obtain SIDs of Sql Server installed NT Service Accounts

From the WMI documentation, I couldn't find any way to directly obtain a service SID, probably because as far as I've seen, service SIDs aren't physical directory objects, and thus couldn't be queried except where they appear as part of ACLs. This would also explain why the values aren't persisted in the registry.

Having said that, the service SIDs definitely do not appear in Win32_SystemAccount. Using PowerShell on a sample machine, you can verify this by running Get-WmiObject -Query "SELECT * FROM Win32_SystemAccount".

Luckily, however, there are alternatives:

Per this TechNet blog post, the non-well-known portion of a service SID is generated by taking a SHA1 hash of the uppercase service name, and then splitting apart the results into five unsigned 4-byte numbers. The following code performs this computation and returns the SID as displayed in Windows:

DECLARE @serviceName nvarchar(128) = 'MSSQL$SQL2008R2DEV';

SELECT
    'S-1-5-80' +
        '-' + CONVERT(varchar(20), CONVERT(bigint, CONVERT(varbinary(4), sys.fn_varbintohexsubstring(0, a.BinSid, 17, 4), 2))) +
        '-' + CONVERT(varchar(20), CONVERT(bigint, CONVERT(varbinary(4), sys.fn_varbintohexsubstring(0, a.BinSid, 13, 4), 2))) +
        '-' + CONVERT(varchar(20), CONVERT(bigint, CONVERT(varbinary(4), sys.fn_varbintohexsubstring(0, a.BinSid, 9, 4), 2))) +
        '-' + CONVERT(varchar(20), CONVERT(bigint, CONVERT(varbinary(4), sys.fn_varbintohexsubstring(0, a.BinSid, 5, 4), 2))) +
        '-' + CONVERT(varchar(20), CONVERT(bigint, CONVERT(varbinary(4), sys.fn_varbintohexsubstring(0, a.BinSid, 1, 4), 2)))
    FROM
    (
        SELECT
            CONVERT(varbinary(20), REVERSE(HASHBYTES('SHA1', UPPER(@serviceName)))) AS BinSid
    ) a;

The binary SID can also be obtained by using the SUSER_SID function (with some extra processing to handle the fixed portion) in lieu of HASHBYTES. (Note that the raw binary SID must have its endianness reversed before conversion and output. Also, the @serviceName variable being nvarchar is important.)

If you have .NET available, doing the hash calculation is trivial. Here's the C# code to do it:

using System.Security.Cryptography;

...

string serviceName = "MSSQL$SQL2008R2DEV";

HashAlgorithm ha = HashAlgorithm.Create("SHA1");
byte[] hash = ha.ComputeHash(serviceName.ToUpper().SelectMany(c => BitConverter.GetBytes(c)).ToArray());

string sid = "S-1-5-80";

for (int i = 0; i < 5; i++)
    sid += "-" + BitConverter.ToUInt32(hash, i * 4);

I suspect the SIDs could be found using classes in the .NET System.DirectoryServices namespace, either by inspecting group membership (fragile), or by some other method. Unfortunately, the methods I tested to directly translate a principal name into a SID failed, so I'm not sure how SQL Server does it (PInvoke?). In any event, computing the hash isn't a big deal if .NET is available (in fairness, the code will be longer without the use of LINQ).
Capture the relevant part of the output of the sc utility as used below, or run this manually if you don't care about being able to automate the solution:
```
sc showsid MSSQL$SQL2008R2DEV
```

Sql-server – Adding the domain account to a security group on the SQL Server computer that has sufficient privileges to log on as a service

To answer your questions directly:

2) In order to add a login to the sysadmin fixed server role you can utilize ALTER SERVER ROLE ... ADD MEMBER (2012) or sp_addsrvrolemember (pre-2012). Here would be an example:

exec sp_addsrvrolemember 'yourLoginName', 'sysadmin';

3) Without having to reiterate what's found in the following documentation, take a look at this MSDN reference on the service permissions for each SQL Server service.

Best Answer

Related Solutions

Sql-server – How to obtain SIDs of Sql Server installed NT Service Accounts

Sql-server – Adding the domain account to a security group on the SQL Server computer that has sufficient privileges to log on as a service

Related Question