Sql-server – the best practice for the msdb database owner

msdbownersql server

In the course of reading up on SQL Server security best practices, I learned that databases should generally be owned by a dedicated, low-privileged login (sometimes a separate one for each DB or each application), per these articles.

I've also learned that you can't change the owner of master, model, and tempdb, but you can change the owner of msdb. My question is: should you?

The main concern with high-privileged database owners is that the TRUSTWORTHY setting could be enabled for that DB, and msdb has to have TRUSTWORTHY enabled. It seems like that's a good argument for changing the owner of msdb to a low-privileged account, but I don't know if that could cause problems with instance functionality, and I haven't been able to find any articles or whitepapers even discussing the topic. The closest I've seen is this one, which stops short of making any recommendations.

Can anyone provide any insight as to the possible effects of changing the owner of msdb?

Best Answer

Brent Ozar's sp_blitz check on this sums it up well, I think:

...there’s no short answer for best practice.

And he does reference Andreas' article as well, acknowledging that is an ideal state. But often times ideal states are not feasible or reasonable in practice.

I don't know that taking the best practice approach (in this case) is indeed reasonable or feasible when looking at many enterprise scale deployments or when managing any large number of instances. I'm often satisfied enough to just use sa personally.

A lot of the community's best practice checks default to looking for sa as a database owner in general, because having a commonly used one does indeed help from an administrative perspective. For example, the popular PowerShell module dbatools's functon Test-DbaDbOwner defaults to looking for sa (citing Dan Guzman as the best practice source to do so) as the owner of all databases (though you can certainly specify a custom one if desired) just like Brent's scripts do.

I think in this case whether or not to do it comes down to personal opinion/choice based on circumstance. If you can handle the additional burden, then by all means it is ideal to do so. But most of the time in my experience, I think the extra work, complexity, and potential for time consuming problems outweighs the narrow benefits.

Finally, when you ask:

Can anyone provide any insight as to the possible effects of changing the owner of msdb?

I'm not sure what you mean, but I think Andreas covers the topic fairly well to show what the benefits/effects of changing the owner are.

Related Solutions

Sql-server – Moving MSDB database

In the comments you indicate that your SQL Service is running as the Network Service account.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms684272(v=vs.85).aspx

The NetworkService account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has minimum privileges on the local computer and acts as the computer on the network.

This is the default account for installations under Vista and Windows Server 2008. During installation this account was granted Full Control file system permissions to the SQL Server data directory as seen in the File System Permissions Granted to SQL Server Per-service SIDs or Local Windows Groups section of the following article.

http://msdn.microsoft.com/en-us/library/ms143504.aspx#Reviewing_ACLs

Since you have relocated some of your database file the SQL Server service account needs permissions to the new locations. In the comments @Marian provided instructions for granting Network Service the required permissions.

Right click the drive -> Properties -> Security -> Edit -> add the Network Service user -> give him full control. By default he hasn't. Or better, just create a specific folder and give him Full Control permissions there. And move the data files in that folder.

The advice to create a new folder and move the files there is excellent as well.

Any additional services that are running as the Network Service account will aslo have permissions to this folder. Ideally the SQL Services should each have their own separate account.

http://support.microsoft.com/kb/2160720

When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should not only be different from one another, they should not be used by any other service on the same server. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported. For more details please refer to Books Online Topic Setting Up Windows Service Accounts

Sql-server – Accept null value on parent column in multipart relationship

Set [OwnerId] on OwnerID to allow nulls. Put a null value record in your Category table:

INSERT INTO Category (OwnerId,Title) SELECT NULL,'blah??'

I also added to your category table:

CONSTRAINT UC_OwnerID UNIQUE(OwnerID)

this is what I have working for you in SQL Fiddle http://sqlfiddle.com/#!3/ac720/2.

Best Answer

Related Solutions

Sql-server – Moving MSDB database

Sql-server – Accept null value on parent column in multipart relationship

Related Question