SA-8 Windows Service

#1

Hello. I am looking for advice. We started out running
ASA8's dbsrv8 as a Windows service running within the
so-called "Local System account." When a permission issue
emerged, rather than address it, we just began to advise
users to reconfigure the service to run within
<DOMAIN>/Administrator. Now some customers are concerned
about the security vulnerability of doing that so we need to
isolate the right solution. What account should the dbsrv8
service use? I can't even get the service to start using NT
AUTHORITY/NetworkService. THANKS IN ADVANCE FOR ANY ADVICE!

#2

LOCAL SYSTEM will allow an SQL Anywhere service to run under most
requirements. If your service won't start, there must be a specific
dependency in your implementation that requires a different account.

Are you referring to any network resources?
What do the event logs (application) indicate when the service fails to
start?

/ck

Eli wrote:

Quote:

Hello. I am looking for advice. We started out running
ASA8's dbsrv8 as a Windows service running within the
so-called "Local System account." When a permission issue
emerged, rather than address it, we just began to advise
users to reconfigure the service to run within
DOMAIN>/Administrator. Now some customers are concerned
about the security vulnerability of doing that so we need to
isolate the right solution. What account should the dbsrv8
service use? I can't even get the service to start using NT
AUTHORITY/NetworkService. THANKS IN ADVANCE FOR ANY ADVICE!

#3

I'm pretty certain that that failure we had while using
Local System resulted from our need to use xp_cmdshell
during the engine start event. For WIN2003 Server, our
field people claim they needed to run as a domain
administrator to get xp_cmdshell working. I would have
expected local admin privileges to be sufficient. Thanks in
advance for anything you can tell me about the privileges
required for xp_cmdshell. And thanks very much for
confirming that Local System should indeed work for the
service in general.

Eli

Quote:

LOCAL SYSTEM will allow an SQL Anywhere service to run
under most requirements. If your service won't start,
there must be a specific dependency in your
implementation that requires a different account.

Are you referring to any network resources?
What do the event logs (application) indicate when the
service fails to start?

/ck

Eli wrote:
Hello. I am looking for advice. We started out running
ASA8's dbsrv8 as a Windows service running within the
so-called "Local System account." When a permission
issue emerged, rather than address it, we just began to
advise users to reconfigure the service to run within
DOMAIN>/Administrator. Now some customers are
concerned about the security vulnerability of doing that
so we need to isolate the right solution. What account
should the dbsrv8 service use? I can't even get the
service to start using NT AUTHORITY/NetworkService.
THANKS IN ADVANCE FOR ANY ADVICE!

#4

In article <472b0faf.2324.1681692777 (AT) sybase (DOT) com>, Eli says...

Quote:

I'm pretty certain that that failure we had while using
Local System resulted from our need to use xp_cmdshell
during the engine start event. For WIN2003 Server, our
field people claim they needed to run as a domain
administrator to get xp_cmdshell working. I would have
expected local admin privileges to be sufficient. Thanks in
advance for anything you can tell me about the privileges
required for xp_cmdshell. And thanks very much for
confirming that Local System should indeed work for the
service in general.

Is that db server also the domain controller? If so, then there is no
such thing as a local admin, and you must use the domain admin user to
get admin privileges. I learned that one the hard way...

.....

--
Remove the ns_ from if replying by e-mail (but keep posts in the
newsgroups if possible).

#5

Eli,

if you have to use xp_cmdshell to use external resources (e.g. files on a
net share), LocalSystem is not permitted to do so.
However, it should be possible to make the following:
* Have the service run on the LocalSystem account.
* Inside your event handler, use a different domain login with appropriate
(but still minimal) network rights to connect to the net resource (something
like NET USE ...).
* Run xp_cmdshell
* Disconnect the domain login

IMHO, that would be much better (i.e. much more secure) than to use a
service with DomainAdmin rights.

We use events in a similar manner to copy backup files to net shares.

HTH
Volker

<Eli> wrote in news:472b0faf.2324.1681692777 (AT) sybase (DOT) com...

Quote:

I'm pretty certain that that failure we had while using
Local System resulted from our need to use xp_cmdshell
during the engine start event. For WIN2003 Server, our
field people claim they needed to run as a domain
administrator to get xp_cmdshell working. I would have
expected local admin privileges to be sufficient. Thanks in
advance for anything you can tell me about the privileges
required for xp_cmdshell. And thanks very much for
confirming that Local System should indeed work for the
service in general.

Eli

LOCAL SYSTEM will allow an SQL Anywhere service to run
under most requirements. If your service won't start,
there must be a specific dependency in your
implementation that requires a different account.

Are you referring to any network resources?
What do the event logs (application) indicate when the
service fails to start?

/ck

Eli wrote:
Hello. I am looking for advice. We started out running
ASA8's dbsrv8 as a Windows service running within the
so-called "Local System account." When a permission
issue emerged, rather than address it, we just began to
advise users to reconfigure the service to run within
DOMAIN>/Administrator. Now some customers are
concerned about the security vulnerability of doing that
so we need to isolate the right solution. What account
should the dbsrv8 service use? I can't even get the
service to start using NT AUTHORITY/NetworkService.
THANKS IN ADVANCE FOR ANY ADVICE!

#6

see below pls.

Quote:

In article <472b0faf.2324.1681692777 (AT) sybase (DOT) com>, Eli
says... I'm pretty certain that that failure we had
while using Local System resulted from our need to use
xp_cmdshell during the engine start event. For WIN2003
Server, our field people claim they needed to run as a
domain administrator to get xp_cmdshell working. I
would have expected local admin privileges to be
sufficient. Thanks in advance for anything you can tell
me about the privileges required for xp_cmdshell. And
thanks very much for confirming that Local System should
indeed work for the service in general.

Is that db server also the domain controller? If so, then
there is no such thing as a local admin, and you must use
the domain admin user to get admin privileges. I learned
that one the hard way...

....

--
Remove the ns_ from if replying by e-mail (but keep posts
in the newsgroups if possible).

Thanks. I'm sure at least some of our sites run the engine
on the domain controller. I have decided to get rid of our
dependence on xp_cmdshell and advise users to use Local
System for the engine. I truly appreciate your help
enabling me to make an informed decision.

Eli

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

SA-8 Windows Service

sybase.public.sqlanywhere.general sybase.public.sqlanywhere.general

SA-8 Windows Service - 11-01-2007 , 12:56 PM

Re: SA-8 Windows Service - 11-01-2007 , 08:29 PM

Re: SA-8 Windows Service - 11-02-2007 , 05:53 AM

Re: SA-8 Windows Service - 11-02-2007 , 06:27 AM

Re: SA-8 Windows Service - 11-02-2007 , 06:58 AM

Re: SA-8 Windows Service - 11-03-2007 , 11:49 AM