> As a work around to the problem you point out you could deny the account > you run the service under "Set Value" on this key only > (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSSQLServer). > There is no value in this key that the account would need to modify once > setup.... > > You should do the SQLAgent service if you are running that under the > same or other non-priv account. Good point. I received reports that SQL Server actually do not need write access to its service configuration - after its setup, everything works somoothly with read-only access (thanks, Craig). I guess that full access is necessary so 'sa' may change service account from within mmc.exe (SQL Enterprise Manager). It's clear example of functionality going before security (or maybe backward compatibility killing security ?) . Microsoft SQL team have this issue on desk, I hope they will act upon it. Regards B.Kozicki
This archive was generated by hypermail 2b30 : Sat Apr 20 2002 - 11:53:29 PDT