Configure Database Owner Account
FineBuild can configure a User Database Owner Account as part of the SQL Server install process.
A SQL Server login is created that should be used as the owner account for User databases.
In the past, it was considered best practice for all databases to be owned by the sa account. However, if a user database is owned by the sa account and has ownership chaining enabled, then users in the db_owner role in that database can gain elevated privileges in the system databases. To avoid this, it is now considered best practice for all user databases to be owned by a low-privilege account.
Additionally, if a set of user databases has ownership chaining enabled, those databases should be owned by a different account from the other user databases, to prevent users in the chained databases from gaining privileges in the unchained databases.
In order to identify which account should be used as the standard user database owner account, a credential is created to hold this metadata. When the account is created, it is linked to the credential.
FineBuild Configure Database Owner Account
Starting with FineBuild v3.2.0 beta 2, the Database Owner Account configuration relates to Process Id 5CF. Prior to this it was part of Configure Standard Accounts. It is controlled by the parameters below:
||SQL 2008 R2
FineBuild also uses the following parameters to help Configure Database Owner Account:
- Name of DB Owner account
- Password for sa account
FineBuild will automatically:
- Create a Credential for the user database owner account
- Create the user database owner account login
- Mark the account as Disabled to prevent people logging on with the account
- Change the ownership of all user databases that are owned by an account with Sysadmin rights so they are owned by the user database owner account
Manual Configure Database Owner Account
The following steps show what you would have to do for manual Database Owner Account configuration. FineBuild does all of this work for you automatically.
1) Within a query window enter the following command to create the Credential.
CREATE CREDENTIAL StandardDBOwner WITH IDENTITY='DBOwnerAccount'
2) Enter the following command to create the user database owner account.
CREATE LOGIN [DBOwnerAccount] WITH PASSWORD='SAPwd', CHECK_POLICY=ON, CHECK_EXPIRATION=OFF, CREDENTIAL=StandardDBOwner
3) Enter the following commands to ensure no-one can exploit the database ownership privileges that will be assigned to this account.
REVOKE CONNECT SQL TO [DBOwnerAccount]
ALTER LOGIN [DBOwnerAccount] DISABLE
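The steps above create the owner account; the remaining FineBuild action is to re-own any user database that is currently owned by a Sysadmin login. The T-SQL below is an added example, not FineBuild's own code: it resolves the owner login from the StandardDBOwner credential (names taken from the steps above), verifies that the login is disabled and holds no CONNECT SQL grant, lists user databases owned by a sysadmin member together with their ownership-chaining flag, and generates ALTER AUTHORIZATION statements for the unchained ones so they can be reviewed before execution. It uses only standard catalog views (sys.credentials, sys.server_principal_credentials, sys.server_principals, sys.server_permissions, sys.databases) and assumes it is run by a sysadmin in a query window.

```sql
-- Added example (not from the FineBuild project): audit and re-own user databases
-- that are owned by a sysadmin login. Credential and login names follow the
-- manual steps on this page.
SET NOCOUNT ON;

DECLARE @OwnerLogin sysname;

-- 1. Resolve the standard owner login from the credential metadata.
SELECT @OwnerLogin = sp.name
FROM sys.credentials AS c
JOIN sys.server_principal_credentials AS spc ON spc.credential_id = c.credential_id
JOIN sys.server_principals AS sp ON sp.principal_id = spc.principal_id
WHERE c.name = N'StandardDBOwner';

IF @OwnerLogin IS NULL
BEGIN
    RAISERROR(N'No login is linked to credential StandardDBOwner', 16, 1);
    RETURN;
END;

-- 2. Confirm the owner login cannot be used to connect:
--    is_disabled should be 1 and has_connect_sql should be 0 after the steps above.
SELECT sp.name,
       sp.is_disabled,
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.server_permissions AS p
                         WHERE p.grantee_principal_id = sp.principal_id
                           AND p.permission_name = N'CONNECT SQL'
                           AND p.state = 'G')
            THEN 1 ELSE 0 END AS has_connect_sql
FROM sys.server_principals AS sp
WHERE sp.name = @OwnerLogin;

-- 3. List user databases (database_id > 4) owned by a sysadmin login, the risky
--    configuration, with the chaining flag so chained databases can be handled separately.
SELECT d.name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       d.is_db_chaining_on
FROM sys.databases AS d
WHERE d.database_id > 4
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1;

-- 4. Build the re-ownership script. Databases with ownership chaining enabled are
--    excluded here because, as noted above, they should get a different owner account.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql = @sql
            + N'ALTER AUTHORIZATION ON DATABASE::' + QUOTENAME(d.name)
            + N' TO ' + QUOTENAME(@OwnerLogin) + N';' + CHAR(13) + CHAR(10)
FROM sys.databases AS d
WHERE d.database_id > 4
  AND d.is_db_chaining_on = 0
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1;

PRINT @sql;
-- EXEC sys.sp_executesql @sql;   -- run only after reviewing the printed statements
```

The generated statements are printed rather than executed so the change can be checked against the list from step 3 first; a database whose owner SID no longer maps to a login shows a NULL owner_login and is deliberately left out, since it needs a separate decision rather than a blanket re-own.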
Copyright © 2011 - 2013 Edward Vassie.