Previous Configure xp_Cmdshell Proxy Manual Configuration Configure Report Services Accounts Next

Configure Database Owner Account

FineBuild can configure a User Database Owner Account as part of the SQL Server install process.

A SQL Server login is created that should be used as the owner account for User databases.

In the past, it was considered best practice for all databases to be owned by the sa account. However, if the user database is owned by the sa account and has ownership chaining enabled, then users in the db_dbowner role in the user database will gain elevated privileges in the system databases. To avoid this, it is now considered best practice for all user databases to be owned by a low privilege account.

Additionally, if a set of user databases have ownership chaining enabled then they should be owned by a different account to other user databases, in order to prevent users in the chained databases from gaining privileges in the unchained databases.

In order to identify which account should be used as the standard user database owner account, a credential is created to hold this metadata. When the account is created, it is linked to the credential.

FineBuild Configure Database Owner Account

Starting with FineBuild v3.2.0 beta 2, the Database Owner Account configuration relates to Process Id 5CF. Prior to this it was part of Configure Standard Accounts. It is controlled by the parameters below:

Parameter Build SQL 2005 SQL 2008 SQL 2008 R2 SQL 2012
ConfigStdAccounts FULL Yes Yes Yes Yes
ConfigStdAccounts WORKSTATION Yes Yes Yes Yes
ConfigStdAccounts CLIENT N/A N/A N/A N/A


FineBuild also uses the following parameters to help Configure Database Owner Account:

Prameter Default Value Description
DBOwnerAccount DBOwner Name of DB Owner account
SAPwd none Password for sa account


FineBuild will automatically:

  • Create a Credential for the user database owner account
  • Create the user database owner account login
  • Mark the account as Disabled to prevent people logging on with the account
  • Change the ownership of all user databases that are owned by an account with Sysadmin rights so they are owned by the user database owner account

Top


Manual Configure Database Owner Account

The following steps show what you would have to do for manual Database Owner Account configuration. FineBuild does all of this work for you automatically.

1) Within a query window enter the following command to create the Credential.

CREATE CREDENTIAL StandardDBOwner WITH IDENTITY='DBOwnerAccount'


2) Enter the following command to create the user database owner account.

CREATE LOGIN [DBOwnerAccount] WITH PASSWORD='SAPwd', CHECK_POLICY=ON, CHECK_EXPIRATION=OFF, CREDENTIAL=StandardDBOwner


3) Enter the following commands to ensure no-one can exploit the database ownership privileges that will be assigned to this account.

REVOKE CONNECT SQL TO [DBOwnerAccount]
ALTER LOGIN [DBOwnerAccount] DISABLE



Copyright © 2011 - 2013 Edward Vassie. License and Acknowledgements

Previous Configure xp_Cmdshell Proxy Top Configure Report Services Accounts Next

Last edited Apr 12, 2013 at 9:19 AM by EdVassie, version 7

Comments

No comments yet.