Setup No Windows Global Access

FineBuild can disable unrestricted access by Windows accounts to the Server.

When a server is joined to a Domain, certain rights are granted to all users in the Domain. Additionally, depending on the version of Windows, wide-ranging access rights are granted to local users. These rights represent a security weakness by allowing access to users who have no business need to access the server. The ability to access a server can be the first step in discovering restricted data or mounting an attack on the server.

The Setup No Windows Global Access processing seeks to remove access from all accounts except those that have a business need to access the server. This processing will also ensure the Windows Guest account is disabled.

Security Compliance

No Windows Global Access configuration helps to prevent unwanted accounts from accessing the SQL Server host server. If you set up Security Compliance, then No Windows Global Access configuration will always be implemented.

FineBuild Setup No Windows Global Access Processing

Processing of Setup No Windows Global Access relates to Process Id 1EE in the FineBuild1Preparation script, and is controlled by the parameter below:

Parameter         Build        SQL2005  SQL2008  SQL2008 R2  SQL2012  SQL2014  SQL2016  SQL2017
SetupNoWinGlobal  FULL         Yes      Yes      Yes         Yes      Yes      Yes      Yes
SetupNoWinGlobal  WORKSTATION  No       No       No          No       No       No       No
SetupNoWinGlobal  CLIENT       Yes      Yes      Yes         Yes      Yes      Yes      Yes

The FineBuild processing for Setup No Windows Global Access includes the following:

Manual Setup No Windows Global Access Processing

The following steps show what you would have to do to perform Setup No Windows Global Access manually. FineBuild does all of this work for you automatically.

This processing is split into two steps:

Remove Global Access to Server

The following accounts should be removed from the local Users group on the server. This is done by using the following command and substituting the appropriate account name. Depending on the version of Windows, some of these accounts may not be in the Users group or may not exist.

If you are installing on a non-English edition of Windows, some of these account names will have a local language name.
NET LOCALGROUP "Users" "account" /DELETE

Account Name
Everyone
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Anonymous
NT AUTHORITY\Authenticated Users
NT AUTHORITY\Terminal Service Users
Guest
domain\Guest
domain\Domain Users
domain\Domain Guests

Disable Windows Guest Account

The Windows Guest account should be disabled. The account should not be deleted as it is built in to Windows. Disabling this account will prevent anonymous access to the server.

Use the following command to disable the Windows Guest account:
NET USER guest /ACTIVE:NO
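
The two manual steps above as one PowerShell function, added here as an example and not part of FineBuild's own scripts. It matches accounts by well-known SID and RID rather than by name, so it also covers non-English editions of Windows; the function name Remove-GlobalUsersAccess is hypothetical, and it assumes an elevated PowerShell 5.1 or later session with the Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example, not FineBuild code. Run elevated; use -WhatIf to preview changes.

$UsersGroupSid = 'S-1-5-32-545'    # BUILTIN\Users (local Users group)

# Well-known SIDs for the accounts in the table above.
# These values are the same on every language edition of Windows.
$WellKnownSids = @(
    'S-1-1-0',     # Everyone
    'S-1-5-4',     # NT AUTHORITY\INTERACTIVE
    'S-1-5-7',     # NT AUTHORITY anonymous logon
    'S-1-5-11',    # NT AUTHORITY\Authenticated Users
    'S-1-5-13'     # NT AUTHORITY terminal server users
)

# Well-known RIDs under a machine or domain SID:
# 501 = Guest, 513 = Domain Users, 514 = Domain Guests
$RidPattern = '^S-1-5-21-\d+-\d+-\d+-(501|513|514)$'

function Remove-GlobalUsersAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Step 1: remove the global accounts from the local Users group.
    # Accounts that are not members are simply never returned here.
    foreach ($member in Get-LocalGroupMember -SID $UsersGroupSid) {
        $sid = $member.SID.Value
        if ($WellKnownSids -contains $sid -or $sid -match $RidPattern) {
            if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Users group')) {
                Remove-LocalGroupMember -SID $UsersGroupSid -Member $member
            }
        }
    }

    # Step 2: disable (never delete) the built-in local Guest account, RID 501.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -match '-501$' }
    if ($guest -and $guest.Enabled) {
        if ($PSCmdlet.ShouldProcess($guest.Name, 'Disable account')) {
            Disable-LocalUser -SID $guest.SID
        }
    }

    # Report what is still in the Users group so it can be reviewed.
    Get-LocalGroupMember -SID $UsersGroupSid | Select-Object Name, SID, ObjectClass
}
```

Run `Remove-GlobalUsersAccess -WhatIf` first to list the accounts that would be removed, then run it without `-WhatIf` once the accounts with a business need have been confirmed as remaining members.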

Copyright FineBuild Team © 2015 - 2017. License and Acknowledgements
Last edited Mar 18 at 12:39 PM by EdVassie, version 3