Setup No Windows Global Access
FineBuild can disable unrestricted access by Windows accounts to the Server.
When a server is joined to a Domain, certain rights are granted to all users in the Domain. Additionally, depending on the version of Windows, wide-ranging access rights are granted to local users. These rights represent a security weakness by allowing access to users who have no business need to access the server. The ability to access a server can be the first step in discovering restricted data or mounting an attack on the server.
The Setup No Windows Global Access processing seeks to remove access from all accounts except those that have a business need to access the server. This processing will also ensure the Windows Guest account is disabled.
No Windows Global Access configuration helps to prevent unwanted accounts from accessing the SQL Server host server. If you set up Security Compliance then No Windows Global Access configuration will always be implemented.
The Setup No Windows Global Access Configuration can be enforced by Group Policy Management.
Processing of Setup No Windows Global Access relates to Process Id 1EE in the FineBuild1Preparation script, and is controlled by the parameter below:
SQL Version | Parameter | FULL Build | WORKSTATION Build | CLIENT Build |
---|---|---|---|---|
SQL2019 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2017 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2016 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2014 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2012 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2008R2 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2008 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2005 | /SetupNoWinGlobal: | Yes | No | Yes |
The FineBuild processing for Setup No Windows Global Access includes the following:
The following steps show what you would have to do to Setup No Windows Global Access manually. FineBuild does all of this work for you automatically.
This processing is split into two steps:
The following accounts should be removed from the local Users group on the server. This is done by using the following command and substituting the appropriate account name. Depending on the version of Windows, some of these accounts may not be in the Users group or may not exist.
If you are installing on a non-English edition of Windows, some of these account names will have a local language name.
NET LOCALGROUP "Users" "account" /DELETE
Account Name |
---|
Everyone |
NT AUTHORITY\INTERACTIVE |
NT AUTHORITY\Anonymous |
NT AUTHORITY\Terminal Service Users |
Guest |
domain\Guest |
domain\Domain Users |
domain\Domain Guests |
The Windows Guest account should be disabled. The account should not be deleted as it is built in to Windows. Disabling this account will prevent anonymous access to the server.
Use the following command to disable the Windows Guest account:
NET USER guest /ACTIVE:NO
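The two manual steps above, as an added example that is not FineBuild's own code: it matches accounts by SID instead of by name, so it also works on the non-English editions of Windows mentioned earlier. The SID values, the mapping of the page's account names to them, and the `-Remediate` switch are assumptions introduced for this example.

```powershell
# Added example, not FineBuild code. Needs an elevated Windows PowerShell 5.1+ session
# with the Microsoft.PowerShell.LocalAccounts module.
param([switch]$Remediate)  # hypothetical switch: without it the script only reports

# BUILTIN\Users has the same SID on every language edition of Windows.
$usersGroup = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'

# Assumed mapping of the page's account list to well-known SIDs.
$wellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-7'  = 'NT AUTHORITY\Anonymous'
    'S-1-5-13' = 'NT AUTHORITY\Terminal Service Users'
}
# Relative IDs (last SID component) under a machine or domain SID (S-1-5-21-...).
$unwantedRids = @{ '501' = 'Guest'; '513' = 'Domain Users'; '514' = 'Domain Guests' }

# Step 1: find the listed accounts in the local Users group.
$unwanted = foreach ($member in Get-LocalGroupMember -SID $usersGroup) {
    $sid   = $member.SID.Value
    $match = $wellKnown[$sid]
    if (-not $match -and $sid -like 'S-1-5-21-*') {
        $match = $unwantedRids[$sid.Split('-')[-1]]
    }
    if ($match) {
        [pscustomobject]@{ Name = $member.Name; Sid = $sid; Matches = $match; Member = $member }
    }
}
$unwanted | Format-Table Name, Sid, Matches -AutoSize

if ($Remediate) {
    foreach ($u in $unwanted) {
        # Equivalent of: NET LOCALGROUP "Users" "account" /DELETE
        Remove-LocalGroupMember -SID $usersGroup -Member $u.Member
    }
}

# Step 2: the built-in Guest account always has RID 501, whatever its display name.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
"Guest account '$($guest.Name)' enabled: $($guest.Enabled)"

if ($Remediate -and $guest.Enabled) {
    # Equivalent of: NET USER guest /ACTIVE:NO (disable, never delete)
    $guest | Disable-LocalUser
}
```

Run it without `-Remediate` first to review what would change; an empty table and `enabled: False` mean the server already matches the configuration described on this page.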
Copyright FineBuild Team © 2015 - 2021. License and Acknowledgements
SQL FineBuild supports:
- All SQL Server versions from SQL 2019 through to SQL 2005
- Clustered, Non-Clustered and Core implementations of server operating systems
- Availability and Distributed Availability Groups
- 64-bit and (where relevant) 32-bit versions of Windows
The following Windows versions are supported:
- Windows 2022
- Windows 11
- Windows 2019
- Windows 2016
- Windows 10
- Windows 2012 R2
- Windows 8.1
- Windows 2012
- Windows 8
- Windows 2008 R2
- Windows 7
- Windows 2008
- Windows Vista
- Windows 2003
- Windows XP