Why does the SQL Server service account have the "Impersonate a client after authentication" right?

dba.stackexchange https://dba.stackexchange.com/questions/112803

  •  29-09-2020

Question

Our database is running on SQL Server 2008 hosted on a Windows 2008 Server. We have found that the security policy “impersonate a Client after authentication” is enabled for the SQL Server service account. Will removing “impersonate a Client after authentication” cause any issues? Is this URA required for SQL to function correctly? The database hosted on this instance is a client-server application.


Solution

The documented Windows Privileges and Rights for the database engine service account are:

  • Log on as a service (SeServiceLogonRight)
  • Replace a process-level token (SeAssignPrimaryTokenPrivilege)
  • Bypass traverse checking (SeChangeNotifyPrivilege)
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  • Permission to start SQL Writer
  • Permission to read the Event Log service
  • Permission to read the Remote Procedure Call service

The SeImpersonatePrivilege is only documented as required for the SSIS service.

That being said, I will say that the SeImpersonatePrivilege privilege is required for the database engine. Windows Authenticated client connections impersonate the client when accessing OS resources like SSPI linked servers and network shares (think db attach, backups etc).
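To check what an instance's service account actually holds before changing the policy, the local user-rights assignments can be exported with `secedit /export /cfg <file> /areas USER_RIGHTS` and compared with the list above. The following Python is an added example, not part of the original answer; the export text and the account SID in it are constructed, and the function names are hypothetical.

```python
# Added example: offline audit of a `secedit /export /areas USER_RIGHTS` file.
DOCUMENTED = {  # rights the answer lists for the database engine account
    "SeServiceLogonRight": "Log on as a service",
    "SeAssignPrimaryTokenPrivilege": "Replace a process-level token",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
}
IMPERSONATE = "SeImpersonatePrivilege"
SVC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # made-up account SID
# Constructed sample export (a real file is usually UTF-16; decode it first).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
[Version]
signature="$CHICAGO$"
"""

def parse_rights(text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names have none.
            rights[name.strip()] = {m.strip().lstrip("*")
                                    for m in members.split(",") if m.strip()}
    return rights

def audit(text, principals):
    """principals: the service account SID plus the group SIDs in its token."""
    rights = parse_rights(text)
    held = {r for r, members in rights.items() if members & set(principals)}
    return {
        "missing_documented": sorted(set(DOCUMENTED) - held),
        "has_impersonate": IMPERSONATE in held,
        "other_rights": sorted(held - set(DOCUMENTED) - {IMPERSONATE}),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, [SVC_SID]))                        # direct grants only
    print(audit(SAMPLE_EXPORT, [SVC_SID, "S-1-1-0", "S-1-5-6"]))  # plus Everyone, SERVICE
```

In the sample, the account holds the impersonation right only through the well-known SERVICE group (S-1-5-6), so an audit that looks at direct assignments alone reports it as absent.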

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange