Windows privileges needed for user to run SQLA service

2
1

I am have some trouble setting up a v16 database service to run under a user account other than "local system account"

I presume I need:

  1. Full rights to the folders where database / log & temp files are located
  2. Log On As A Service privilege (mentioned in the docs)

but although the service then starts I run into odd problems, like not being able to edit the service settings in SQL Central (although I am logged on a local administrator) - works fine if I change the service back to local system account.

Is there a list of the minimum set of privileges required available anywhere?

Thanks

UPDATE 19 Apr

The user I'm trying to use is a domain user.

By granting my user the same rights in Local Security Policy | Local Policies | User Rights Assignments that are already allocated to LOCAL SERVICE, and setting the Log On As user in the Windows Services manager I can get the SQLA service to run properly. BUT if I now try to edit the services parameters in Sybase Central, I get: 

The service could not be modified. 
An unknown error has occurred. 
com.sybase.sqlanywhere.util.ServiceException

Go back to LocalSystemAccount and Sybase Central is happy again.

asked 12 Apr '18, 14:40

Justin%20Willey's gravatar image

Justin Willey
7.6k137179248
accept rate: 19%

edited 19 Apr '18, 08:44

What (Windows) OS do you use?

(12 Apr '18, 17:48) Volker Barth
Replies hidden

Server 2016 Standard

(13 Apr '18, 05:21) Justin Willey
1

like not being able to edit the service settings in SQL Central (although I am logged on a local administrator)

Hm, if you are logged in as local admin, that does not look like missing privileges on the service account IMHO? Can you change service settings via DBSVC as local admin?

FWIW, have you considered the more restricted LocalService or NetworkService system accounts?

And apparently I have no real answer to your question...:(

(17 Apr '18, 03:33) Volker Barth
Replies hidden
like not being able to edit the service settings in SQL Central (although I am logged on a local administrator)

Yes this odd - yet it seems to relate to the user specified in the service definition not who you are logged on as.

NetworkService might be the way to go, but I'm concerned about running into unexpected problems because of missing privileges. According to MS LocalSystem has:

SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
SE_AUDIT_NAME (enabled)
SE_BACKUP_NAME (disabled)
SE_CHANGE_NOTIFY_NAME (enabled)
SE_CREATE_GLOBAL_NAME (enabled)
SE_CREATE_PAGEFILE_NAME (enabled)
SE_CREATE_PERMANENT_NAME (enabled)
SE_CREATE_TOKEN_NAME (disabled)
SE_DEBUG_NAME (enabled)
SE_IMPERSONATE_NAME (enabled)
SE_INC_BASE_PRIORITY_NAME (enabled)
SE_INCREASE_QUOTA_NAME (disabled)
SE_LOAD_DRIVER_NAME (disabled)
SE_LOCK_MEMORY_NAME (enabled)
SE_MANAGE_VOLUME_NAME (disabled)
SE_PROF_SINGLE_PROCESS_NAME (enabled)
SE_RESTORE_NAME (disabled)
SE_SECURITY_NAME (disabled)
SE_SHUTDOWN_NAME (disabled)
SE_SYSTEM_ENVIRONMENT_NAME (disabled)
SE_SYSTEMTIME_NAME (disabled)
SE_TAKE_OWNERSHIP_NAME (disabled)
SE_TCB_NAME (enabled)
SE_UNDOCK_NAME (disabled)

while NetworkService has

SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
SE_AUDIT_NAME (disabled)
SE_CHANGE_NOTIFY_NAME (enabled)
SE_CREATE_GLOBAL_NAME (enabled)
SE_IMPERSONATE_NAME (enabled)
SE_INCREASE_QUOTA_NAME (disabled)
SE_SHUTDOWN_NAME (disabled)
SE_UNDOCK_NAME (disabled)
Any privileges assigned to users and authenticated users (not sure what this means)

Basically I'm way out of my depth here! What I really want to do is define a user with the minimum rights needed to run SQLA properly and add access to a couple of network locations.

(17 Apr '18, 06:31) Justin Willey
1

Any privileges assigned to users and authenticated users (not sure what this means)

In my limited understanding, these are the privileges given to the according local user groups.

Just to add: There's an older white paper "Securing SQL Anywhere Server 10" (sic!) still available but is it also rather vague in terms of choosing a fitting user account for a Windows database service...

(17 Apr '18, 07:04) Volker Barth
1

It's an excellent doc - and an updated version would be really useful. However, as you say doesn't really give me the detail I'm after!

(17 Apr '18, 07:59) Justin Willey

If not able to edit the service in Sybase Central I usually find I get an "Access Denied" error and irrespective of being logged on as a local admin that "Right click - Run as Administrator" is required.

(17 Apr '18, 11:42) RADicalSYS
Replies hidden
1

This doesn't seem to be the problem in this case - the behaviour is the same whether I run Sybase Central while logged on with local admin rights or choose Run As Administrator

(19 Apr '18, 08:29) Justin Willey
showing 3 of 8 show all flat view
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×260
×48
×40

question asked: 12 Apr '18, 14:40

question was seen: 2,388 times

last updated: 19 Apr '18, 08:44

Related questions

What impact will the switch to OpenSSL have on SQL Anywhere strong encryption?

Does the use of OpenSSL have influences on database encryption?

Failures starting SA16 as a service under linux/ubuntu

Service parameters cache

Spatial Data and ST_Transform

Protecting intellectual property

What can stop a database from being opened in read-only mode?

LOOP - variable not found

Allow SADIAGDIR to be set by DB server start-up parameters

SQL Anywhere on Windows operating system changes db file to read only