Setup No Windows Global Access - SQL-FineBuild/Common GitHub Wiki
FineBuild can disable unrestricted access by Windows accounts to the Server.
When a server is joined to a Domain, certain rights are granted to all users in the Domain. Additionally, depending on the version of Windows, wide-ranging access rights are granted to local users. These rights represent a security weakness by allowing access to users who have no business need to access the server. The ability to access a server can be the first step in discovering restricted data or mounting an attack on the server.
Setup No Windows Global Access seeks to remove access for all accounts except those that have a business need to access the server. This processing will also ensure the Windows Guest account is disabled.
Security Compliance
No Windows Global Access configuration helps to prevent unwanted accounts from accessing the SQL Server host server. If you set up Security Compliance, then No Windows Global Access configuration will always be implemented.
Group Policy Management
The Setup No Windows Global Access Configuration can be enforced by Group Policy Management.
FineBuild Setup No Windows Global Access Processing
Processing of Setup No Windows Global Access relates to Process Id 1EE in the FineBuild1Preparation script, and is controlled by the parameter below:
SQL Version | Parameter | FULL Build | WORKSTATION Build | CLIENT Build |
---|---|---|---|---|
SQL2019 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2017 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2016 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2014 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2012 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2008R2 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2008 | /SetupNoWinGlobal: | Yes | No | Yes |
SQL2005 | /SetupNoWinGlobal: | Yes | No | Yes |
The FineBuild processing for Setup No Windows Global Access includes the following:
Manual Setup No Windows Global Access Processing
The following steps show what you would have to do to Setup No Windows Global Access manually. FineBuild does all of this work for you automatically.
This processing is split into two steps:
Remove Global Access to Server
The following accounts should be removed from the local Users group on the server. This is done by using the following command and substituting the appropriate account name. Depending on the version of Windows, some of these accounts may not be in the Users group or may not exist.
If you are installing on a non-English edition of Windows, some of these account names will have a local language name.
NET LOCALGROUP "Users" "account" /DELETE
Account Name |
---|
Everyone |
NT AUTHORITY\INTERACTIVE |
NT AUTHORITY\Anonymous |
NT AUTHORITY\Terminal Service Users |
Guest |
domain\Guest |
domain\Domain Users |
domain\Domain Guests |
Disable Windows Guest Account
The Windows Guest account should be disabled. The account should not be deleted as it is built into Windows. Disabling this account will prevent anonymous access to the server.
Use the following command to disable the Windows Guest account:
NET USER guest /ACTIVE:NO
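The two manual steps above can be combined into one script that matches accounts by SID rather than by name, so it also works on non-English editions of Windows and skips accounts that are not present. This is an added example, not FineBuild's own code; the `-Apply` switch is a hypothetical name, and the mapping of the table's account names to well-known SIDs and RIDs is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: report (default) or remove (-Apply) the listed accounts.
param([switch]$Apply)   # hypothetical switch name, not a FineBuild parameter

# Fixed well-known SIDs; assumed to be the principals the table names.
$fixedSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-7'  = 'NT AUTHORITY\Anonymous'
    'S-1-5-13' = 'NT AUTHORITY\Terminal Service Users'
}
# Relative IDs that end a machine or domain SID (S-1-5-21-<id>-<RID>).
$rids = @{ '501' = 'Guest'; '513' = 'Domain Users'; '514' = 'Domain Guests' }

$usersGroup = Get-LocalGroup -SID 'S-1-5-32-545'   # built-in Users group

# Keep only members that are present; absent accounts simply never match.
$targets = @(Get-LocalGroupMember -Group $usersGroup | Where-Object {
    $sid = $_.SID.Value
    $fixedSids.ContainsKey($sid) -or
        ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and $rids.ContainsKey($Matches[1]))
})

$targets | Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } } | Format-Table -AutoSize

foreach ($member in $targets) {
    # -WhatIf prints the intended change without making it unless -Apply is given.
    Remove-LocalGroupMember -Group $usersGroup -Member $member -WhatIf:(-not $Apply)
}

# The local Guest account always has RID 501, whatever its display name.
Get-LocalUser |
    Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-501$' -and $_.Enabled } |
    Disable-LocalUser -WhatIf:(-not $Apply)
```

Run it without `-Apply` first to review which members would be removed.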
Copyright FineBuild Team © 2015 - 2021. License and Acknowledgements