SQL Server Registry Key Security

Issue

The Everyone group should not have more than read access to the Microsoft® SQL Server™ registry keys. For example, if an unauthorized person has write access to the registry, they could change the authentication type for your server from Windows Authentication to Mixed Mode, and use this change to try to gain access to your system through the sa (system administrator) account. If a blank or weak password was assigned to that account, the unauthorized person could log on as system administrator.

Solution

Ensure that the Everyone group is restricted to read access for the SQL Server registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MICROSOFT SQL Server
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSQLSERVER

Instructions

To ensure that the Everyone group is restricted to read access for the SQL Server registry keys

  1. Click Start, click Run, and then type regedt32.exe.
  2. Expand the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MICROSOFT SQL Server.
  3. On the Security menu, click Permissions.
  4. Click Everyone, and make sure that only the Read check box is selected.
  5. Repeat for the following key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSQLSERVER.
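The manual check above can be scripted. The following PowerShell audit is an added example, not part of the original page: it inspects the two keys listed in the Solution and reports any Allow entry that grants the Everyone group (well-known SID S-1-1-0) rights beyond ReadKey. It only reads ACLs and changes nothing; it assumes the standard Windows PowerShell registry provider and the .NET RegistrySecurity classes.

```powershell
# Added audit example (not from the original page): reports any Allow ACE
# granting the Everyone group (well-known SID S-1-1-0) rights beyond ReadKey
# on the two SQL Server registry keys named above. Read-only; it does not
# change permissions. Run in an elevated PowerShell session on the server.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server',
    'HKLM:\SOFTWARE\Microsoft\MSSQLSERVER'
)

# Everyone is matched by SID so the check does not depend on display language.
$everyoneSid = 'S-1-1-0'
$readKey     = [int][System.Security.AccessControl.RegistryRights]::ReadKey

$findings = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Key not present on this host: $key"
        continue
    }
    $acl = Get-Acl -Path $key
    # Explicit and inherited rules, with identities expressed as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $everyoneSid) { continue }
        if ($rule.AccessControlType -ne 'Allow')            { continue }
        # Any right bit outside ReadKey (SetValue, CreateSubKey, WriteKey,
        # FullControl, ...) means Everyone has more than read access.
        # Generic access bits, if an ACE carries them, are flagged as well
        # and should be reviewed by hand.
        $excess = [int]$rule.RegistryRights -band (-bnot $readKey)
        if ($excess -ne 0) {
            [pscustomobject]@{
                Key       = $key
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($findings) {
    Write-Output 'Everyone has more than read access on:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'OK: Everyone is limited to read access on the SQL Server keys.'
}
```

Any entry listed should be corrected with the regedt32 steps above; an entry marked Inherited comes from a parent key, so the fix belongs there.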

Additional Information

SQL Server 7.0 Security

Microsoft SQL Server 2000 Security


©2002-2004 Microsoft Corporation. All rights reserved.