Saturday, February 25, 2012

CmdExec jobs run in non-admin Windows accounts

I am attempting to tighten the security of our MSSQL environment in a number
of ways and one of these is to run scheduled CmdExec jobs via a non-admin
Windows account. Alas, I cannot get this to work correctly.
I created a credential "abc_job" based on a non-admin Windows domain account
"dom01\abc" in a global group.
I assigned permission for "log on as a batch job" to the global group.
I created a proxy "abc_prox", assigned it to the credential and set it to
active for CmdExec.
I gave access to the proxy for a MSSQL account "xyz" (non sysadmin).
I created a test job and gave ownership of the job to the "xyz" MSSQL account.
The job only has one step and the step runs as proxy "abc_prox".
The job is one line: g:\hjk\test.bat > g:\hjk\test.out
The batch file consists of 5 lines:
chdir /D g:\hjk
whoami
net time
ping gh234test
dir
When I start the job, only the chdir and dir commands succeed. The other 3
lines return "access is denied". However when I remote term to the SQL
Server machine as "dom01\abc" and run the batch file in a command prompt
window it succeeds.
What am I missing?

Forgot to mention, I also assigned the "xyz" MSSQL account to the
SQLAgentUserRole in the msdb database.
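
The setup described in the post, written out as T-SQL and followed by a query that confirms what the proxy is actually bound to. This is an added example, not part of the original post; the names abc_job, dom01\abc, abc_prox and xyz come from the post, the credential secret is a placeholder, and it assumes the "xyz" login may not yet have a user in msdb.

```sql
USE master;
GO
-- Credential that stores the non-admin Windows account the step will run as.
-- The secret below is a placeholder, not a real value.
CREATE CREDENTIAL abc_job
    WITH IDENTITY = N'dom01\abc',
         SECRET   = N'<password of dom01\abc>';
GO

USE msdb;
GO
-- Proxy bound to the credential and enabled.
EXEC dbo.sp_add_proxy
     @proxy_name      = N'abc_prox',
     @credential_name = N'abc_job',
     @enabled         = 1;

-- Activate the proxy for the CmdExec subsystem only (least privilege).
EXEC dbo.sp_grant_proxy_to_subsystem
     @proxy_name     = N'abc_prox',
     @subsystem_name = N'CmdExec';

-- Let the non-sysadmin login use the proxy in its job steps.
EXEC dbo.sp_grant_login_to_proxy
     @login_name = N'xyz',
     @proxy_name = N'abc_prox';

-- The login needs an msdb user in SQLAgentUserRole to own and run jobs.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'xyz')
    CREATE USER xyz FOR LOGIN xyz;
EXEC sp_addrolemember N'SQLAgentUserRole', N'xyz';
GO

-- Verification: one row per subsystem/login grant for the proxy, showing
-- the Windows identity behind it and whether it is enabled.
SELECT p.name                AS proxy_name,
       p.enabled,
       c.name                AS credential_name,
       c.credential_identity AS windows_account,
       s.subsystem,
       SUSER_SNAME(pl.sid)   AS granted_login
FROM   dbo.sysproxies p
JOIN   sys.credentials c             ON c.credential_id = p.credential_id
LEFT   JOIN dbo.sysproxysubsystem ps ON ps.proxy_id     = p.proxy_id
LEFT   JOIN dbo.syssubsystems s      ON s.subsystem_id  = ps.subsystem_id
LEFT   JOIN dbo.sysproxylogin pl     ON pl.proxy_id     = p.proxy_id
WHERE  p.name = N'abc_prox';
```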
