Monday, 13 January 2014
If you are using SQL Server 2012 you will probably have noticed that the default account for the SQL services has changed from that used in previous versions. With SQL 2005 and 2008 the default account for SQL service and SQL Agent service was “NT Authority\System”. This is one the built in accounts on a Windows machine, managed by the machine and selectable from a dedicated dropdown list
The Network Service account was introduced in Windows 2003 as an alternative to using the LocalSystem account, which has full local system privileges on the local machine, a major security concern.
The Network Service has limited local privileges easing these security concerns but when many services on a machine use the Network Service account it becomes harder to track which service is actually accessing resources and performing actions, because all the services are using the one Network Service account.
Also, this account, by default, has sysadmin permissions on your instance.
Most people change their service accounts to a local or domain account with limited permissions. This introduces another security problem in that this account has a password that could be hacked and used to launch some sort of attack. Changing the password of a service account regularly can be problematic though programs like Secret Server can alleviate this (www.thycotic.com)
To try and resolve some of these problems Windows 2008 R2 and above introduced a new type of account called a virtual account
Virtual accounts emulate creating many unique instances of the Network Service account, so each service runs with its own instance of the Network Service account. These unique instances of Network Service make auditing and tracking much easier.
You won’t find these virtual accounts listed in Local Users and Groups or Active Directory Users, they cannot be created, deleted, or edited and you can’t change their password. They are not in the built in account list and you won’t find them if you browse for an account.
When you install SQL 2012 on Windows Server 2008 R2 or Windows 7 and later you’ll see the services run with virtual service accounts named like:
NT Service\MSSQLSERVER or NT Service\MSSQL$<Instance Name>
NT Service\SQLSERVERAGENT or NT Service\SQLAGENT$<Instance Name>
If you change your service account and later want to switch back to using the virtual account you have to type the name in yourself since, because it doesn’t really exist anywhere, you can’t use the browse option to find it.
You also don’t know the password so you can’t type that into the appropriate box. If you do it will tell you it’s wrong. But if you leave the password fields blank and click Apply then Windows will apply the correct password for you and give the virtual account “login as a service” permissions.
One drawback of a virtual account is that it only has permissions to the local machine. If your SQL Server requires access to a network share or something on another machine then you will have to revert to a domain account.
But overall, virtual service accounts are a step in the right direction in securing our databases from attack.
More information can be found at http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx
Monday, 9 December 2013
If you are thinking of upgrading to SQL Server 2012 in the near future then why not join me in London this December, Wednesday 18th to Friday 20th December at Learning Tree’s London Education Centre (LEC) which is based at Euston House on Eversholt.
You can read more about the course and what we will be covering and also enrol on the course by following this link http://www.learningtree.co.uk/courses/2105/sql-server-2012-administration-skills-upgrade/ the link to enrol is on the right-hand side of the page.
If you any questions for me please let me know
Friday, 6 December 2013
I’m writing this blog post to simply to vent some frustration. I live in Wales’ third largest city, Newport and for some obscure unbelievable reason I am unable to get high speed internet. BT’s online speed check currently tells me the very best I can hope for is…
I never get this, if it makes 1mb download speed I am very lucky.
So back in 2012 when my BT exchange was enabled I tried to get superfast fiber broadband. The BT website said it wasn’t available to me yet. That's strange I thought to myself, I spoke with BT who said my cabinet needed to upgraded and that will be done early 2013. No worries I thought, not long now I’ll just be patient. I have no documentary evidence of this conversation, so maybe I imagined it.
Then in July this year after being told by the super-fast BT broadband checker that I still could not receive a fast broadband internet connection, I got in touch with BT again asking when I could sign up and pay them lots of money for superfast broadband. I did this via twitter and I got good service off the guys managing the twitter account, I didn’t get the answer I wanted to hear but I got told very quickly the outcome of my request. here is an excerpt of an email I was sent:
“This cabinet is not part of the Openreach commercial rollout, it is being rolled out as part of the Welsh BDUK project, Superfast Cymru.
The cabinet is currently predicted to go live in mid to late October. Customers should go to the Welsh website for more information. http://www.superfast-cymru.com/home.”
This was a change to what I was told initially but it was still going to happen later so I let it be. Full of hope for fast broadband come the autumn I make contact with nice people at Superfast Cymru, I waited until September to do this, who inform of the following:
“We can confirm from the deployment plans that your postcode area is within scope of the Superfast-cymru programme and cabinet X on the XXXXXXXX exchange that supplies your service will be enabled for fibre. According to the latest deployment plans the work should be completed in December 2013”
So yesterday afternoon waiting for a SQL Server service pack to install I though I would see if my cabinet has been enabled yet and if can get superfast broadband I’m told by the BT website that I still can’t get. I send an email and a tweet to @superfastcymru asking when I would be able to get it
I exchange some details with the nice person on the end of @superfastcymru twitter account and I get told the following
I was told the during my last round of email exchanges that the work would be complete by December. Its December today and I’m told that work hasn’t started yet but work will start at the end of December. I’m doubting work will start at the end of December…The end of December being Christmas and New Year I will be very shocked if my cabinet is upgraded during this period. Which means it has slipped again and much to my dismay I was told work will be completed by the end of summer 2014. Now I’m not a betting man but I think it safe to say I won’t getting fast internet until after my next summer holiday. Its not going to be a Christmas present anyway
I suggested that if it was end of summer 2014 it will be more than two years between my exchange getting enabled and me actually getting fast broadband. I said that I had signed up to the e-shot several times and I found it to be quite useless.
I then got this reply
I did in fact Laugh Out Loud at this – Great I thought good for them. I know for a fact lots of people have fibre already, houses on my estate can get it if they are connected to the correct cabinet - this is where my frustration comes in. In the photo below you will see a house with solar panels on the roof – its about 300 yards as the crow flies from my house – this street and all the streets on the other side of it can get super duper broadband. I can’t, It is very frustrating.
It turns out when you sign up for the e-shot – which will tell you that can in fact get fast broadband you also get signed up to a newsletter – it was the newsletter I was getting – my bad. I didn’t know they were two different things I assumed that the newsletter was in fact the e-shot. The person on the twitter account asked me for feedback on the newsletter to make it better I did some of this via twitter but I will also include it here
- My main issue - I signed up to be told when I can get fast broadband. I get a newsletter every month telling me all these lucky people have it already.
- To begin with this is OK but after six months I start to feel like its never going to happen.
- When I registered my interest in superfast broadband i don’t recall being told the difference between an e-shot and and e-newsletter. I was getting the Newsletter which servers as a reminder that
- a) I don't have it,
- b) I've told I could have it by now so the project has slipped again
- I was just expecting to be told when I could get it – the newsletter never told me that, adding to my frustrations
- Every time I saw the newsletter, I was filled with hope only to be told everyone in Bedlinog (all 10 of them) have it and I don't
- If I was interested in who has fast broadband and who doesn't then great, but that's not what I wanted. Every time i received the newsletter I thought it was confirming I was good to go but in-fact it meant no such thing.
So just a couple of things that could be improved. The newsletter is OK – but make it clear it is not the same thing as the e-shot. More importantly, give the people who can’t yet get superfast broadband a date when they can and let them know if that date changes – you e-shot people when its ready. Let people know when it slips. Obviously between September and now my date has changed – nobody has told me, I’ve spoken and registered with you several time over the last year. I’m waiting for December full of expectation, if you’d have told me I wouldn’t have been so upset when I found it wasn’t going to happen.
Anyway thanks for listening a bit off topic I know but I do feel better. Two years on I’ll go back to waiting patiently for the slow superfast broadband rollout to take place.
Monday, 18 November 2013
Tuesday, 29 October 2013
I’m in New York City this week delivering a SQL Server Virtualization and Consolidation 3 days course for Learning Tree. You might be a little too late to join me at that event but I have two more course scheduled this year
At the end of November 27th-30th I’m teaching 137 - Introduction to SQL Server 2008: Hand-on Introduction for those of you starting out with SQL Server this a great introduction to the SQL Server product. You can enrol online using the enrol button
Or if you thinking of upgrading to SQL Server 2012 in the new year, why come and spend a few days with me in London in the week before Christmas. I’ll be delivering 2105 – SQL Server 2012 Database Administration Skills Upgrade which is a three day course at the London Education Centre from the 18th to 20th December. You can pick up some last minute Christmas presents while you are there. You can enrol by choosing how you wish to attend (online or in-class) and hitting the enrol button.
Alternatively if you prefer the comfort of your own home or office you attend both courses online using Learning Tree Anyware – So you can attend class without the leaving the warmth of your study.
Thursday, 5 September 2013
A client of mine are looking for a good SQL Server DBA on a permanent basis, the location is flexible with offices in the South West and South London. The role offers a competitive package with excellent benefits, they are a great company to work for. If you have some Oracle experience or prepared to learn oracle too then this would be an advantage. If you are interested please email me (email@example.com)your CV and covering letter in the first instance and I will pass these along to my client.
Wednesday, 8 May 2013
If you read my post from yesterday you will know I will be spending some time on the US east coast at the end of May.Last week my friend and fellow Learning Tree instructor Sharon Dooley asked me if I would like to attend SQL Saturday #200 in Philadelphia which is being organised by the Philadelphia User group. Seeing as I was in-town, well close by anyway, I was delighted to accept and registered for the event
I will be traveling from DC to Philadelphia on Friday the 31st,I’m going to have myself a bit of road trip staying in a hotel close to the venue on the Friday night and enjoying the conference on the Saturday. I might be able to take in some sights early on Sunday before I return to DC for my flight home.
This will be the second SQL Saturday that I have attended and I’m very much looking forward to it. This is what the sqlsaturday.com website has to say about the event
“The Philadelphia SQL Server User's Group is extremely proud to be presenting SQL Saturday #200. The event will be held Jun 1 2013 at Microsoft 45 Liberty Blvd., Suite 210 Malvern, PA 19355. Admittance to this event is free, but we do charge a lunch fee of 10.00 so that we can provide a lunch. Please register soon as seating is limited, and let friends and colleagues know about the event.”
I’m not speaking this time, as I’m attending with relatively short notice and speaker registration had closed but the speaking line up is great and if you are going do come and say hello. If you would like to register you can sign up here http://www.sqlsaturday.com/200/eventhome.aspx