Thursday, December 12, 2013

SQL Server 2012 and the [NT SERVICE\winmgmt] account

I've been diving in to some of the finer details of SQL Server 2012 recently and one item I noticed was an account I've never seen before called [NT SERVICE\winmgmt].  By definition:

Windows Management Instrumentation (WMI) must be able to connect to the Database Engine. To support this, the per-service SID of the Windows WMI provider (NT SERVICE\winmgmt) is provisioned in the Database Engine.

Now, that's all fine and dandy - er, not really.  As Argenis Fernandez [blog | twitter] pointed out in this blog post, it's quite possible to circumvent one of these accounts and get yourself connected as a sysadmin.  Not cool.  Especially since per Microsoft, there are a very distinct set of lesser privileges that this account requires - so why are they not the default?  I'm still searching for the answer to that.


The SQL WMI provider requires the following permissions:

  • Membership in the db_ddladmin or db_owner fixed database roles in the msdb database.
  • CREATE DDL EVENT NOTIFICATION permission in the server.
  • CREATE TRACE EVENT NOTIFICATION permission in the Database Engine.
  • VIEW ANY DATABASE server-level permission.
    SQL Server setup creates a SQL WMI namespace and grants read permission to the SQL Server Agent service-SID.
If you wish to copy and paste a script into SSMS, this will reduce the permission of the [NT SERVICE\winmgmt] account to the least required.

ALTER SERVER ROLE [sysadmin] DROP MEMBER [NT SERVICE\Winmgmt]
GO

USE [msdb]
GO
CREATE USER [NT SERVICE\Winmgmt] FOR LOGIN [NT SERVICE\Winmgmt]
GO
ALTER ROLE [db_ddladmin] ADD MEMBER [NT SERVICE\Winmgmt]
GO

use [master]
GO
GRANT CREATE DDL EVENT NOTIFICATION TO [NT SERVICE\Winmgmt]
GO
GRANT CREATE TRACE EVENT NOTIFICATION TO [NT SERVICE\Winmgmt]
GO
GRANT VIEW ANY DATABASE TO [NT SERVICE\Winmgmt]
GO