Windows Management Instrumentation (WMI) must be able to connect to the Database Engine. To support this, the per-service SID of the Windows WMI provider (NT SERVICE\winmgmt) is provisioned in the Database Engine.
Now, that's all fine and dandy - er, not really. As Argenis Fernandez [blog | twitter] pointed out in this blog post, it's quite possible to circumvent one of these accounts and get yourself connected as a sysadmin. Not cool. Especially since per Microsoft, there are a very distinct set of lesser privileges that this account requires - so why are they not the default? I'm still searching for the answer to that.
The SQL WMI provider requires the following permissions:
- Membership in the db_ddladmin or db_owner fixed database roles in the msdb database.
- CREATE DDL EVENT NOTIFICATION permission in the server.
- CREATE TRACE EVENT NOTIFICATION permission in the Database Engine.
- VIEW ANY DATABASE server-level permission.SQL Server setup creates a SQL WMI namespace and grants read permission to the SQL Server Agent service-SID.
If you wish to copy and paste a script into SSMS, this will reduce the permission of the [NT SERVICE\winmgmt] account to the least required.
ALTER SERVER ROLE [sysadmin] DROP MEMBER [NT SERVICE\Winmgmt]
CREATE USER [NT SERVICE\Winmgmt] FOR LOGIN [NT SERVICE\Winmgmt]
ALTER ROLE [db_ddladmin] ADD MEMBER [NT SERVICE\Winmgmt]
GRANT CREATE DDL EVENT NOTIFICATION TO [NT SERVICE\Winmgmt]
GRANT CREATE TRACE EVENT NOTIFICATION TO [NT SERVICE\Winmgmt]
GRANT VIEW ANY DATABASE TO [NT SERVICE\Winmgmt]