Perform Volume Maintenance Tasks security policy

Introduction

You may see this policy more commonly referenced as Database Instant File Initialization (DIFI). If you are not familiar with file initialization, it is the process SQL Server has to go through when it creates the data files for a given database, and again during an expansion event (either manual or from auto growth) for a database. It only pertains to the data file(s) of the database; log files are not affected by this security policy. SQL Server will "zero out" the file, basically filling it with zeros to allocate the amount of space requested. If you are a new DBA, note that this configuration goes all the way back to SQL Server 2005.


Now, one thing to note is that the local Administrators group on a given Windows Server automatically gets this permission. As you should know, or are being told now, you should never give your SQL Server service account local Administrator permission; it is not a good security posture for your environment. If your organization has any security standards to follow (HIPAA, SOX, PCI, etc.), it is an auditing point to verify that your SQL Server services do not have full administrator privileges on the local server.


SQL Server service account

I am not going to go into detail about what type of service account you should use with SQL Server. Suffice it to say, it is not a good thing to be running as the Local System account. Following security best practice, I would suggest you use one of the following supported options:


  1. [Best option for domain environments]
  2. Local User Account
  3. Managed Service Account
  4. Virtual Account [default on Server 2008 R2+]

If you are working on Windows Server 2008, the default service account during SQL Server installation will be Network Service or Local System, depending on the particular service. If you are on Windows Server 2008 R2 or higher, the default is the Virtual Account. The Virtual Account takes the naming format "NT SERVICE\MSSQLSERVER" on a default instance. If you are on a new OS version, this is perfectly fine, and a secure method to use for the service account.


One special thing that you might not be aware of is that DIFI also affects your SQL Server Analysis Services (AS) databases. AS will zero out the files for those databases as well. So if you have AS in your environment, remember to add its service account to this setup too.
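The audit point from the introduction and the Analysis Services note above can be checked together. The following is an added example, not code from the original article: it reads the local user-rights assignment for SeManageVolumePrivilege (the Windows privilege constant behind "Perform volume maintenance tasks") and reports, for each Database Engine and Analysis Services service, whether its account is a local administrator and whether the policy is granted to it directly. The service-name pattern assumes default naming, and only direct members of the local Administrators group are checked.

```powershell
# Added example. Run from an elevated PowerShell prompt on the SQL Server host.
# Assumption: default service names for the Database Engine and Analysis Services.
$svcPattern = '^(MSSQLSERVER|MSSQL\$.+|MSSQLServerOLAPService|MSOLAP\$.+)$'

function Resolve-Sid([string]$Account) {
    # Service start names need small fixes before NTAccount can translate them.
    if ($Account -eq 'LocalSystem') { return 'S-1-5-18' }
    if ($Account.StartsWith('.\')) { $Account = $env:COMPUTERNAME + $Account.Substring(1) }
    try {
        [System.Security.Principal.NTAccount]::new($Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # unresolvable account: treated as "no match"
}

# 1. Export the local user-rights assignments and read the policy line.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeManageVolumePrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are "*<SID>" or, for some local accounts, a bare account name.
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $e = $_.Trim()
        if ($e.StartsWith('*')) { $e.Substring(1) } else { Resolve-Sid $e }
    })
}

# 2. Direct members of the local Administrators group (nested groups are not expanded).
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })

# 3. Compare every SQL Server / Analysis Services service against both lists.
Get-CimInstance Win32_Service | Where-Object Name -Match $svcPattern | ForEach-Object {
    $acctSid = Resolve-Sid $_.StartName
    $svcSid  = Resolve-Sid "NT SERVICE\$($_.Name)"   # per-service SID
    [pscustomobject]@{
        Service          = $_.Name
        RunsAs           = $_.StartName
        # True is the audit finding: the service has full administrator rights.
        LocalAdminRights = ($acctSid -eq 'S-1-5-18') -or ($adminSids -contains $acctSid)
        # True means the policy is granted explicitly to the account or service SID.
        DirectGrant      = [bool](@($acctSid, $svcSid) | Where-Object { $_ -and $holders -contains $_ })
    }
}
```

A service showing LocalAdminRights = False and DirectGrant = True holds the policy through an explicit grant rather than through Administrators membership.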


Problem signs
