Guidelines on Securing folders for Database Files and Program Files of a SQL Server Installation

Applies to: SQL Server 2008 R2 Datacenter, SQL Server 2008 R2 Developer, SQL Server 2008 R2 Enterprise

Summary


For any SQL Server installation, take care to ensure that only necessary accounts have permissions on the database files and on the SQL Server installed files and binaries. SQL Server Setup grants appropriate file access permissions on the physical data and log files of each database to specific accounts, both during installation and when users create databases after installation. If the permissions on these files are altered outside of SQL Server, the Database Engine does not try to enforce the original permissions, and the instance could end up in an unsupported state. For example, if a Windows administrator grants everyone full control on the database files and on the SQL Server installed files and binaries, any user on the system can delete, modify, or replace the files even though they may not have SQL Server permissions to access or modify the database itself.

Only the administrators on the machine and the SQL Server service groups should have full control permissions on the DATA folder of SQL Server, and only administrators should have full control permission on the BINN folder of the SQL Server installation.
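One way to check both folders against this guidance, as an added example that is not part of the original article. The folder paths, the service-group pattern, and the function name Test-SqlFolderAcl are assumptions; replace the placeholders with the values for your instance.

```powershell
# Added example, not from the original article. Requires Windows PowerShell 3.0 or later.
# The folder paths and the service-group pattern are placeholders (assumptions).
$DataFolder   = 'D:\PLACEHOLDER\MSSQL\DATA'
$BinnFolder   = 'D:\PLACEHOLDER\MSSQL\Binn'
$Admins       = '^BUILTIN\\Administrators$'
$ServiceGroup = '^PLACEHOLDER\\SqlServiceGroup$'   # regex for this instance's service group

function Test-SqlFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]   $Path,
        [Parameter(Mandatory = $true)][string[]] $Expected,      # may hold any permission
        [Parameter(Mandatory = $true)][string[]] $FullControlOk  # may hold full control
    )
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id     = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        # FullControl is 0x1F01FF; an ACE stored as GENERIC_ALL (0x10000000) is equivalent.
        $isFull = (($rights -band 0x1F01FF) -eq 0x1F01FF) -or (($rights -band 0x10000000) -ne 0)
        $known  = @($Expected      | Where-Object { $id -match $_ }).Count -gt 0
        $fullOk = @($FullControlOk | Where-Object { $id -match $_ }).Count -gt 0
        $issue  = $null
        if (-not $known) { $issue = 'Unexpected principal' }
        elseif ($isFull -and -not $fullOk) { $issue = 'Full control not allowed' }
        if ($issue) {
            [pscustomobject]@{
                Folder = $Path; Identity = $id; Issue = $issue
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}

# DATA: administrators and the service group may hold full control.
Test-SqlFolderAcl -Path $DataFolder -Expected $Admins, $ServiceGroup -FullControlOk $Admins, $ServiceGroup
# BINN: only administrators may hold full control.
Test-SqlFolderAcl -Path $BinnFolder -Expected $Admins, $ServiceGroup -FullControlOk $Admins
```

No output means every Allow entry on the folder belongs to a listed principal and full control is held only where the guidance permits it. Extend the pattern lists if your approved baseline names other principals.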

During the installation, follow the best practices discussed in the article Securing SQL Server.

More Information


For more information about securing your SQL Server installation, please refer to the following articles.

Securing Data and Log Files

Setting Up Windows Service Accounts 

For more information about the products or tools that automatically check for this condition on your instance of SQL Server and on the versions of the SQL Server product, see the following table:

| Rule software | Rule title | Rule description | Product versions against which the rule is evaluated |
| --- | --- | --- | --- |
| SQL Server 2008 R2 Best Practice Analyzer (SQL Server 2008 R2 BPA) | Permission on the Binn folder; Permission on the Data folder | The SQL Server 2008 R2 Best Practice Analyzer (SQL Server 2008 R2 BPA) provides a rule to detect when an account that is not an administrator on the computer, or an account that is not a SQL Server service group, has permissions on the BINN folder and the DATA folder. If you run the BPA tool and encounter a Warning with the title Engine – Permission on the Data Folder or Engine – Permission on the Binn folder, then your SQL Server 2008 or SQL Server 2008 R2 folder permissions have been changed since SQL Server Setup ran and are not set according to best practices. | SQL Server 2008, SQL Server 2008 R2 |
| SQL Server 2012 Best Practice Analyzer (SQL Server 2012 BPA) | Permission on the Binn folder; Permission on the Data folder | The SQL Server 2012 Best Practice Analyzer (SQL Server 2012 BPA) provides a rule to detect when an account that is not an administrator on the computer, or an account that is not a SQL Server service group, has permissions on the BINN folder and the DATA folder. If you run the BPA tool and encounter a Warning with the title Engine – Permission on the Data Folder or Engine – Permission on the Binn folder, then your SQL Server 2012 folder permissions have been changed since SQL Server Setup ran and are not set according to best practices. | SQL Server 2012 |