Overview
Some clients may not want our service account to have permanent "sysadmin" permissions in MSSQL. This permission can be revoked using the following procedure.
Note that the service account will still need "sysadmin" permissions during any installations and upgrades.
Procedure
After installation/upgrade and successful BAT test, do the following:
- Add the service account as an owner of the ADG database by running the following SQL query, replacing ServiceAccountName with your service account login:

    USE [ADG]
    GO
    EXEC sp_addrolemember 'db_owner', [ServiceAccountName]
    GO

- (7.5.2 and older) Confirm the service account is the owner of the eDiscovery and Infrastructure databases.
- Change the SQL permissions for the service account to only "Public", "ProcessAdmin", and "SecurityAdmin".
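
The following read-only T-SQL checks are an added example, not part of the vendor's procedure, for confirming the result of the steps above. ServiceAccountName is the same placeholder used in the query above, and the ADG database name is taken from that query.

```sql
-- Added example: post-change verification. Makes no changes to the server.
-- Assumption: replace ServiceAccountName with the service account login.
DECLARE @login sysname = N'ServiceAccountName';

-- 1. Fixed server roles held directly by the login.
--    Expected after the last step: processadmin and securityadmin only.
--    public is implicit and is never listed in sys.server_role_members.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login
ORDER BY r.name;

-- 2. Direct answer to "is the login still sysadmin?". Expected: 0.
--    NULL means the login name was not recognised.
SELECT IS_SRVROLEMEMBER(N'sysadmin', @login) AS is_sysadmin;

-- 3. Server-level permissions granted to the login outside of any role.
--    CONNECT SQL is normal; a leftover CONTROL SERVER grant would give back
--    what removing sysadmin took away.
SELECT p.state_desc, p.permission_name
FROM sys.server_permissions AS p
JOIN sys.server_principals AS m ON m.principal_id = p.grantee_principal_id
WHERE m.name = @login
  AND p.class_desc = N'SERVER';

-- 4. Owner of every database on the instance, for the ownership check
--    that applies to 7.5.2 and older.
SELECT d.name AS database_name, SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
ORDER BY d.name;

-- 5. db_owner membership inside ADG (result of the sp_addrolemember call).
--    Expected: one row for the database user mapped to the login.
SELECT u.name AS db_user, r.name AS db_role
FROM [ADG].sys.database_role_members AS rm
JOIN [ADG].sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN [ADG].sys.database_principals AS u ON u.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
  AND u.sid = SUSER_SID(@login);
```

Query 1 shows direct role membership only; a Windows login can also inherit server roles through a Windows group that has its own SQL Server login. Microsoft's documentation states that securityadmin should be treated as equivalent to sysadmin, so the service account still warrants the same monitoring after the change.
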
Notes
- No further changes to SQL permissions should be made apart from those defined in this guide.
- Forensic Tools will create new SQL users as it is used, and their permissions should not be altered. This is done for the following reasons:
  - To ensure that each database and case has the proper parameters and permissions to allow Forensic Tools to function correctly.
  - To preserve security and forensic integrity by ensuring that each case is only accessible by its own SQL user.
- The service account must be granted the "sysadmin" role during upgrades.
- The information above describes the roles / permissions granted to the service account. However, please note that the following SQL logins are automatically created during database initialization and are granted the corresponding permissions as listed:
Permission | Granted To | Login Type | Purpose |
ALTER ANY DATABASE | ADG7X1SPLogin | CERTIFICATE_MAPPED_LOGIN | Allow FTK to create/delete tables etc. |
ALTER ANY LOGIN | ADG7X1SPLogin | CERTIFICATE_MAPPED_LOGIN | Allow FTK to create/delete case app logins |
ALTER SETTINGS | ADG7X1SPLogin | CERTIFICATE_MAPPED_LOGIN | Allow FTK to manage settings for ADG and case databases |
CONTROL SERVER | ADG7X1SPLogin | CERTIFICATE_MAPPED_LOGIN | Allow FTK to link secondary servers to primary server |
CREATE ANY DATABASE | ADG7X1SPLogin | CERTIFICATE_MAPPED_LOGIN | Allow FTK to create case databases |
VIEW SERVER STATE | ADG_user ADG7x1 | SQL_LOGIN | Allow FTK to: look for sessions belonging to a particular case user; change 'tempdb' size; query the amount of physical memory on the server machine for memory management. |