April 27, 2010 at 8:34 am
Hi everyone,
In my security senario, i have not to enable windows administrator access to my sql server because i could not make hardware security and with lots of free tools , administrator password could be reset and by this my database could be accessible.
On Sql 2000, i easily removed administrator access to my server in sql server and everything was fine but in sql 2008 , I forced to have administrator with sysadmin role to have SQL agent started and without it i could not have log shipping on my database.
is anybody has any suggestion to solve this issue?
Regards,
Iman
April 27, 2010 at 2:40 pm
The key is to secure the server. If someone gains administrative control over the server, they have control of your SQL Server. You can't stop them. So I think you're going after the wrong goal.
K. Brian Kelley
@kbriankelley
April 27, 2010 at 10:58 pm
Thank you Brian for your reply.
But as i described, I secured the server itself for normal persons but suppose a case which a stealing happen. we experienced a case which our customer server stealed by force and they did this to use server data. Hopefully i had encrypted their datafile with administrator password so password reset made data unaccessable.
does it mean that we could not secure a server from accessing its data without hardware security?
April 28, 2010 at 7:41 am
That is correct. And if it's on a domain (which is a better security option than, in most cases), there are additional attack vectors. Here's a short write-up on them:
Blog post: You pulled BUILTIN\Administrators, but are you auditing?
K. Brian Kelley
@kbriankelley
April 28, 2010 at 11:56 pm
Thank you brian for description.
Is anybody else know how to have SQL Agent on without windows administrator access to SQL server in SQL2008?
April 29, 2010 at 6:51 am
Microsoft's recommendation in Books Online is that SQL Server Agent not be a member of the local Administrators group. However, it must be a member of the sysadmin fixed server role within SQL Server.
K. Brian Kelley
@kbriankelley
May 21, 2010 at 1:07 am
u need a proxy.
May 21, 2010 at 7:54 am
securitypanda (5/21/2010)
u need a proxy.
Credentials are a better solution in SQL Server 2005/2008. They can be tightened down per actual login.
K. Brian Kelley
@kbriankelley
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply