"sa" and need to "permit access to db"

  • If someone is made "sa" (under Server Roles in Enterprise Manager) is there any reason to explicitly grant them permission to any databases? ("Database Access > Permit")

    TIA,

    Bill

  • I assume you mean you place them in the "System Administrators" server role. If this is the case, then the answer is no. Being in this role allows you access to do everything.

    Gregory Larsen, DBA

    If you are looking for SQL Server Examples check out my website at http://www.geocities.com/sqlserverexamples

    Gregory A. Larsen, MVP

  • With that being said, be very careful who you give this role to, as these users are able to execute xp_cmdshell under the context of the SQL Server user and do "bad stuff" to things out on your network. That is, if you have the SQL Server Service account logging in as a domain user. Also make sure the SA has a VERY strong password if you are using mixed security. Believe me, you don't want that laying on your neck...

    Which kinda brings me to another subject, kinda related to this. When you set SQL Server to use NT Security as its only mode of authentication, I thought this meant that the SA user was "disabled" in a sense. However, while installing SQL SP3 for SQL2k, it still asks you to secure the SA password.

    Is it just that SP3 is stupid and it doesn't realize you're set to NT only security, or is the SA user still available in some way, therefore it needs to be secured?

    Just curious...

    -JB

  • Check out Brian Kelley's article http://www.sqlservercentral.com/columnists/bkelley/sp3coresecurity.asp about SP3. He says "The reason for this is simple: if an attacker can access and modify the registry, it's a simple matter to toggle the server to Mixed Mode."

    Kathi

    Aunt Kathi Data Platform MVP
    Author of Expert T-SQL Window Functions
    Simple-Talk Editor
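
An added audit example, not part of any post in this thread: it reports who holds the sysadmin role, which authentication mode the server is in, and which SQL logins have no password. It assumes SQL Server 2000, the `master.dbo.syslogins` system table, and a session already running as a sysadmin; the `#findings` table name is made up for the example.

```sql
-- Added audit example for SQL Server 2000; run in Query Analyzer as a sysadmin.
SET NOCOUNT ON;

-- Hypothetical scratch table that collects one row per finding.
CREATE TABLE #findings (
    check_name varchar(40)   NOT NULL,
    detail     nvarchar(256) NOT NULL
);

-- 1. Every login in the sysadmin fixed server role. These logins need no
--    per-database "permit" and can run xp_cmdshell as the service account.
--    A Windows group here grants the role to every member of that group.
INSERT INTO #findings (check_name, detail)
SELECT 'sysadmin member',
       loginname + CASE WHEN isntgroup = 1 THEN ' (Windows group)'
                        WHEN isntname  = 1 THEN ' (Windows user)'
                        ELSE ' (SQL login)' END
FROM master.dbo.syslogins
WHERE sysadmin = 1;

-- 2. Authentication mode. The setting lives in the registry, so a
--    Windows-only result does not make the sa password irrelevant.
INSERT INTO #findings (check_name, detail)
SELECT 'authentication mode',
       CASE WHEN CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly')) = 1
            THEN 'Windows only'
            ELSE 'mixed mode' END;

-- 3. SQL logins (sa included) that have no password set. Windows logins
--    also carry a NULL password column, so they are filtered out.
INSERT INTO #findings (check_name, detail)
SELECT 'SQL login without password', loginname
FROM master.dbo.syslogins
WHERE isntname = 0
  AND password IS NULL;

SELECT check_name, detail
FROM #findings
ORDER BY check_name, detail;

DROP TABLE #findings;
```

Any row under "SQL login without password" is worth fixing even when the mode row reads "Windows only", for the reason quoted from the SP3 article above.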
