Security

  • Is there anything I should be concerned about with the BuiltIn\Administrators login?

  • The BUILTIN\Administrators group is the same as the local Administrators group for the server. Basically, whatever rights (sysadmin by default) that group has, anyone with Administrative rights to the box has as well.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/

    K. Brian Kelley
    @kbriankelley

  • I usually leave this one in as a precaution for forgetting or having the sa password changed. This way you can get back in.

    Here we have an administrative policy that I will strangle any network admin that messes with my server.

    Steve Jones

    steve@dkranch.net

  • Also, if someone has administrative rights to the box and if they know much about SQL Server, they can get access to the data without too much trouble. Therefore the tradeoff for removing the BUILTIN\Administrators usually isn't worth it.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/


  • I confer, don't do anything to that account unless you really are 100% sure you have a way back in. In my group there are 9 of us that have access to the server so that is how we connect and no other group accesses any of our boxes.

    "Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)

  • So basically, with the BUILTIN\ADMINISTRATOR Login still enabled:

    A member of the Local Admin Group, even if the SQL Server is registered as SA, can log on to the Server, edit the Registration properties and change it to Windows Authentication. Thus having SA privileges (since the Builtin\Administrator login currently has the Server Role --> System Administrator).

    Is this the case?

    (We have a very large System/Server Admin. group here and I am very concerned with our Data being accessed.)

  • Yes, a member of the local Administrators group could log in to SQL Server and change the settings back and forth between Windows authentication only or Mixed Mode (both Windows authentication and SQL Server logins).

    One thing to remember is the SQL Server service does not run under "sa" but either under the LocalSystem account (not an account that one can actually log in with, but an account that had local administrator rights) or a Windows login (either local to the server or one from the domain). The login sa is a special account that has full sysadmin privileges, an account that is always created. However, when the server is in Windows authentication only mode, the sa account won't work because the sa account is a SQL Server login.

    Hopefully this clarifies things a bit.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/


  • Understood.

    But, my point is if the BUILTIN\Administrators group is enabled (has access), any member of the Local Administrators group could log in to SQL Server and have full System Administration power.

    Why not deny access to this BUILTIN\Administrators group?

    We have a HUGE System/Server Group here. Maybe 50-60 people in that group that are a part of the Local Administration Group on our SQL Servers.

    I say close the door on this.

  • It is entirely up to you, just make sure that you have a way in in case of an emergency if you choose to disable access. Also note that you get the benefit of being able to catch actual NT login names when they access this way. If you are trying to protect yourself from all unwanted access, if someone blabs the sa password and it is overheard, you will not have any way other than the machine name to know who came in. Potentially it can flow either way as far as security, and when it comes to admins on a box, the fewer the better. However, why is your department allowing 50-60 people to potentially be an admin on an NT box instead of setting up a few people as admin and the rest as power users? As long as you have that many admins you open yourself to more trouble anyway, as they can stop and start services, plus if they really wanted to do damage they could redo the SQLAgent password and circumvent security that way. Lastly, it is entirely up to you, you decide what is best for you, but keep in mind anyone with admin access to an NT server potentially can get in some way.

    "Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)

  • It comes down to a measure of trust. Now, organizations that have 50-60 user accounts with Domain Admin rights immediately tend to raise flags from a security perspective, as Antares has stated. And not only can a malicious admin tinker with the service accounts, he can tinker with *your* account.

    If security is an issue, turn on success and failure auditing for SQL Server. If an admin logs into SQL Server using a Windows account, it'll be recorded in the Security Event Log. That, at a minimum, has to occur.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/


  • An Admin. could turn off Auditing, correct?

    O.K. Since I don't know a lot of these Admin. people personally and our Data CANNOT be visible, this is my plan:

    1. Deny Access to Builtin\Administrators

    2. Create SQL Server Logins for our DBA group that has full power to SQL Server.

    3. SA - keep there. (Just not used).

    Is this a good Security measure?

    Are there any issues with this?

  • The rule of thumb is to use Windows authentication whenever possible. There are obviously exceptions, but it ensures that there is one user account, one password. There is but one login.

    Keep in mind, your data WILL be visible to an admin who knows what he's doing on SQL Server, even if you've taken away all his rights with respect to the SQL Server install. If he has administrative rights to the box, he can get to your database files. If he can get to your database files, he has got your data.

    That's why I say it involves a measure of trust.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/


  • Not a bad plan, but I agree with Brian's comments.

    Steve Jones

    steve@dkranch.net

  • What are the bad points about denying access to the BUILTIN\ADMINISTRATORS group?

    --> Members of the Local Admin. group will still be able to access the Box, correct?

    (I would assume they are just denied access to SQL Server Enterprise Manager).

  • Yes they can access the box, just not SQL Server. The bad points are not having a secondary backup to get into SQL Server.

    Steve Jones

    steve@dkranch.net
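
An added example, not part of any post in this thread: a T-SQL pre-check for the plan discussed above (deny BUILTIN\Administrators, rely on other sysadmin logins) that reports whether a way back in would remain. It assumes a sysadmin connection and reads the `master.dbo.syslogins` compatibility view; the message wording is illustrative.

```sql
-- Added example: pre-check before denying BUILTIN\Administrators.
-- Run as a sysadmin. Read-only: it changes no logins or settings.
SET NOCOUNT ON;

DECLARE @windows_only int, @other_windows int, @other_sql int;

-- 1 = Windows authentication only (sa and SQL logins cannot connect), 0 = Mixed Mode.
SET @windows_only = CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int);

-- Windows logins/groups with sysadmin, other than the built-in group, not denied.
SELECT @other_windows = COUNT(*)
FROM master.dbo.syslogins
WHERE sysadmin = 1 AND isntname = 1 AND hasaccess = 1 AND denylogin = 0
  AND UPPER(name) <> N'BUILTIN\ADMINISTRATORS';

-- SQL Server logins with sysadmin, other than sa.
SELECT @other_sql = COUNT(*)
FROM master.dbo.syslogins
WHERE sysadmin = 1 AND isntname = 0 AND LOWER(name) <> N'sa';

-- Every login that currently holds sysadmin, for review.
SELECT name, isntgroup, isntuser, hasaccess, denylogin
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY isntgroup DESC, name;

IF @other_windows > 0
    PRINT 'OK: at least one other Windows login or group holds sysadmin.';
ELSE IF @windows_only = 1
    PRINT 'STOP: Windows-only mode and no other Windows sysadmin; denying the group leaves no way back in.';
ELSE IF @other_sql > 0
    PRINT 'CAUTION: only SQL Server logins would remain as sysadmin; they stop working if the server is set to Windows authentication only.';
ELSE
    PRINT 'CAUTION: only sa would remain as sysadmin; access then depends on the sa password.';

-- Current login audit level (none, success, failure or all).
EXEC master.dbo.xp_loginconfig 'audit level';
```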
