April 12, 2012 at 1:40 pm
Brandie Tarvin (4/12/2012)
What Gail said on the above. Except, if I recall correctly, does the job run under the credentials of the person running it (if it's run manually?), or am I completely off base with that one?
As far as I know a person who runs a job manually has no effect on what security context the job runs in. The job owner, and proxy accounts if applicable, determine the execution security context regardless of who or what starts the job.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
April 12, 2012 at 2:16 pm
Brandie Tarvin (4/12/2012)
Why does the replacement user need similar privledges? You're just shooting yourself in the foot.Remember, least permissions needed to do the job (figuratively and literally) should be the rule here.
The only reason why I want to create a user with a similar privileges as the sa user is, because I'm trying to disable the sa user; as a general rule it should not be used as it is a perfect target for hackers.
Thank you!
April 12, 2012 at 2:24 pm
tt-615680 (4/12/2012)
Brandie Tarvin (4/12/2012)
Why does the replacement user need similar privledges? You're just shooting yourself in the foot.Remember, least permissions needed to do the job (figuratively and literally) should be the rule here.
The only reason why I want to create a user with a similar privileges as the sa user is because I'm trying to disable the sa user as a general rule it should not be used as it is a perfect target for hackers.
Thank you!
We did something similar at a previous employer. Third party software needed either sa access or another user with same privledges. Created a new user for the application. Only that applications admin had the password, just like I was the only one to have the sa password on that applications sql servers. The passwords were written down, sealed in an envelop, and that secured away should it be needed.
April 12, 2012 at 2:25 pm
tt-615680 (4/12/2012)
Brandie Tarvin (4/12/2012)
Why does the replacement user need similar privledges? You're just shooting yourself in the foot.Remember, least permissions needed to do the job (figuratively and literally) should be the rule here.
The only reason why I want to create a user with a similar privileges as the sa user is because I'm trying to disable the sa user as a general rule it should not be used as it is a perfect target for hackers.
Thank you!
That's only part of the problem with sa, or more to the point, membership in the sysadmin Fixed Server Role. By allowing a login to be a member of the sysadmin Role you are allowing them access to all aspects of your instance, and in some cases the entire physical server. This can be a very bad thing, and is why Brandie pointed out that all logins should follow the rules of "least privilege", i.e. they should only be able access what they need, nothing more, nothing less. By creating another login not-named sa and putting them in the sysadmin Role you're only addressing a portion of the issue, and in my opinion, not the most important portion.
Remediation steps:
1. Find out what the current users of the sa login actually need.
2. Create a new login for each of those people and grant their new login only those permissions they need.
3. Switch those users over to using their new logins.
4. Run a trace for a few days, or a normal business cycle, to make sure noone else is logging in as sa.
5.Disable sa.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
April 13, 2012 at 5:28 am
opc.three (4/12/2012)
tt-615680 (4/12/2012)
Brandie Tarvin (4/12/2012)
Why does the replacement user need similar privledges? You're just shooting yourself in the foot.Remember, least permissions needed to do the job (figuratively and literally) should be the rule here.
The only reason why I want to create a user with a similar privileges as the sa user is because I'm trying to disable the sa user as a general rule it should not be used as it is a perfect target for hackers.
That's only part of the problem with sa, or more to the point, membership in the sysadmin Fixed Server Role. By allowing a login to be a member of the sysadmin Role you are allowing them access to all aspects of your instance, and in some cases the entire physical server. This can be a very bad thing...
This ^. EDIT: There is no reason to give similar permissions to sa except...
BTW, as Lynn pointed out, sometimes vendors develop third party apps which require access to the sa user. Many of us here on SSC disgree with this practice and advocate pushing back. However, sometimes you do actually have to bit the bullet and allow that access (business politics). That is the only time I would actually allow an application to use sa, and I would fight even that so hard that I'd leave claw marks in the floor and walls of the building.
April 13, 2012 at 6:26 am
Brandie Tarvin (4/13/2012)
opc.three (4/12/2012)
tt-615680 (4/12/2012)
Brandie Tarvin (4/12/2012)
Why does the replacement user need similar privledges? You're just shooting yourself in the foot.Remember, least permissions needed to do the job (figuratively and literally) should be the rule here.
The only reason why I want to create a user with a similar privileges as the sa user is because I'm trying to disable the sa user as a general rule it should not be used as it is a perfect target for hackers.
That's only part of the problem with sa, or more to the point, membership in the sysadmin Fixed Server Role. By allowing a login to be a member of the sysadmin Role you are allowing them access to all aspects of your instance, and in some cases the entire physical server. This can be a very bad thing...
This ^. EDIT: There is no reason to give similar permissions to sa except...
BTW, as Lynn pointed out, sometimes vendors develop third party apps which require access to the sa user. Many of us here on SSC disgree with this practice and advocate pushing back. However, sometimes you do actually have to bit the bullet and allow that access (business politics). That is the only time I would actually allow an application to use sa, and I would fight even that so hard that I'd leave claw marks in the floor and walls of the building.
Hehehehehehe... I have 2 words for you. "Great Plains" LMAO :hehe:
Jared
CE - Microsoft
April 20, 2012 at 3:12 am
Thank you All for all of your comments and opinions, it is much appreciated!
April 20, 2012 at 4:50 am
You are welcome. We all hope it helps.
Viewing 8 posts - 16 through 22 (of 22 total)
You must be logged in to reply to this topic. Login to reply