July 15, 2003 at 9:30 am
Hello,
After looking closely at what can be done with command shell SP, I am now worried about the builtIn account.
The question is: after SQL has been installed in mixed mode and "BuiltIn/Administrators" (Windows) has been given "SysAdmin" access (and the SQL service runs under that same account), what will happen if I just uncheck that SysAdmin privilege (if it is possible at all)?
What other alternatives do I have (now that it is installed and working)?
Thanks
Amir
July 15, 2003 at 9:42 am
Hi amira,
quote:
What other alternatives do I have (now that it is installed and working)?
Depending on your OS you can remove BUILTIN\Administrators and add back, if wanted, the single accounts.
Although a trivial thing to do, this step should be considered carefully. You might search on this site for similar threads.
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
July 15, 2003 at 9:55 am
Well, if you don't need it you can remove xp_cmdshell. That still leaves plenty of other holes though ... you'll find plenty of good material on this site that covers security. You might want to start with:
http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp
July 15, 2003 at 10:02 am
Yes, you can uncheck the Sysadmin privileges, but they still have DBO rights on the DB; you can't uncheck either. If you don't want your NT Admins to access the DBs, just delete the BUILTIN\Admin login or deny the access to them. You can still use it as the service account, but to protect your SQL Server, it is good if your startup account has the least permissions possible.
Shas3
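The options raised in this thread (unchecking sysadmin, deleting the login, denying access), written out as T-SQL. This is an added example, not posted by any participant; it uses the SQL Server 2000-era system procedures, and MYDOMAIN\sqlsvc and MYDOMAIN\SQL-DBAs are placeholder account names.

```sql
-- Added example, not from the thread. Uses SQL Server 2000-era system procedures.
-- MYDOMAIN\sqlsvc and MYDOMAIN\SQL-DBAs are placeholder account names (assumptions).

-- 1. Record who is sysadmin today, before changing anything.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 2. Give the service account and the named DBA group their own logins,
--    so neither depends on membership in the local Administrators group.
EXEC sp_grantlogin 'MYDOMAIN\sqlsvc';
EXEC sp_addsrvrolemember 'MYDOMAIN\sqlsvc', 'sysadmin';
EXEC sp_grantlogin 'MYDOMAIN\SQL-DBAs';
EXEC sp_addsrvrolemember 'MYDOMAIN\SQL-DBAs', 'sysadmin';
GO

-- 3. Guard: stop unless a usable Windows sysadmin login exists besides
--    BUILTIN\Administrators, so the change cannot lock every Windows admin out.
IF NOT EXISTS (
    SELECT 1
    FROM master.dbo.syslogins
    WHERE sysadmin = 1 AND isntname = 1
      AND hasaccess = 1 AND denylogin = 0
      AND loginname <> 'BUILTIN\Administrators'
)
BEGIN
    RAISERROR('No other sysadmin login found; BUILTIN\Administrators left unchanged.', 16, 1);
    RETURN;
END

-- 4a. "Uncheck SysAdmin": the login stays, the server role membership goes.
EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';

-- 4b. Alternative, delete the login entirely (run instead of 4a):
-- EXEC sp_revokelogin 'BUILTIN\Administrators';

-- 4c. Alternative, explicit deny (run instead of 4a). A deny on a group
--     overrides individual grants, so it also blocks any account from step 2
--     that is a member of the local Administrators group.
-- EXEC sp_denylogin 'BUILTIN\Administrators';
GO

-- 5. Confirm the resulting sysadmin membership.
EXEC sp_helpsrvrolemember 'sysadmin';
```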
July 15, 2003 at 10:07 am
Removing the account altogether from the SQL server would be the thing I'd like to do best. So, as far as I understand, removing the account itself won't have an adverse effect on the SQL service (I'll deal with that at a later time).
July 15, 2003 at 10:15 am
I cover this in:
http://www.sqlservercentral.com/columnists/bkelley/sqlserversecuritysecurityadmins.asp
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
July 15, 2003 at 12:18 pm
Brian has good information, but we don't remove them here. We have to trust someone and we've limited admin access to a few people and they are audited.
Steve Jones