June 4, 2004 at 11:38 am
Hi everyone,
I am running SQL 2000 on Win 2000. The databases are set up with SQL Server and Windows authentication. Can the system admins in the company access the databases? If yes, I am looking for ways to not allow them access. Thanks in advance for your help.
June 4, 2004 at 11:48 am
If System Admins really wants it, he/she can do it especially with Windows Authentication. However, there are a couple ways to prevent System Admins to explore databases.
One of them is to delete "BUILTIN\Administrators" login ID. That will take 'sa' level from whoever Local Admin on the SQL server box.
There are a few others but this is MSFT recommended way I believe.
June 4, 2004 at 10:21 pm
To prevent sysadmins to explore databases you need also password-protect database backups. But theoretically a sysadmin may stop SQL Server, copy a database file to another SQL Server computer and run sp_attach_single_file_db. Now he will have a nice individual access to your data.
I would limit a membership in Windows Administrators on the server to people you trust. But do not forget that somebody should maintain your server too. They need access.
If you really need to remove Builtin\Administrators from SQL Server do not forget to add yourself first and the account that the Agent starts and make them members of System Administrators role
Regards,
Yelena
Regards,Yelena Varsha
June 7, 2004 at 6:02 am
If you are talking about how to prevent SQL System Administrators from access databases, you can NOT do this. Some other DBMSs allow access by system admins to be prevented, but not SQL Server.
There are 2 options to limit the effect of this in SQL Server.
1) Install a tool such as Entrgra, and monitor all select/insert/update/delete access to sensitive databases by system admin users. Get the system admins to justify their access to the sensitive databases.
2) Encrypt the sensitive databases so that even if system admins look at the data, it is meaningless.
Both of these options are a long way from being free, and both will involve a lot of DBA and non-DBA administration to set up and use. Also, encryption in SQL2000 will require application changes to implement, but may not do so in Yukon.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
June 7, 2004 at 9:35 am
hm... this is an interesting issue. What type of Sys Admin are we talking about. Our NT sysadmin are not allow to get into SQL Server. They have no rights to see anything. Our sql sysadmin can see everything but what are you concerning about? Does sql sysadmin really want to see everythings that is going on? There are thousands of databases and hundreds of servers that we took care, but personally I don't want to open up and look at them. If DBAs and developers need help then I would have to get into the database and try to sort out what they want and what they expected, but that's all my limitation. Everyone in where I work had to pass background check and criminal check from janitor to the executive. On top of this we don't have access to those individual applications.
mom
June 7, 2004 at 9:43 am
SQL SysAdmin - Yes and no. Natively you cannot prevent access, but Protegra and other products allow you to encrypt the data and this prevent access to the information. The sysadmin can still get to the data, but cannot read it.
NT Admins - Remove Builtin/Admins from logins will do this. However, I allow them access, just with administrative controls. If one of them accessed the data without authorization, same as file shares, they'd be fired. They are handy for remote hands when needed.
June 7, 2004 at 11:37 am
Bottom line is that if the login BUILTIN/ADMINISTRATORS exists, the Windows admins have access to SQL Server.
Depending on how much security you want, you can remove that login and they will no longer have access--provided they don't have any other login to SQL Server (for instance, if they created themselves a new login while using Builtin/Adminstrator login).
If you need more security, you'll need to follow the suggestions about encrypting the data.
-SQLBill
June 7, 2004 at 11:39 am
Below are couple of articles you might want to take a look if you want to remove builtin\admin group and run clusters or Fulltext Search service.
For Clusters :
http://support.microsoft.com/?id=263712
Full text Search :
http://support.microsoft.com/default.aspx?scid=kb;EN-US;317746
June 7, 2004 at 3:44 pm
A big thank you to everyone for your informative responses. I removed the builtin\admin account and added the NT Authority\System as was said in this document from Microsoft.
http://support.microsoft.com/default.aspx?scid=kb;en-us;263712
After doing so, the Domain Sys Admins were not able to access the databases.
One thing though, 5 minutes after making this change, a few of our staff got the sasser virus, which says something like 'NT Authority\System...Your system will be shutdown....' Is there a link between the change I made and the sasser being able to get into our network?
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply