Clustered SQL Server

  • Does anybody here run SQL Server 2000 on a cluster?

    If so, has any one had any problems with removing the builtin administrators group from the sql server. I know that if the clustering account is the same as the sql service account then it needs to be granted login permissions as a sysadmin. Apart from that are there any gotchas?

    Many thanks,

    DeltaKilo

  • We run several SQL Server clusters, but we tend not to remove BUILTIN\Administrators from SQL Server, even on non-clustered servers for a myriad of reasons discussed in some previous threads. Is there a security requirement to remove BUILTIN\Administrators?

    If so, consider that BUILTIN\Administrators has sysadmin rights. You might try a test where you've explicitly given that account such rights and removed BUILTIN\Administrators. That should effectively be the same permission as far as the cluster is concerned.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/

    K. Brian Kelley
    @kbriankelley

  • The main reason for removing it is that anyone with domain admin permission (hackers) has automatic sysadmin access to you SQL server installation. I know that it's an academic argument as anyone who has domain admin rights can change the password and log in. Having said that should your regular domain admin have sysadmin access to sql server

    There's no need to leave the door open and the light on.

    DeltaKilo

  • The main reason for removing it is that anyone with domain admin permission (hackers) has automatic sysadmin access to you SQL server installation. I know that it's an academic argument as anyone who has domain admin rights can change the password and log in. Having said that should your regular domain admin have sysadmin access to sql server

    There's no need to leave the door open and the light on.

    DeltaKilo

  • To remove the builtin\administrators login in a clusterd environment use the Q in this header :

    How to Prevent Windows NT Administrators from Administering a Clustered SQL Server (Q263712)

  • Thanks Wootton.

    I'd read most of those already and I'm quite happy with doing this. However our NT admin isn't and that's because they're not comfortable with clustering. I want to know if anyone has done this and if they've had any problems. I just want to be able to say to the NT admin with confidence that "this will be fine".

    Thanks for your help so far,

    DeltaKilo

  • Hidee Ho on this Friiiiiday morning,

    Just thought I'd let you know that I removed sysadmin rights from the builtin group two days ago with no negative reponse. It still has dbo rights on indivdual databases but that's to be removed today and I don't forsee there being a problem.

    Thanks all for your help

    DeltaKilo

Viewing 7 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic. Login to reply