December 16, 2013 at 2:30 pm
Our SQL DBAs have not been given RDP access to the SQL machines in our environment. While they realize they do not need RDP access to setup maintenance plans because this can be done via SSMS, they claim it is helpful to be able to see (things) like the amount of free space on the drives, where the data and log files are stored, access to the server Event Logs, access to the server Task Manager Performance tab, access to the Services, and a few other OS functions. Is it common and necessary for SQL DBAs to have RDP access to the Windows Server or can they perform all their work via SSMS?
December 16, 2013 at 2:43 pm
do they do installs? RDP is needed for that.
Is remote DAC enabled so DBAs could get on if SQL is unresponsive?
whilst all SQL based work can be done via SSMS having RDP access makes it easier for DBAs to do the full range of their tasks especially when troubleshooting so why do you want to make it harder for them? A dBA can do a lot of damage (including branching out to the OS) via the high level of access they will have in Sql server, so what are you trying to protect against?
If a server supports SQL DBAs should be trusted as much as the sysadmins on that server.
---------------------------------------------------------------------
December 16, 2013 at 2:46 pm
...........and no they cannot do all their work via SSMS.
As a DBA I have performed all those other functions you mention and more
---------------------------------------------------------------------
December 16, 2013 at 3:04 pm
They do not do installs.
Not sure what DAC enablement is for? If the server is down, we bring it back up for them.
We just feel the DBAs need to stay off the server to prevent any possible damage to the server itself.
If SSMS gives them what they need, why risk giving them RDP access?
December 16, 2013 at 3:14 pm
defyant_2004 (12/16/2013)
They do not do installs.Not sure what DAC enablement is for? If the server is down, we bring it back up for them.
We just feel the DBAs need to stay off the server to prevent any possible damage to the server itself.
If SSMS gives them what they need, why risk giving them RDP access?
So you trust these people to manage, maintain and secure the company's most valuable asset (data) but at the same time you do not trust these same highly technical people with a server? I know that is how some shops work but it seems overly paranoid to me.
Honestly what exactly are you trying to protect? What IS the risk of a DBA having RDP access to the server they are responsible for keeping running well? I am honestly curious because I would like to know what the risk truly is for this.
[sarcasm]
We just feel the DBAs need to stay off the server to prevent any possible damage to the server itself.
I agree 100% that no DBA should be allowed to sit, hang or any other things I envision from the old suitcase commercials with the gorillas to any self respecting server. 😀
[/sarcasm]
_______________________________________________________________
Need help? Help us help you.
Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.
Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.
Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
December 16, 2013 at 3:24 pm
As a DBA, the #1 reason (for me) I seem to need access to the server itself are for diagnosing ETL issues and managing of SSIS packages;
we have a lot of SSIS packages, adn they exist and are executed on the server.
We have a large number of scheduled jobs migrate data from various flat file resources to staging folders for further processing; think of the classic migrating of SFTP files from one source to the server, so they can be bulk inserted, bcp, or have an SSIS package fiddle with them.
I very often need to open those files directly, and for that
access to the proper folders or shares.
Lowell
December 16, 2013 at 3:25 pm
We really want to protect the server and limit the amount of unnecessary access. Although I am not an expert at DBA work, I have used SSMS in the past and it seems to provide everything our DBAs should need to maintain our SQL Servers without logging onto the server itself and messing things up. We have a 90% uptime we must keep. We also want to prevent any risk for corrupting our Windows Server installations.
December 16, 2013 at 3:27 pm
I have worked in highly secure environments where ONLY RDP access was allowed. RDP access does make it much simpler and the real question is "do you trust the DBAs or not?" If the answer is no then why do you trust your system people MORE than your DBAs, people who specialize in the software? These people have VERY high level access, restricting RDP is not making you more secure, you are making it harder to do their work with no appreciable benefit.
CEWII
December 16, 2013 at 3:27 pm
We do not use SSIS or Reporting Services. We only use MS SQL database engine.
December 16, 2013 at 3:35 pm
It doesn't matter, have "console" access to the machine running the database server makes things easier. I have yet to have someone give a valid reason to prevent RDP from either a system admin or a database admin.
What are you afraid of?
CEWII
December 16, 2013 at 3:40 pm
defyant_2004 (12/16/2013)
We really want to protect the server and limit the amount of unnecessary access. Although I am not an expert at DBA work, I have used SSMS in the past and it seems to provide everything our DBAs should need to maintain our SQL Servers without logging onto the server itself and messing things up. We have a 90% uptime we must keep. We also want to prevent any risk for corrupting our Windows Server installations.
this sounds more like you want to keep people away from what you perceive is your responsibility, rather than making sure the company's needs are best served.
try to get away from putting barriers between you and the DBA's; think of working together instead.
turn your question around: what business do YOU have touching the SQL Server without the DBA knowing about it?
when you think of it that way, maybe you'll think, oh yeah, we need to talk to each other before we install updates/take server offline/defrag disks, etc., and they would do the same when they run out of disk space from backups and other things.
Lowell
December 16, 2013 at 8:12 pm
Gotta land on the other side on this one.
I spent close to 10 years as a DBA for a major insurance company and most of that time I did not have access to the production servers through RDP. I could only get to SQL Server itself and some of the file shares we used for data storage and backups. And I never really missed RDP.
Now, I didn't do installs or I would have needed it. But with that one caveat, it's pretty easy to work around it.
Sorry everyone.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
December 17, 2013 at 3:35 am
this sounds more like you want to keep people away from what you perceive is your responsibility, rather than making sure the company's needs are best served.
try to get away from putting barriers between you and the DBA's; think of working together instead.
I agree with this.
Yes, it is possible to do the work without RDP access to your servers, but it would be like working with one hand tied behind your back.
December 17, 2013 at 3:47 am
defyant_2004 (12/16/2013)
They do not do installs.
Who does? People who are not expert in SQL server?
Not sure what DAC enablement is for? If the server is down, we bring it back up for them.
it might prevent the need to bounce the server to fix problems. If you are not aware of such tools how are you qualified to decide whether DBAs should get RDP access?
We just feel the DBAs need to stay off the server to prevent any possible damage to the server itself.
If SSMS gives them what they need, why risk giving them RDP access?
You just feel? Based on what? SSMS does not give a DBA all they need.
---------------------------------------------------------------------
December 17, 2013 at 4:15 am
defyant_2004 (12/16/2013)
We really want to protect the server and limit the amount of unnecessary access. Although I am not an expert at DBA work, I have used SSMS in the past and it seems to provide everything our DBAs should need to maintain our SQL Servers without logging onto the server itself and messing things up. We have a 90% uptime we must keep. We also want to prevent any risk for corrupting our Windows Server installations.
From your original question, this and other of your replies in the thread it seems you have simple SQL set up and your DBAs are very limited in what they are able to do. It also sounds like they would like to do more and improve the service they provide. You say yourself you are not an expert in DBA work, and using SSMS in the past is no qualification and does not give you an insight into the full range of DBA work.
Talk with your DBAs, either give them RDP and lay down ground rules or provide them remote alternatives so they can do more without having to refer to others all the time. Really I cannot see what things they would 'mess up' if they are professional.
Are any of your database related files large? Having to move those between drives or servers whilst remote involves two hops and is unnecessarily time consuming.
---------------------------------------------------------------------
Viewing 15 posts - 1 through 15 (of 29 total)
You must be logged in to reply to this topic. Login to reply