Keeping users out of SA password

  • I am working on a server that uses 'sa' and therefore I cannot rename it. I have users that when they log in can see their login and the sa login, but no other users. How do I hide the sa login or, at a minimum, keep them from changing sa properties?

  • Mark R1 (7/23/2012)


    I am working on a server that uses 'sa' and therefore I cannot rename it. I have users that when they log in can see their login and the sa login, but no other users. How do I hide the sa login or, at a minimum, keep them from changing sa properties?

    If they can change the "SA" login properties, that must mean that you have users/logins (other than DBAs) that have "SA" privs. There's only one way to fix that and no one is going to like it. You have to start locking the system down. That means no users with "SA" privs and that includes (especially includes) applications that use the "SA" login.

    It's a hard bullet to bite but, right now, if a hacker gets in, the hacker will have "SA" privs. At the best (and something I strive for), application logins should only have PUBLIC privs and the privs to run certain stored procedures. At their worst, they should never have more than DBO privs.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • I would run it up the chain as a security hole. Explain the problems and then work to remove all users that are not DBA from the sysadmin role. When removing them - change the sa password.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events
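
    The lockdown sequence that Jeff Moden and SQLRNNR describe above (find out who holds sysadmin, remove everyone who is not a DBA, rotate the sa password, and give application logins only PUBLIC plus EXECUTE on specific procedures) as an added T-SQL example; it is not code from any poster in this thread. The login, database and procedure names ([SomeUserLogin], [AppDb], [AppLogin], [AppUser], dbo.usp_GetOrders) and the password strings are placeholders to replace.

```sql
-- Added example, not from the thread. All names and passwords are placeholders.

-- 1. Audit: which logins hold sysadmin or securityadmin? Anyone in sysadmin
--    can alter the sa login (and everything else on the instance).
SELECT r.name AS server_role, m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
ORDER BY r.name, m.name;

-- 2. Audit: logins that can change other logins without being in sysadmin,
--    through an explicit server-level grant.
SELECT p.name AS grantee, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN ('ALTER ANY LOGIN', 'CONTROL SERVER');

-- 3. Remove a non-DBA login from sysadmin (repeat per login, after sign-off).
ALTER SERVER ROLE sysadmin DROP MEMBER [SomeUserLogin];
-- SQL Server 2008 R2 and earlier use the procedure form instead:
-- EXEC sp_dropsrvrolemember 'SomeUserLogin', 'sysadmin';

-- 4. Rotate the sa password once the membership changes are in place,
--    since everyone removed may have known or used it.
ALTER LOGIN sa WITH PASSWORD = 'REPLACE-WITH-A-STRONG-PASSWORD';

-- 5. Least-privilege application login: PUBLIC at the server, and in the
--    database only EXECUTE on the procedures the application actually calls.
CREATE LOGIN [AppLogin] WITH PASSWORD = 'REPLACE-WITH-A-STRONG-PASSWORD';
USE [AppDb];
CREATE USER [AppUser] FOR LOGIN [AppLogin];
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrders TO [AppUser];

-- 6. Verify from the application login's point of view.
EXECUTE AS LOGIN = 'AppLogin';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- should be 0
SELECT permission_name
FROM fn_my_permissions(NULL, 'SERVER');                -- no ALTER ANY LOGIN / CONTROL SERVER
SELECT permission_name, entity_name
FROM fn_my_permissions('dbo.usp_GetOrders', 'OBJECT'); -- EXECUTE only
REVERT;
```

    Run steps 1 and 2 as a DBA before changing anything, so the list of logins to remove can be agreed with the people who own them; the sa login in this thread is shared with the hosting company, so step 4 has to be coordinated with them rather than done unilaterally.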

  • SQLRNNR (7/23/2012)


    I would run it up the chain as a security hole. Explain the problems and then work to remove all users that are not DBA from the sysadmin role. When removing them - change the sa password.

    +1. Explain, get permission, fix this login by login

  • This is a poorly done SaaS implementation that another company is hosting. I have been locking down individual logins, but that does no good unless I can restrict the sa login. The sa login is controlled by the SaaS company. I can't control what apps are using sa.

  • Mark R1 (7/23/2012)


    This is a poorly done SaaS implementation that another company is hosting. I have been locking down individual logins, but that does no good unless I can restrict the sa login. The sa login is controlled by the SaaS company. I can't control what apps are using sa.

    If the users have membership in the sysadmin role, then they own the server. It's their bitch and they can do whatever they want with it.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Mark R1 (7/23/2012)


    This is a poorly done SaaS implementation that another company is hosting. I have been locking down individual logins, but that does no good unless I can restrict the sa login. The sa login is controlled by the SaaS company. I can't control what apps are using sa.

    Then put that on a separate server with nothing else.

    What's the name of that "fine" company? I'd like to make sure I avoid them. 😉

    --Jeff Moden


  • Jeff Moden (7/25/2012)


    Then put that on a separate server with nothing else.

    What's the name of that "fine" company? I'd like to make sure I avoid them. 😉

    +1

  • Jeff Moden (7/25/2012)


    Mark R1 (7/23/2012)


    This is a poorly done SaaS implementation that another company is hosting. I have been locking down individual logins, but that does no good unless I can restrict the sa login. The sa login is controlled by the SaaS company. I can't control what apps are using sa.

    Then put that on a separate server with nothing else.

    What's the name of that "fine" company? I'd like to make sure I avoid them. 😉

    +1

    Jason...AKA CirqueDeSQLeil
