December 8, 2008 at 1:58 am
Hi,
Sorry I'm posting this topic under SQL Server 2008 - General, but I couldn't find a SQL Server 2008 - Security forum section.
When installing SQL Server 2008 on one of our servers, there is an option of giving SQL Server administrative privileges to any Windows user. I provided the local administrator account under this section, as a result of which I'm able to access and make DDL modifications on all databases.
Since I now have to share the local administrator password with another person, and I would therefore like to restrict the local administrator's access to db_datareader.
I tried doing this under Databases > Security > Users, but even after modifying access to the user, I'm still able to create/delete tables.
I also tried doing this under Server Security > Logins, but I couldn't find the user here. I also looked for any of the user groups, but the Administrator account is not present in any of the user groups.
I also modified access on the global level (right-clicking on the server name > Properties and Security), but I'm still able to create/delete tables.
Any idea what I must do to restrict access to the local administrator? Kindly revert.
Thanks!
Guru
December 8, 2008 at 6:15 am
I would ensure that the "BUILTIN\Administrators" group is removed from the sysadmin server role.
Of course, prior to doing that make sure that you have another group, or account with sysadmin privilege that you can use to access with sysadmin rights.
December 8, 2008 at 12:44 pm
Make sure you won't lock yourself out (i.e. create your account/domain account in SQL with sysadmin, or know the sa account)
By default, I believe SQL 2008 doesn't include BUILTIN\Administrators as sysadmin, while SQL 2005 does
It is not good practice to automatically assume all Local Admins are SQL Admins
Another way is to add that other user's account specifically (say DOMAIN\userB), and give him data_reader only
The login permissions should override the group permissions
December 9, 2008 at 6:48 am
Nicholas, thanks for your reply. The user is not listed under any of the groups under Server Roles, but is still able to access the DB.
Jerry, the user is able to access and make DDL modifications to the DB even if I give only db_datareader access. Seems very strange...
For now, I've disabled the login...
Regards,
Guru
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply