Odd Audit Request

Question

Odd Audit Request

Viewing 5 posts - 16 through 19 (of 19 total)

You must be logged in to reply to this topic. Login to reply

@SQLNumpty SSCrazy Points: 2940 More actions · Answer 1

Markus (10/30/2009)
Problem is we have a lot of purchased apps that REQUIRE to install you use the sa login to install it. In that install process it will create the valid userids and rights the app uses then. Odd I know but it is reality.

Then you should be the one who installs it ... Afterwards, go through the system and check there are no backdoors in the system.

Had such a request last Wednesday evening. We have just built a new SQL 2005 cluster and migrated 12 CRM databases over to it. A 3rd party wanted their old SA access back again to run an install. No but I'll run whatever you need. Compromised on dbcreator access for the duration of the install. Job done, no sweat! 😎

Now all I have to do is unpick the SA spaghetti in all the other servers ... Ho hum. Just another day of fun for a contractor. :crying:

george sibbald SSC Guru Points: 104210 More actions · Answer 2

just a warning to those guys who have renamed the 'sa' account

http://support.microsoft.com/kb/960781

---------------------------------------------------------------------

@SQLNumpty SSCrazy Points: 2940 More actions · Answer 3

george sibbald-364359 (10/31/2009)
just a warning to those guys who have renamed the 'sa' account
http://support.microsoft.com/kb/960781

Sounds like schoolboy error from MS! Perhaps they should have used where sid = 0x01 and not looked for sa as a name ... :crazy:

george sibbald SSC Guru Points: 104210 More actions · Answer 4

Mark_Pratt (10/31/2009)
george sibbald-364359 (10/31/2009)
just a warning to those guys who have renamed the 'sa' account
http://support.microsoft.com/kb/960781
Sounds like schoolboy error from MS! Perhaps they should have used where sid = 0x01 and not looked for sa as a name ... :crazy:

yes I was surprised!

---------------------------------------------------------------------

Ross McMicken SSCarpal Tunnel Points: 4436 More actions · Answer 5

We told our main vendor that sa was no longer an option. Period. They complained, but finally changed their install and update routines to work just fine with dbo equivalence on the requisite databases. We don't allow any app to create users - that gets done beofre the install starts, and follows a fairly strong change management process.