February 11, 2003 at 10:36 am
If someone is made "sa" (under Server Roles in Enterprise Manager), is there any reason to explicitly grant them permission to any databases? ("Database Access > Permit")
TIA,
Bill
February 11, 2003 at 11:20 am
I assume you mean you place them in the "System Administrators" server role. If this is the case, then the answer is no. Being in this role allows you access to do everything.
Gregory Larsen, DBA
If you're looking for SQL Server examples, check out my website at http://www.geocities.com/sqlserverexamples
Gregory A. Larsen, MVP
February 11, 2003 at 11:32 am
With that being said, be very careful who you give this role to, as these users are able to execute xp_cmdshell under the context of the SQL Server user and do "bad stuff" to things out on your network. That is, if you have the SQL Server Service account logging in as a domain user. Also make sure the SA has a VERY strong password if you are using mixed security. Believe me, you don't want that laying on your neck...
Which kinda brings me to another subject, kinda related to this. When you set SQL Server to use NT Security as its only mode of authentication, I thought this meant that the SA user was "disabled" in a sense. However, while installing SQL SP3 for SQL2k, it still asks you to secure the SA password.
Is it just that SP3 is stupid and it doesn't realize you're set to NT only security, or is the SA user still available in some way, therefore it needs to be secured?
Just curious...
-JB
February 11, 2003 at 4:46 pm
Check out Brian Kelley's article http://www.sqlservercentral.com/columnists/bkelley/sp3coresecurity.asp about SP3. He says "The reason for this is simple: if an attacker can access and modify the registry, it's a simple matter to toggle the server to Mixed Mode."
Kathi
Aunt Kathi Data Platform MVP
Author of Expert T-SQL Window Functions
Simple-Talk Editor
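An audit of the points raised in this thread, added here as an example and not posted by any of the participants: it lists who holds the System Administrators role, reports the authentication mode, and flags SQL logins with a blank password. It assumes SQL Server 2000 system objects (`master.dbo.syslogins`, `sp_helprotect`) and a connection that is itself a sysadmin.

```sql
-- Added example: sysadmin / sa exposure audit for SQL Server 2000.
USE master;

-- 1. Every login in the System Administrators role. These logins need no
--    per-database "Permit"; they already have full access everywhere.
SELECT loginname,
       CASE WHEN isntname = 1 THEN 'Windows' ELSE 'SQL' END AS login_type,
       CASE WHEN isntname = 0 AND password IS NULL
            THEN 'BLANK PASSWORD' ELSE '' END               AS warning
FROM   master.dbo.syslogins
WHERE  sysadmin = 1
ORDER  BY loginname;

-- 2. Authentication mode. 1 = Windows (NT) only, 0 = mixed mode.
--    The sa login still exists in Windows-only mode; it just cannot be
--    used to connect until the server is switched to mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3. Any SQL login (sysadmin or not) with a blank password. Windows
--    logins are excluded because their password column is always NULL.
SELECT loginname
FROM   master.dbo.syslogins
WHERE  isntname = 0
  AND  password IS NULL;

-- 4. Explicit grants on xp_cmdshell to non-sysadmin principals.
--    Reports that there are no matching rows when nothing was granted.
EXEC sp_helprotect 'xp_cmdshell';
```

A strong sa password matters even when query 2 returns 1, for the reason quoted from the SP3 article: the mode is a registry setting that can be toggled back to mixed.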