July 1, 2005 at 3:53 am
Hi all,
We distribute an Application which uses an MSDE instance. We install the database server here at our premises, attach the database file and finally install the application before the physical machine is delivered to the client. This is all fine, however it suddenly occurred to me that there is nothing to stop the end-user administrator from installing enterprise manager or another admin tool locally on the server and accessing / copying / editing the database.
As our client applications use mixed mode auth, is there any way to restrict access to the server by sa login only, and deny access by NT authentication? Maybe there is a very simple solution, either way I would be grateful for your views.
Thanks in advance,
NW
July 1, 2005 at 5:19 am
You can remove BUILTIN\ADMINISTRATORS from logins.
July 1, 2005 at 7:21 am
Chris' suggestion to remove BUILTIN\Administrators will keep their Windows logins from getting through on the server itself and it's probably the best you can do. It also fits the 80/20 rule. However, if you have a user database for your application, a knowledgeable DBA is still going to be able to get around your effort, just as one running something like MSSQLCrack or MSSQLSquirrel from NGSSoftware is going to be able to crack the SA password.
Without cracking the sa password, here's what they can do unless everything you're doing is going into master. Here's why:
1) Stop MSSQLServer service.
2) Copy database files to a SQL Server I control.
3) Attach database files on the SQL Server I control.
4) Make changes.
5) Detach database files on the SQL Server I control.
6) Copy database files back to MSDE server.
7) Restart MSSQLServer service.
K. Brian Kelley
@kbriankelley
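As an added example (not code posted in this thread), here is the T-SQL for Chris's suggestion on an MSDE 2000 / SQL Server 2000 instance, with a check before and after so you can see which Windows logins hold sysadmin; it assumes the SQL Server 2000-era master.dbo.syslogins catalog, and the 'DOMAIN\SqlSvcAccount' name is a placeholder.

```sql
-- Added example, not from the thread. Assumes the SQL Server 2000 / MSDE 2000
-- catalog view master.dbo.syslogins and the sp_grantlogin / sp_revokelogin procedures.

-- 1. Before: list Windows-authenticated logins and which of them hold sysadmin.
SELECT name, isntgroup, isntuser, sysadmin, denylogin
FROM master.dbo.syslogins
WHERE isntname = 1
ORDER BY name;

-- 2. If the SQL Server or SQL Agent service account only reaches sysadmin through
--    membership in the local Administrators group, give it its own login first so
--    the services keep running after the group is dropped (placeholder account name).
-- EXEC master.dbo.sp_grantlogin 'DOMAIN\SqlSvcAccount';
-- EXEC master.dbo.sp_addsrvrolemember 'DOMAIN\SqlSvcAccount', 'sysadmin';

-- 3. Chris's step: drop the BUILTIN\Administrators login, so a local OS administrator
--    opening Enterprise Manager is no longer let in on Windows authentication.
EXEC master.dbo.sp_revokelogin 'BUILTIN\Administrators';

-- 4. After: nothing Windows-authenticated should hold sysadmin except any service
--    account you deliberately added in step 2.
SELECT name
FROM master.dbo.syslogins
WHERE isntname = 1 AND sysadmin = 1;
```

This only closes the Windows-authentication front door; as Brian's post notes, anyone with administrator rights on the machine can still stop the service and copy the .mdf/.ldf files, so treat it as the 80/20 measure it is.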