February 28, 2002 at 2:19 am
If you plan not to use the SA account, remember to put a password on it.
I don't use the SA account so just to be sure I have placed an sql alert on my servers to see if anyone logs onto (or fails) the server as SA. Hence I get a netsend (+ email) to my terminal if anyone tries to use the SA account. (You need auditing turned on to do this)
Steven
February 28, 2002 at 8:15 am
what alert is that exactly ?
February 28, 2002 at 9:18 am
I add alerts against the following error codes (in sql server agent), then add myself as the operator for the alert.
18454 Login succeeded for user '%ls'. Connection: Non-Trusted. (with the text sa)
18455 Login succeeded for user '%ls'.
18452 Login failed for user '%ls'. Reason: Not associated with a trusted SQL Server connection.
18456 Login failed for user '%ls'.
Steven
March 20, 2002 at 7:55 pm
Some things to consider:
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
K. Brian Kelley
@kbriankelley
March 21, 2002 at 8:48 am
The accounts can be restricted to prevent normal curiousity. However, if we're talking about compromises, it's likely the person who has compromised the system will take the steps required to get the data off the SQL Server. If a local Administrators group account gets compromised, the data is open for the taking.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
K. Brian Kelley
@kbriankelley
March 23, 2002 at 2:40 am
I work with hosting and I always remove BUILTIN\Administrators from the SQL Server. I don't want to allow access to a bunch of NT/2000 technichians who know nothing about SQL. We've had too many troubles with this in the early days when NT/2000 technichians who knew how to write "SELECT *" also thought that they automatically knew everything about administrating SQL Server.
Then I add personal NT logins for each DBA that work or are responsible for an environment and one emergency account that the the 24/7 watch could use in case of an emergency and a DBA can't be reached. You have to open a specified envelope to get the password to the emergency account.
I also remove access to any MSSQL\ directories for local and domain admins. Only the SQL Service accounts, the DBA accounts and the emergency account have access to those directories.
'sa' is not used. We only add a strong password to it.
March 26, 2002 at 2:10 pm
Argyle,
While your method will prevent casual poking around in the database, any Domain Admin could easily get into the MSSQL\ directories, even change the PWD for your emergency account to one they know and use that to access the database.
Naturally, with the above methods you would most likely know that someone was poking around, but you still couldn't prevent it.
If you really want to keep them out (and probably tick them off) remove the Domain Admins group from the Local Administrators group. :o)
JasonL
JasonL
March 26, 2002 at 2:52 pm
Removing the domain admins from the local admins will most likely cause more issues. ou'd be better off implementing some auditing to catch changing of the ownership of folders.
I'd also implement the "you get fired if you mess with my sql server" policy. Most of my executives thoroughly support this.
Steve Jones
March 31, 2002 at 6:17 am
quote:
Argyle,While your method will prevent casual poking around in the database, any Domain Admin could easily get into the MSSQL\ directories, even change the PWD for your emergency account to one they know and use that to access the database.
Naturally, with the above methods you would most likely know that someone was poking around, but you still couldn't prevent it.
If you really want to keep them out (and probably tick them off) remove the Domain Admins group from the Local Administrators group. :o)
JasonL
A domain admin could change the password for the emergency account but all logins with any of the accounts are tracked. We would know if someone were using them. There is really no way to get around this as you say except tracking all logins or not use domain accounts at all.
When it comes to the SQL Server directores domain admins are removed from the access list so I don't see how they could gain access to them except by "taking ownership" of the files which also can be tracked.
/Argyle
Edited by - Argyle on 03/31/2002 06:18:53 AM
March 31, 2002 at 5:20 pm
Taking ownership can be tracked, but so can logins to SQL Server which tells you if someone is going in who normally shouldn't be. There's also nothing stopping a domain admin who wants to be malicious from taking control of a DBA account and using it to access the system.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
K. Brian Kelley
@kbriankelley
April 1, 2002 at 6:45 am
Yup, no real way to prevent domain admins to do something malicious unless you disallow domain accounts completely which might not be a good idea. Hopefully the domain admins can be trusted 😛
If you don't trust them completly (like me ;)), tracking is the way to go.
1.
Track "taking ownership" etc. on the SQL files to see if someone is tampering with the SQL server files without actually loging in to the SQL Server.
2.
Track logins to the SQL Server itself.
/Argyle
Viewing 11 posts - 16 through 25 (of 25 total)
You must be logged in to reply to this topic. Login to reply