May 11, 2012 at 9:06 am
Hello,
we have a domain user named DBAAdmin which starts SQL server, SQL Agent, Analysis services, Fulltext Search and browser and ClusterAdmin which starts cluster services.
Some more users which has access to sql server .
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
ServerName\SQLServer2005MSFTEUser$ServerName$MSSQLSERVER
ServerName\SQLServer2005MSSQLUser$ServerName$MSSQLSERVER
ServerName\SQLServer2005SQLAgentUser$ServerName$MSSQLSERVER
does the mentioned users should have access to connect to SQLserver or shall i remove them.
if access needed what access should i need to configure.
Regards
Durai Nagarajan
May 11, 2012 at 9:59 am
durai nagarajan (5/11/2012)
NT AUTHORITY\NETWORK SERVICENT AUTHORITY\SYSTEM
ServerName\SQLServer2005MSFTEUser$ServerName$MSSQLSERVER
ServerName\SQLServer2005MSSQLUser$ServerName$MSSQLSERVER
ServerName\SQLServer2005SQLAgentUser$ServerName$MSSQLSERVER
does the mentioned users should have access to connect to SQLserver or shall i remove them.
if access needed what access should i need to configure.
i dont have hands on experience on security stuff
but the above mentioned security logins got created when we do the installations so there must be or would be any valid reasons for it but my question is why do you want to remove them , if its for clean up step up the i would definitely say that try it in any test environment , you will get clear picture
-------Bhuvnesh----------
I work only to learn Sql Server...though my company pays me for getting their stuff done;-)
May 11, 2012 at 10:20 am
our top mangement asked me to remove access of IT server team.
they have most of the user's password so they might access the data but i have to restrict the users who are admin in that server.
Regards
Durai Nagarajan
May 11, 2012 at 11:38 am
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
ServerName\SQLServer2005MSFTEUser$ServerName$MSSQLSERVER
ServerName\SQLServer2005MSSQLUser$ServerName$MSSQLSERVER
ServerName\SQLServer2005SQLAgentUser$ServerName$MSSQLSERVER
First two are Windows Server accounts, don't delete them.
The next three are created as part of the SQL Server 2005 install, again, don't delete them.
I'll stand corrected if someone more knowledgeable on SQL Server Security says it is okay to delete them.
May 14, 2012 at 5:49 am
can i remove DBAAdmin which starts SQL server, SQL Agent, Analysis services, Fulltext Search and browser
ClusterAdmin which starts cluster services.
what is the impact i i remove the below mentioned users
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Regards
Durai Nagarajan
May 14, 2012 at 5:55 am
IIRC ClusterAdmin needs only public access to be able to in a fashion do a connection to the master database to check its online to either initiate a fall over or not so you can strip down the rights on this.
If DBAAdmin is used as the service account for the SQL services then removing it will have no affect as these groups
ServerName\SQLServer2005MSFTEUser$ServerName$MSSQLSERVER
ServerName\SQLServer2005MSSQLUser$ServerName$MSSQLSERVER
ServerName\SQLServer2005SQLAgentUser$ServerName$MSSQLSERVER
Also contain the DBAAdmin and are usually all SA level accounts so it make no difference in removing DBAAdmin.
May 14, 2012 at 7:30 am
Hi Anthony.green,
Thanks for your reply.
What about this users listed below, why they require access to SQLserver/databases. what is the impact if i remove the access from SQL server?.
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Regards
Durai Nagarajan
May 14, 2012 at 7:37 am
It all depends what is configured to use them accounts, a profile trace should help you in pinpointing what runs under the two security contexts.
May 14, 2012 at 7:53 am
durai nagarajan (5/14/2012)
Hi Anthony.green,Thanks for your reply.
What about this users listed below, why they require access to SQLserver/databases. what is the impact if i remove the access from SQL server?.
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
What access do these built-in OS users have to SQL Server? Can't really answer your question without some additional information.
May 14, 2012 at 9:29 am
Hello,
NT AUTHORITY\NETWORK SERVICE - Security Admin and DB Creator
NT AUTHORITY\SYSTEM - Sysadmin
my jobs are running trough DBAdmin (running SQLAgent), if remove the access will it affect the jobs
Regards
Durai Nagarajan
May 14, 2012 at 10:21 pm
durai nagarajan (5/14/2012)
my jobs are running trough DBAdmin (running SQLAgent), if remove the access will it affect the jobs
yes but you need to replace it with another appropriate login then
-------Bhuvnesh----------
I work only to learn Sql Server...though my company pays me for getting their stuff done;-)
May 15, 2012 at 12:18 am
hi,
if i give SQL agent role in MSDBwill it suffice the purpose, i dont want the login to have more than running the job.
Regards
Durai Nagarajan
May 15, 2012 at 12:59 am
the agent account will need the rights it needs to perform the job steps across all jobs. so if it executes procedures in a user db it needs to be able to execute them procedures. which is why on installation SQL will automatically give the agent account and the engine account SA rights. AS DBAAdmin runs both SQL and the Agent I wouldnt alter its permissions as you need to remember the are cumulative, so if it has SA in one part and nothing in another part it still has SA.
Viewing 13 posts - 1 through 12 (of 12 total)
You must be logged in to reply to this topic. Login to reply