Server Security

  • Hi Experts,

    We have an admin user (sysadmin); it's given by the network team by adding to a particular group.

    How can we restrict that particular user from SQL Server?

    TIA

  • I don't understand your question. You currently have a user that has sysadmin rights to your SQL server and you want to restrict their access? How far do you want to restrict them? They are a member of a group, but you don't want to restrict the entire group, correct?

    Please give some more details on your issue.



    Microsoft Certified Master - SQL Server 2008
    Follow me on twitter: @keith_tate

    Forum Etiquette: How to post data/code on a forum to get the best help

  • Thanks Keith,

    You are right, I want to restrict one particular domain user. Need to make that user less privileged.

  • So we have the following: restrict a single user that has sysadmin rights through a group membership. What are the restrictions you want? No access?


  • If they are a member of the sysadmin server role you can't. My understanding was that effectively that role bypasses all security checks, so even a deny would be ignored (since it wouldn't even be checked).

    CEWII

  • Elliott Whitlow (12/9/2013)


    If they are a member of the sysadmin server role you can't. My understanding was that effectively that role bypasses all security checks, so even a deny would be ignored (since it wouldn't even be checked).

    Elliott is correct, but let's see what you want restricted and see if there is a way to at least monitor it so that you know what that single user is doing.

    If everyone in that group shouldn't have access to your server then maybe you need to create a second group and only add the members that do need access. Is that a possibility?


  • Thanks everyone,

    Even I felt the same as what Elliott said, but I seriously want to restrict that user to make sure he won't delete a DB.

    How can I at least monitor that particular user?

  • You could add a server-wide DDL trigger that watches for DROP DATABASE, and issue a rollback command.

    That would not prevent a sysadmin from disabling said trigger, nor from restoring the "wrong" database over the top of an existing one.

    The right thing to do is to build a new role for the domain user, remove sysadmin, and add back the more limited permissions.

    Lowell


    --Help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. With your description of the problem, we can provide a tested, verifiable solution to your question! Asking the question the right way gets you a tested answer the fastest way possible!
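
A sketch of the server-wide DDL trigger described in the post above, as an added example that is not code from any poster in this thread. The table, trigger and login names are hypothetical, and, as the post notes, a sysadmin can still disable the trigger, so the last query checks its state.

```sql
-- Added example. Hypothetical names: dbo.ddl_drop_log, trg_guard_drop_database,
-- and the login CONTOSO\jdoe (replace with the domain user to be watched).
USE master;
GO
CREATE TABLE dbo.ddl_drop_log (
    event_time    datetime2(0)  NOT NULL DEFAULT SYSUTCDATETIME(),
    login_name    nvarchar(128) NOT NULL,
    database_name nvarchar(128) NULL,
    tsql_command  nvarchar(max) NULL,
    was_blocked   bit           NOT NULL
);
GO
CREATE TRIGGER trg_guard_drop_database
ON ALL SERVER
FOR DROP_DATABASE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();
    DECLARE @db  nvarchar(128) = @e.value('(/EVENT_INSTANCE/DatabaseName)[1]', 'nvarchar(128)');
    DECLARE @cmd nvarchar(max) = @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');
    -- ORIGINAL_LOGIN() ignores EXECUTE AS, so impersonation does not hide the caller.
    DECLARE @login nvarchar(128) = ORIGINAL_LOGIN();
    DECLARE @blocked bit = CASE WHEN @login = N'CONTOSO\jdoe' THEN 1 ELSE 0 END;

    -- Undo the DROP first; statements after ROLLBACK still run and are kept.
    IF @blocked = 1
        ROLLBACK;

    -- Log every DROP DATABASE attempt. Callers that are not sysadmin need INSERT
    -- permission on this table, otherwise the trigger fails and the drop is undone.
    INSERT INTO master.dbo.ddl_drop_log (login_name, database_name, tsql_command, was_blocked)
    VALUES (@login, @db, @cmd, @blocked);

    IF @blocked = 1
        RAISERROR(N'DROP DATABASE is blocked for this login; the attempt was logged.', 16, 1);
END;
GO
-- Review attempts, newest first.
SELECT event_time, login_name, database_name, was_blocked, tsql_command
FROM master.dbo.ddl_drop_log
ORDER BY event_time DESC;

-- Confirm the trigger has not been disabled or altered since deployment.
SELECT name, is_disabled, modify_date
FROM sys.server_triggers
WHERE name = N'trg_guard_drop_database';
```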

  • If you have access to the Summit recordings, Bob Pusateri did a whole session on how to keep track of your sysadmin level accounts: http://www.sqlpass.org/SessionResources/SessionDetails.aspx?sid=4386

    The best option is to create a new group if you can and only add those users that need access.
