March 17, 2009 at 1:53 am
How do I set up a database / table inside a database so that the system admin (networks and server) does not have access to the database running on the server?
March 17, 2009 at 4:43 am
First question: Why?
- don't trust the network people ... that is not an argument
- they don't have a clue about sqlserver and the consequences of the sqlserver related actions ... THAT IS A VALID ARGUMENT
Be careful when you do this!
Have sqlserver running using a service account (windows user (domain or local))
Be sure to first add your DBA windows account or group and grant it sysadmin on the sqlserver instance
drop "builtin\administrators" from your sqlserver logins.
Don't just do this, but inform people why you are doing this and get support from your superiors!
(we did implement this in our sqlserver policy for our plant).
This way our "regular" windows admins have no access to the sqlserver INSTANCE !
(unless they are explicitly being granted )
Also keep in mind, you are just closing doors; if they want to, they may still add themselves to your dba windows group and get full access this way.
If builtin\administrators cannot be removed, there is no way of doing this because DENY will not work for sysadmins !!
Johan
Learn to play, play to learn !
Don't drive faster than your guardian angel can fly ...
but keeping both feet on the ground won't get you anywhere :w00t:
press F1 for solution, press shift+F1 for urgent solution 😀
March 23, 2009 at 1:52 pm
Another argument I like to use for not giving Server operations/Network operations access to SQL Server is it makes it hard to manage the server. When there are databases, jobs, and accounts being added without the DBA's knowledge you never knew. And later, maybe a month or two later, they say aaa something went wrong we need recovery for database XYZ ...
You give them a funny look and say you have no idea what that database is ... I don't like giving people funny looks. Because I should know what is going on and when; but sometimes it is not possible.
So another option you have is implementing simple auditing processes, like saving your Default Trace logs. So you can see who is creating what and where; this will help you better understand what is going on on the server that you didn't know about.
Thanks.
Mohit K. Gupta, MCITP: Database Administrator (2005), My Blog, Twitter: @SQLCAN.
Microsoft FTE - SQL Server PFE
* Sometimes it's the search that counts, not the finding...
* I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing. :smooooth:
March 25, 2009 at 12:56 pm
Don't drop BUILTIN\Administrators on a clustered instance without explicitly adding the cluster service account first.
March 25, 2009 at 1:33 pm
Don't drop the BUILTIN\Administrators group at all - just remove sysadmin access. Yes, this still allows public access to the instance, but does not allow access to the databases unless explicitly set.
Jeffrey Williams
“We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”
― Charles R. Swindoll
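
Added example, not part of any post in this thread: the steps discussed above as one T-SQL script for SQL Server 2005/2008, with a guard so the existing admin path is only removed once the DBA group really holds sysadmin. `CONTOSO\SQL-DBA` and `CONTOSO\svc-cluster` are placeholder names; substitute your own.

```sql
-- Added example. CONTOSO\SQL-DBA and CONTOSO\svc-cluster are placeholders.
USE master;
GO

-- 1. Create the login for the DBA Windows group if needed, then grant sysadmin.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SQL-DBA')
    CREATE LOGIN [CONTOSO\SQL-DBA] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-DBA',
                         @rolename = N'sysadmin';
GO

-- 2. Clustered instance only: add the cluster service account explicitly
--    before touching BUILTIN\Administrators (uncomment and adjust).
-- IF NOT EXISTS (SELECT 1 FROM sys.server_principals
--                WHERE name = N'CONTOSO\svc-cluster')
--     CREATE LOGIN [CONTOSO\svc-cluster] FROM WINDOWS;

-- 3. Review every current member of sysadmin before changing anything.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
GO

-- 4. Only proceed if the DBA group is an enabled sysadmin member.
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin'
             AND m.name = N'CONTOSO\SQL-DBA'
             AND m.is_disabled = 0)
BEGIN
    -- Variant from the last reply: keep the login, remove only sysadmin.
    EXEC sp_dropsrvrolemember @loginame = N'BUILTIN\Administrators',
                              @rolename = N'sysadmin';
    -- Variant from the first reply: remove the login entirely instead.
    -- DROP LOGIN [BUILTIN\Administrators];
END
ELSE
    RAISERROR(N'DBA group is not sysadmin; BUILTIN\Administrators left unchanged.', 16, 1);
GO
```

Run it from a session that is authenticated through the DBA group or another explicit sysadmin login, so the connection does not depend on the membership being removed in step 4.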