SQL Server Administrative rights VS DBA SA rights

 
vancouvermesa

External


Since: Jul 25, 2006
Posts: 1



(Msg. 1) Posted: Tue Jul 25, 2006 5:30 am
Post subject: SQL Server Administrative rights VS DBA SA rights
Archived from groups: microsoft>public>sqlserver>setup, others

Hi,
In previous versions of SQL it has been possible for us, the OS
Administrators, to remove administrative rights of the operating system
from the SQL DBAs.
Recently, we have installed a new SQL 2005 server.
The DBA is demanding administrative rights over the OS as well as the
Database.

This would give the DBA rights over applications that have nothing to
do with the SQL 2005 databases; what's more, it does not follow the
philosophy of providing the least amount of privileges required to do
your job.

(As a side note, we do make it a point to remove the privileges of
local machine administrators and domain admins from having SA authority
over SQL systems as well.)

DBAs not being administrators over the OS worked just fine in SQL
2000.

We have removed the local machine admin privileges from the DBA/SA;
however, the DBA has attempted to deploy an SSIS package and he no
longer can do so.

I have done searches and have yet to find an article or how-to on what
privileges a SA/DBA needs to remotely administrate SQL 2005
successfully. There are some higher level pieces of information, but
no "how-to" articles or guides.

If it is now required that DBAs have local machine system
administration rights, it would seem like it would be a step backwards
in terms of security.

If someone can provide information on how to set this up so that we have a
good separation of the OS administrative rights and the DBA/SA
administrative rights, it would be appreciated!
Thanks!

alanser




Joined: Mar 23, 2007
Posts: 1



(Msg. 2) Posted: Fri Mar 23, 2007 5:57 am
Post subject:

As far as I know, it is hard to separate the OS administrative rights from the DBA/SA administrative rights, but you can try to limit the privilege level of the SQL Server services.

SQL Server 2000 and SQL Server Agent run as Windows services. Each service must be associated with a Windows account, from which it derives its security context. I think this can make SQL Server more secure.

SQL Server allows users of the sa login, and in some cases other users, to access operating system features. These operating system calls are made with the security context of the account that owns the server process. If the server is cracked, these operating system calls may be used to extend the attack to any other resource to which the owning process (the SQL Server service account) has access. For this reason, it is important to grant only necessary privileges to SQL Server services.

Good luck.

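The reply above ties the reach of OS calls made from inside SQL Server to the account the service runs as. The following PowerShell is an added example, not part of the thread, that flags SQL Server services running as LocalSystem or as a local administrator; the function name, the CONTOSO accounts and the sample data are constructed for illustration.

```powershell
# Added example (not from the thread): flag SQL Server services whose service
# account gives OS calls made from inside SQL Server more reach than necessary.
# Nested group membership is not expanded; only direct Administrators members count.
function Get-SqlServiceAccountRisk {
    param(
        [Parameter(Mandatory)] [object[]] $Services,    # objects with Name and StartName
        [Parameter(Mandatory)] [string[]] $LocalAdmins  # direct members of local Administrators
    )
    foreach ($svc in $Services) {
        # Default instance: MSSQLSERVER / SQLSERVERAGENT. Named: MSSQL$<name> / SQLAgent$<name>.
        if ($svc.Name -notmatch '^(MSSQLSERVER|SQLSERVERAGENT|MSSQL\$.+|SQLAgent\$.+)$') { continue }

        $risk = if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
            'HIGH: runs as LocalSystem'
        } elseif ($LocalAdmins -contains $svc.StartName) {
            'HIGH: service account is a local administrator'
        } else {
            'OK: neither LocalSystem nor a direct local administrator'
        }
        [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName; Risk = $risk }
    }
}

# Constructed sample data (hypothetical accounts) so the block runs offline.
$sampleServices = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';    StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT'; StartName = 'CONTOSO\svc-sqlagent' }
    [pscustomobject]@{ Name = 'MSSQL$REPORTS';  StartName = 'CONTOSO\svc-sql' }
    [pscustomobject]@{ Name = 'Spooler';        StartName = 'LocalSystem' }   # not SQL, skipped
)
$sampleAdmins = @('SQL01\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\svc-sqlagent')

Get-SqlServiceAccountRisk -Services $sampleServices -LocalAdmins $sampleAdmins |
    Format-Table -AutoSize

# On a live server, feed it real data instead:
#   $svcs   = Get-CimInstance Win32_Service | Select-Object Name, StartName
#   $admins = (Get-LocalGroupMember -Group 'Administrators').Name
#   Get-SqlServiceAccountRisk -Services $svcs -LocalAdmins $admins
```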
mikegood




Joined: Apr 17, 2007
Posts: 1



(Msg. 3) Posted: Tue Apr 17, 2007 5:34 pm
Post subject: Re: SQL Server Administrative rights VS DBA SA rights

I'm a DBA who's recently had to begin administering SQL 2005 boxes where I'm not the local admin (at least not for now). Things I can no longer do:
- monitor performance with perfmon
- export system event logs (for subsequent analysis with LogParser)
- remotely admin services with SC command
- manage local SQL Server aliases with SQL Server Configuration Mgr
- use SQL Server Configuration Mgr at all for that matter (e.g. to add -T1204 startup traceflag)
- view "all processes" when monitoring CPU in taskmgr
- use cluster mgmt tools

I'm willing to be non-admin if I could have these capabilities, but my system admins say they can't achieve that fine a level of control. I miss being able to do these things, and have not quit campaigning to get these capabilities back.

My vote would be to set up DBAs as either
- non-administrator with above extra capabilities; or
- local administrator and then figure out a way to restrict DBA from doing whatever it is you don't want her to do
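For the "remotely admin services with SC command" item in the list above: the right to start or stop a service is held in that service's own security descriptor, which `sc.exe sdshow` prints as SDDL. The following PowerShell is an added example, not part of the thread, that reports what one non-admin SID is allowed on a service and flags rights that amount to administrator access; the function name, SID and SDDL string are constructed for illustration.

```powershell
# Added example (not from the thread): read a service's SDDL and report what one
# non-admin SID may do to it. Only direct allow ACEs for that SID are counted;
# deny ACEs and group membership are not evaluated.
$ServiceRights = [ordered]@{
    QueryStatus  = 0x00004   # SERVICE_QUERY_STATUS
    Start        = 0x00010   # SERVICE_START
    Stop         = 0x00020   # SERVICE_STOP
    ChangeConfig = 0x00002   # SERVICE_CHANGE_CONFIG (can repoint the service binary)
    WriteDac     = 0x40000   # WRITE_DAC
    WriteOwner   = 0x80000   # WRITE_OWNER
}
$AdminEquivalent = 'ChangeConfig', 'WriteDac', 'WriteOwner'

function Get-ServiceDelegation {
    param(
        [Parameter(Mandatory)] [string] $Sddl,
        [Parameter(Mandatory)] [string] $Sid
    )
    $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $mask = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $Sid) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    $granted  = @($ServiceRights.Keys | Where-Object { $mask -band $ServiceRights[$_] })
    $tooBroad = @($granted | Where-Object { $AdminEquivalent -contains $_ })
    if ($tooBroad.Count -gt 0) {
        $verdict = "Too broad, admin-equivalent rights granted: $($tooBroad -join ', ')"
    } elseif ($granted -contains 'Start' -and $granted -contains 'Stop') {
        $verdict = 'Start/stop delegated without admin-equivalent rights'
    } else {
        $verdict = 'No start/stop delegation for this SID'
    }
    [pscustomobject]@{ Sid = $Sid; Granted = ($granted -join ', '); Verdict = $verdict }
}

# Constructed sample: SYSTEM and Administrators keep their usual access, and a
# hypothetical DBA group SID is allowed query status, start and stop only.
$dbaSid     = 'S-1-5-21-1111111111-2222222222-3333333333-1601'
$sampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
              '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              "(A;;LCRPWP;;;$dbaSid)"
Get-ServiceDelegation -Sddl $sampleSddl -Sid $dbaSid | Format-List

# On a live server, take the SDDL from the service itself:
#   $sddl = ((sc.exe sdshow MSSQLSERVER) -join '').Trim()
```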