
SQL Server Administrative rights VS DBA SA rights

 
vancouvermesa

External


Since: Jul 25, 2006
Posts: 1



(Msg. 1) Posted: Tue Jul 25, 2006 5:30 am
Post subject: SQL Server Administrative rights VS DBA SA rights
Archived from groups: microsoft>public>sqlserver>setup, others (more info?)

Hi,
In previous versions of SQL it has been possible for us, the OS
Administrators, to remove administrative rights of the operating system
from the SQL DBAs.
Recently, we have installed a new SQL 2005 server.
The DBA is demanding administrative rights over the OS as well as the
Database.

This would give the DBA rights over applications that have nothing to
do with the SQL 2005 databases; what's more, it does not follow the
philosophy of providing the least amount of privileges required to do
your job.

(As a side note, we do make it a point to remove the privileges of
local machine administrators and domain admins from having SA authority
over SQL systems as well.)

DBAs not being administrators over the OS worked just fine in SQL
2000.

We have removed the local machine admin privileges from the DBA/SA;
however, the DBA has attempted to deploy an SSIS package and he no
longer can do so.

I have done searches and have yet to find an article or how-to on what
privileges a SA/DBA needs to remotely administrate SQL 2005
successfully. There are some higher level pieces of information, but
no "how-to" articles or guides.

If it is now required that DBAs have local machine system
administration rights, it would seem like it would be a step backwards
in terms of security.

Can someone provide information on how to set this up so that we have a
good separation of the OS administrative rights and the DBA/SA
administrative rights, it would be appreciated!
Thanks!

alanser




Joined: Mar 23, 2007
Posts: 1



(Msg. 2) Posted: Fri Mar 23, 2007 5:57 am
Post subject:

As far as I know, it is hard to separate the OS administrative rights and the DBA/SA administrative rights, but you can try to limit the privilege level of the SQL Server services.

SQL Server 2000 and SQL Server Agent run as Windows services. Each service must be associated with a Windows account, from which it derives its security context. I think this can make SQL Server more secure.

SQL Server allows users of the sa login, and in some cases other users, to access operating system features. These operating system calls are made with the security context of the account that owns the server process. If the server is cracked, these operating system calls may be used to extend the attack to any other resource to which the owning process (the SQL Server service account) has access. For this reason, it is important to grant only necessary privileges to SQL Server services.

Good luck.

mikegood




Joined: Apr 17, 2007
Posts: 1



(Msg. 3) Posted: Tue Apr 17, 2007 5:34 pm
Post subject: Re: SQL Server Administrative rights VS DBA SA rights

I'm a DBA who's recently had to begin administering SQL 2005 boxes where I'm not the local admin (at least not for now). Things I can no longer do:
- monitor performance with perfmon
- export system event logs (for subsequent analysis with LogParser)
- remotely admin services with SC command
- manage local SQL Server aliases with SQL Server Configuration Mgr
- use SQL Server Configuration Mgr at all for that matter (e.g. to add -T1204 startup traceflag)
- view "all processes" when monitoring CPU in taskmgr
- use cluster mgmt tools

I'm willing to be non-admin if I could have these capabilities, but my system admins say they can't achieve that fine a level of control. I miss being able to do these things, and have not quit campaigning to get these capabilities back.

My vote would be to set up DBAs as either
- non-administrator with above extra capabilities; or
- local administrator and then figure out a way to restrict DBA from doing whatever it is you don't want her to do
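Added example, not part of any post in this thread: one way a Windows administrator could delegate three of the capabilities listed in Msg. 3 (perfmon, event log export, control of the SQL services) to a DBA group that is not a local administrator. The group name `CONTOSO\SQL-DBAs` is hypothetical, the service names assume a default instance, and the `Event Log Readers` group assumes Windows Server 2008 or later.

```powershell
#Requires -RunAsAdministrator
# Added example: delegate monitoring and service control to a non-admin DBA group.
$DbaGroup = 'CONTOSO\SQL-DBAs'                 # hypothetical group name
$Services = 'MSSQLSERVER', 'SQLSERVERAGENT'    # default-instance service names (assumption)

# 1. Read-only monitoring through built-in local groups:
#    Performance Monitor Users -> read performance counters (perfmon)
#    Event Log Readers         -> read and export event logs
foreach ($group in 'Performance Monitor Users', 'Event Log Readers') {
    $present = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object Name -eq $DbaGroup
    if (-not $present) {
        Add-LocalGroupMember -Group $group -Member $DbaGroup
    }
}

# 2. Service control: add one allow ACE to each SQL service's DACL.
#    Rights granted: CC query config, LC query status, SW enumerate dependents,
#    RP start, WP stop, DT pause/continue, LO interrogate, RC read control.
#    Deliberately omitted: DC (change config), WD (write DAC), WO (write owner),
#    SD (delete). Anyone who can reconfigure a service can run code as its account.
$sid = ([System.Security.Principal.NTAccount]$DbaGroup).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$ace = "(A;;CCLCSWRPWPDTLORC;;;$sid)"

foreach ($svc in $Services) {
    # sc.exe prints a blank line followed by the SDDL string
    $sddl = (& sc.exe sdshow $svc | Where-Object { $_ }) -join ''
    if ($sddl -notmatch '^D:') {
        Write-Warning "Skipping ${svc}: unexpected output '$sddl'"
        continue
    }
    if ($sddl.Contains($sid)) { continue }     # ACE for this group already present

    # Append the ACE at the end of the DACL, before the SACL ("S:") if there is one
    $sacl = $sddl.IndexOf('S:')
    $new  = if ($sacl -ge 0) { $sddl.Insert($sacl, $ace) } else { $sddl + $ace }

    & sc.exe sdset $svc $new | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "sdset failed for $svc" }
}
# Remote use of sc.exe also depends on access to the Service Control Manager
# itself, which this example does not change.
```

The other items in the list (SQL Server Configuration Manager, viewing all processes in Task Manager, cluster management tools) are not covered by this example.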