August 8, 2009 at 5:34 am
Hi All,
AS SECURITY IN CONSIDERATION we are removing sysadmin/db-owner perms to all of the logins on the server.while removing on one of server i found that XYJUMK login is having db_owner fixed role and sysadmin perms .SO WHEN I TRIED TO REMOVE db_owner fixed role and sysadmin perms I GOT ONE ERROR that the actual dbo for that database is XYJUMK logins therefore i changed the db ownership from that login to SA account and removed the db_owner fixed role and sysadmin perms .
question is .....is it correct to change db ownership to SA ACCOUNT.
IF ANY ANONYMOUS USER HAS SA PRIVILEGES THEN ANY ONE CAN ACCESS DATABASE.
I FOUND SYSTEM DB OWNERSHP AS SA ACCOUNT...
QUICK RESPONSE IS HIGHLY APPRECIATED:-)
August 10, 2009 at 8:22 am
To ensure database access is clear:
If a login has CONTROL SERVER rights that login has access to every database. Likewise, if a login is a member of the sysadmin fixed server role, that login has access to every database.
Switch owner to sa:
Yes, you can switch the owner of a database to sa by using the GUI or using ALTER AUTHORIZATION. For instance:
ALTER AUTHORIZATION ON DATABASE::AdventureWorks TO sa
However, whether or not you can is a different matter. Some applications create the database they use and are therefore the database owners, meaning access from the application is not checked inside the database. This is a lazy approach, because it means the application team didn't have to think about permissions within the database, but I've seen it on both 3rd party products as well as home grown applications. So before you make the change, you need to check on how the application is using the database and whether it has the proper permissions if you change the database owner.
K. Brian Kelley
@kbriankelley
Viewing 2 posts - 1 through 1 (of 1 total)
You must be logged in to reply to this topic. Login to reply