Removing the Builtin Administrators - Some Pitfalls to Avoid

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » Article Discussions » Article Discussions by Author » Discuss Content Posted by Kathi Kellenberger » Removing the Builtin Administrators - Some...

29 posts, Page 3 of 3

«««1 2 3

Removing the Builtin Administrators - Some Pitfalls to Avoid

Rate Topic

Display Mode

Topic Options

Author

Message

K. Brian Kelley

Posted Monday, June 02, 2008 2:46 PM

Keeper of the Duck

Group: Moderators
Last Login: Yesterday @ 1:55 PM
Points: 6,584, Visits: 1,789

John Dennis (6/2/2008)

As ALZDBA points out--It is better to create a windows account for the service to run under than NT Authority\SYSTEM. Granting permission to NT Authority\SYSTEM gives "any" service or application, running under that context, the same rights to the SQL Server and there is even less tracability than BUILTIN\Administrators.

Depending on the 3rd party backup software, though, that may not be a supported configuration. We've hit that wall ourselves. The local SYSTEM does have some implicit rights that even the local Administrators group on the server doesn't.

K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog |

LinkedIn | Twitter

Post #510294

CGSJohnson

Posted Monday, June 02, 2008 3:28 PM

Ten Centuries

Group: General Forum Members
Last Login: Monday, May 20, 2013 1:31 AM
Points: 1,385, Visits: 1,085

With that said, and us only getting an error message for the VSS service, not being able to log-in with the NT AUthority\SYSTEM, I guess it would be best to just have the VSS service log-in with some Windows account. Thanks all.

Chris

Post #510320

K. Brian Kelley

Posted Tuesday, June 03, 2008 7:08 AM

Keeper of the Duck

Group: Moderators
Last Login: Yesterday @ 1:55 PM
Points: 6,584, Visits: 1,789

If it's Volume Shadow Copy, I'm not sure what supported configuration there is with respect to service accounts. I know in the past you couldn't run Full Text with anything other than the System account. Thankfully, that was changed in SQL Server 2005. You may want to verify that, first.

K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog |

LinkedIn | Twitter

Post #510624

ZeeAtl

Posted Monday, February 22, 2010 9:40 AM

Valued Member

Group: General Forum Members
Last Login: Saturday, June 23, 2012 9:48 AM
Points: 59, Visits: 259

Kathi,

A question I have is this about removing BUILTIN\Administrators from Security->Logins on SQL Server [2005] instance.

If I remove this account from Logins, but the domain users remain as Local\Administrator on the box where SS instance is, are the users able to login the instance and remain a sysadmin? I would assume unless you add their domain users account directly to Logins, then NO, but just wanted to check.

Thanks,

Zee - Atlanta
Accidental DBA

Post #870502

John M Dennis

Posted Monday, February 22, 2010 10:27 AM

SSC Rookie

Group: General Forum Members
Last Login: Monday, May 20, 2013 9:49 AM
Points: 43, Visits: 266

ZeeAtl (2/22/2010)

Zee,
Only the logins enumerated in the sysadmin server role will have sysadmin access so if Local\Administrator is not listed then you are good to go.

EXEC sp_helpsrvrolemember 'sysadmin'

I do have to ask (or rather you should ask yourself) why would "Domain users" need any administrator rights? Especially local.

John D

Post #870547

ALZDBA

Posted Monday, February 22, 2010 11:33 AM

SSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 2:17 AM
Points: 6,862, Visits: 8,049

ZeeAtl (2/22/2010)

No, you'll first have to add them to your sqlinstances sysadmin role.

Your assumption is correct.

Johan

     Jul 13

Don't drive faster than your guardian angel can fly ...
but keeping both feet on the ground won't get you anywhere w00t

- How to post Performance Problems
- How to post data/code to get the best help

- How to prevent a sore throat after hours of presenting ppt ?

"press F1 for solution", "press shift+F1 for urgent solution" BigGrin

Need a bit of Powershell? How about this

Who am I ? Sometimes this is me but most of the time this is me Hehe

Post #870586

ZeeAtl

Posted Monday, February 22, 2010 12:29 PM

Valued Member

Group: General Forum Members
Last Login: Saturday, June 23, 2012 9:48 AM
Points: 59, Visits: 259

Kathi,

While we are on the topic of SQL Server instance Logins, I have another question.

My SSIS service Logins for two separate SQL Server instances are set to:
NT AUTHORITY\Network Service

Can I change this service Login to a plain domain user account as well? Any special Group Policy properties required for SSIS execution (that are automatically set for Network Service built-in account)?

I'd like to change this as well to get that out of the Logins for the server.

Thanks,

Zee

Post #870635

marrowyung-701823

Posted Thursday, April 15, 2010 4:36 AM

Forum Newbie

Group: General Forum Members
Last Login: Thursday, March 21, 2013 3:56 AM
Points: 4, Visits: 65

from SQL 2005, I found that the most safe method is to create one more account with sysadmin righ t and then deny the access of builtin\Administrator account to SQL server 2005. Don't know why SQL do'nt allow to remove it directly but has to grant deny first.

Then login using the new login and delete it.

DBA100

Post #903895

ZeeAtl

Posted Wednesday, April 21, 2010 8:35 AM

Valued Member

Group: General Forum Members
Last Login: Saturday, June 23, 2012 9:48 AM
Points: 59, Visits: 259

Kathi,

What is the deny step for BuiltIn\Administrators (T-SQL), or SSMS? Can you give me
specific example of what you've done?

Thanks,

Zee,
Atlanta

Post #907770

« Prev Topic | Next Topic »

29 posts, Page 3 of 3

«««1 2 3

Permissions