Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Spackle: Making sure you can connect to the DAC Expand / Collapse
Author
Message
Posted Wednesday, July 30, 2014 10:48 PM


Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Yesterday @ 4:58 PM
Points: 3,475, Visits: 1,886
Comments posted to this topic are about the item Spackle: Making sure you can connect to the DAC

Kenneth Fisher
I strive to live in a world where a chicken can cross the road without being questioned about its motives.
--------------------------------------------------------------------------------
For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Link to my Blog Post --> www.SQLStudies.com
Post #1598089
Posted Thursday, July 31, 2014 7:01 AM


Mr or Mrs. 500

Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500

Group: General Forum Members
Last Login: 2 days ago @ 10:29 AM
Points: 543, Visits: 599
Would there be any security concerns with allowing remote admin connections? Seems like it would be ok as long as you have your sysadmin logins controlled appropriately.


Personal blog relating fishing to database administration:

https://davegugg.wordpress.com/
Post #1598242
Posted Thursday, July 31, 2014 7:33 AM


Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Yesterday @ 4:58 PM
Points: 3,475, Visits: 1,886
Really the DAC doesn't really add any security implications. Only sysadmins can connect and if you are a sysadmin you have complete control of the instance anyway. The only thing you can do in the DAC that you can't in a regular connection is view the system tables. This can give you a little bit of extra information (the password hash for a contained user for example) but nothing that is all that big a deal if you are a sysadmin already.

That being said, you still want to make sure your sysadmins are under control :)


Kenneth Fisher
I strive to live in a world where a chicken can cross the road without being questioned about its motives.
--------------------------------------------------------------------------------
For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Link to my Blog Post --> www.SQLStudies.com
Post #1598257
Posted Friday, April 24, 2015 8:41 AM


Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Friday, April 24, 2015 9:54 AM
Points: 1, Visits: 9
Actually there are a couple implications to using DAC that a person may want to consider.
When logging in via DAC, any login trigger you might be using to audit or otherwise control access will be bypassed.
If you have auditing turned on and are using the 'Fail operation on audit failure' feature the DAC may be your only way to get in if your attempt to connect is being rejected due to an audit problem.
These are both reasons to turn it on and reasons to leave it off depending on your situation. If a login trigger fails the login will be denied, even to SA, but since the trigger is bypassed on the DAC you can still get in to fix it. The same goes for problems with server level auditing.
You might have other auditing around use of RDP to access your servers and therefore use of DAC can be indirectly monitored with those controls whereas, if remote DAC is allowed, anyone who relies solely on a login trigger will not see the login. Anyone who relies on instance auditing will always see the login unless there is a problem logging the attempt. Via the DAC the attempt will succeed even if it might otherwise fail using a normal connection.
If your server is so pegged that you can't RDP but remote DAC is enabled, since the DAC has a dedicated thread you can always get in if remote DAC is enabled.
Post #1679949
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse