Looking for help due to SOX - Removal of local admin from DBAs
Posted Tuesday, December 20, 2005 12:46 PM
Grasshopper

Group: General Forum Members
Last Login: Wednesday, March 23, 2011 12:32 PM
Points: 13, Visits: 45

Thanks to SOX regulations there is a movement to remove the DBAs from the local Administrators group on all the servers.  Is there a paper or anything to get me started that lists out what permissions a DBA would need, such as registry keys, file access and anything else in general?

Post #245670
Posted Wednesday, December 21, 2005 5:37 AM
SSC Veteran

Group: General Forum Members
Last Login: Friday, April 18, 2014 8:01 AM
Points: 258, Visits: 701
This just seems like a bad idea and the thing about SOX -- it's very open to interpretation. I've been through a SOX audit and did not lose my local admin permissions. The auditors did try to get us to implement data changes and select audit on all data (of course they are a reseller of such software), but we were able to show this request was not necessary. I would argue against it and try to get your senior management to back you on it. The service account basically requires local admin access (there are several KB articles that document this, especially in a cluster). Also there is a big difference in running SQL on a Windows server and running Oracle or Informix on a UNIX server. My team supports both and guess what -- we don't need root access on UNIX. The DBMS is somewhat OS agnostic and one of our UNIX servers reached an uptime of 360 days. As for SQL, it is very tied to Windows and guess what -- sometimes you need to reboot or recycle the services and this requires admin access.


Post #245802
Posted Wednesday, December 21, 2005 10:20 AM
Grasshopper

Group: General Forum Members
Last Login: Wednesday, March 23, 2011 12:32 PM
Points: 13, Visits: 45
Thanks for the reply.  We are trying to fight it, and our plan is to come up with such an absurd list of permissions needed (registry keys, folders, etc.) that it would be crazy to take local admin away and try to manage those permissions for every DBA.
Post #245920
Posted Wednesday, December 21, 2005 11:18 AM
Keeper of the Duck

Group: Moderators
Last Login: Today @ 8:57 AM
Points: 6,634, Visits: 1,872
DBAs don't need local administrative access to the servers if the responsibilities for said DBAs are solely within SQL Server. Notice I said solely, as in nothing outside of SQL Server. And that's a key point: what are the expected responsibilities? In my organization there are a lot of things outside of SQL Server our DBAs are responsible for, meaning the removal of such rights would render our DBAs incapable of doing the job they've been assigned to do.

If you give us an idea of what all your DBAs are expected to do, we can probably give you a better idea of what rights are needed.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Post #245934
Posted Thursday, March 2, 2006 12:50 PM
SSC Rookie

Group: General Forum Members
Last Login: Tuesday, September 7, 2010 2:39 PM
Points: 30, Visits: 44

I recently worked as a DBA under an (extremely painful) SOX environment.  Not only did I not have admin rights to the box, but I was also not SA on the SQL Server.  I was doled out rights by the Network Admins, so I had DBO for each individual db and could gain access for things like backups.

The most painful part was that you had to use Remote Desktop to connect to a "bastion host" from which you could PC Anywhere to the SQL Servers (moving backups from prod to refresh dev took an afternoon per DB), but that's neither here nor there.

The theory behind this was that the DBA role should be separate from the Network Admin role entirely.  Therefore the DBA could not affect security audits on the boxes and the Network Admins couldn't fudge data.  I could never figure out how this Consultant-Approved system kept the Network Admins out of my financial data, but it certainly kept me from being able to hide my tracks from having logged in...  The main issue is who has the responsibility for maintaining the SQL Server application itself?  In this environment it was the Net Admins.

My takeaway from this experience, however, was that it is possible to do many DBA functions without access to the box, let alone admin access.  The rest of the functions, however, took a committee to accomplish. 
Post #262883
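As an added illustration of the per-database model described in the post above (example T-SQL written here, not code from any poster): a DBA login is created with no server role, given database-level roles that are enough for backups and schema work, and the instance is then checked for who still holds sysadmin. The account `CORP\dba_user` and the database `FinanceDB` are placeholders.

```sql
-- Added example, not from the thread. Assumes a Windows account CORP\dba_user
-- (placeholder) and a database FinanceDB (placeholder). Uses SQL Server 2005-era
-- syntax (sp_addrolemember) rather than the later ALTER ROLE ... ADD MEMBER.
USE master;
GO
-- 1. A server login with no server-level role: the DBA is deliberately NOT sysadmin.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\dba_user')
    CREATE LOGIN [CORP\dba_user] FROM WINDOWS;
GO
-- 2. Per-database rights: db_backupoperator covers BACKUP DATABASE / BACKUP LOG,
--    db_ddladmin and db_datareader cover routine schema and read work, all without
--    handing out db_owner or any server-wide privilege.
USE FinanceDB;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\dba_user')
    CREATE USER [CORP\dba_user] FOR LOGIN [CORP\dba_user];
EXEC sp_addrolemember N'db_backupoperator', N'CORP\dba_user';
EXEC sp_addrolemember N'db_ddladmin',       N'CORP\dba_user';
EXEC sp_addrolemember N'db_datareader',     N'CORP\dba_user';
GO
-- 3. Audit: list every sysadmin member. On SQL Server 2005 the local
--    BUILTIN\Administrators group is in sysadmin by default, so removing DBAs
--    from local admin changes nothing unless that group is also removed here.
USE master;
GO
SELECT m.name AS member_name, m.type_desc, r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
-- 4. Confirm the DBA login itself sits outside sysadmin (expect 0).
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'CORP\dba_user') AS dba_is_sysadmin;
```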
Posted Thursday, March 2, 2006 1:04 PM
SSC Rookie

Group: General Forum Members
Last Login: Tuesday, September 7, 2010 2:39 PM
Points: 30, Visits: 44
I just realized there is another thread in this group where this is discussed in more detail.


Post #262890
Posted Wednesday, July 16, 2008 9:44 AM
SSC Journeyman

Group: General Forum Members
Last Login: Thursday, May 24, 2012 2:06 PM
Points: 97, Visits: 356
What was that thread? We're being asked the same thing right now. So if someone else has already gone through this, I'd appreciate the knowledge share.

Thanks
Post #535350