Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase ««12345»»»

How to Connect to a SQL 2005 Server When You Are Completely Locked Out Expand / Collapse
Author
Message
Posted Tuesday, November 3, 2009 8:27 AM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Thursday, September 18, 2014 8:25 AM
Points: 312, Visits: 1,108
Thank you John.

I wrote this article in case you have "no other way" to connect to the SQL server.

Rudy



Post #812966
Posted Tuesday, November 3, 2009 8:30 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Tuesday, June 17, 2014 10:10 AM
Points: 8, Visits: 53
einman33 (11/3/2009)
From the article:

The builtin\administrators account has been removed for security reasons

??



This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.
Post #812970
Posted Tuesday, November 3, 2009 8:31 AM
SSC Journeyman

SSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC Journeyman

Group: General Forum Members
Last Login: Wednesday, December 22, 2010 10:46 AM
Points: 88, Visits: 181
einman33 (11/3/2009)
From the article:

The builtin\administrators account has been removed for security reasons

??



What is your question?
Post #812972
Posted Tuesday, November 3, 2009 8:32 AM
SSC Journeyman

SSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC JourneymanSSC Journeyman

Group: General Forum Members
Last Login: Wednesday, December 22, 2010 10:46 AM
Points: 88, Visits: 181


This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.


I know, right. Very uncomfortable feeling knowing that the network team could still get in if they really wanted to.
Post #812973
Posted Tuesday, November 3, 2009 8:35 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Tuesday, June 17, 2014 10:10 AM
Points: 8, Visits: 53
john.vanda (11/3/2009)


This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.


I know, right. Very uncomfortable feeling knowing that the network team could still get in if they really wanted to.


Well, at least I learned something today that I never knew.
Post #812976
Posted Tuesday, November 3, 2009 8:37 AM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Thursday, September 18, 2014 8:25 AM
Points: 312, Visits: 1,108
True, but the servers would have to be restarted in single user mode. Hopefully your monitoring systems would alert you that the server has been restarted. You should then review all logs server logs and sql server logs and question your staff as to who and why this server was started in single user mode. I would be getting the security department involved too.

Rudy



Post #812978
Posted Tuesday, November 3, 2009 8:39 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Tuesday, July 29, 2014 9:08 AM
Points: 13, Visits: 285
this way is not exact, because when you type sqlcmd -E you will obtain à time out for sql connexion because your account dont existe in sys.logins.
In the case when you have a login , it is not necessary to stop sql service you can access anr execute query like (create bultin\administrators from windows).
The group bultin\administrators allows to system administratot to connect in sysadmin, the best practise is to change the role for this group to "public".
When you install sql server, sql server add news groups like sysadmin login, you can add yout account in this group in order to connect you on sql server.

I repeat, this article is not applied in sql server
Post #812979
Posted Tuesday, November 3, 2009 8:41 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Tuesday, July 29, 2014 9:08 AM
Points: 13, Visits: 285
this way is not exact, because when you type sqlcmd -E you will obtain à time out for sql connexion because your account dont existe in sys.logins.
In the case when you have a login , it is not necessary to stop sql service you can access anr execute query like (create bultin\administrators from windows).
The group bultin\administrators allows to system administratot to connect in sysadmin, the best practise is to change the role for this group to "public".
When you install sql server, sql server add news groups like sysadmin login, you can add yout account in this group in order to connect you on sql server.

I repeat, this article is not applied in sql server
Post #812980
Posted Tuesday, November 3, 2009 8:41 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Wednesday, January 29, 2014 6:31 AM
Points: 44, Visits: 175
The main question (I think) is unanswered:

If you have removed BUILTIN\Administrators and all other administrative access to the SQL instance, how can you log into the SQL instance with administrative access?

Rudy - are you suggesting that by starting the instance in single user mode and using SQLCMD -E that the access can be bypassed? If so, that is news to me.
Post #812981
Posted Tuesday, November 3, 2009 8:42 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Tuesday, July 29, 2014 9:08 AM
Points: 13, Visits: 285
this way is not exact, because when you type sqlcmd -E you will obtain à time out for sql connexion because your account dont existe in sys.logins.
In the case when you have a login , it is not necessary to stop sql service you can access anr execute query like (create bultin\administrators from windows).
The group bultin\administrators allows to system administratot to connect in sysadmin, the best practise is to change the role for this group to "public".
When you install sql server, sql server add news groups like sysadmin login, you can add yout account in this group in order to connect you on sql server.

I repeat, this article is not applied in sql server
Post #812984
« Prev Topic | Next Topic »

Add to briefcase ««12345»»»

Permissions Expand / Collapse