Click here to monitor SSC
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 

Removing NT Administrators as Sysadmins

By Brian Knight,

By default, all NT administrators of the domain that your SQL Server is installed in, have SA rights in every database. This presents interesting challenge for DBAs, political and technical. Does your NT administrator group need SA rights to every database? The answer is no.

Let me take a moment to contradict and clarify the statement I just made. Although the NT group "Administrators" does not need SA rights, the people inside that group may need SA rights. The better way to lock down your SQL Server versus the default would be to create a second user group and assign any users that need SA rights into it. By doing this, you give only the NT administrators that need SA access the rights as well as create a universal SA group to audit.

The first step before you do this would be to remove the current administrators group from your SQL Server. You can do this by expanding the Security group and selecting Logins. Then, delete the BULTIN\Administrators login in the right pane.

Now, create a new NT group and reverse the steps. Generally there is no need to give your network administrators SA rights, but if there is a need, do so through this technique.

 
Total article views: 4032 | Views in the last 30 days: 0
 
Related Articles
FORUM

Denying Local Administrators accounts Sysadmin rights ?

How do I - Denying Local Administrators accounts Sysadmin rights ?

FORUM

The user group “administrators” had full access rights before

after execution sp_attach_db and sp_detach_db user group “administrators” disappeared

ARTICLE

Multi-Server Administration

Multi server administration allows you to create jobs and maintenance plans once. You can then monit...

FORUM

Creating USER Group in SQL Server 2005

Creating USER Group in SQL Server 2005

BLOG

More on DBAs and Local Administrator Rights

I'm looking over the comments about DBAs and local Administrator rights and I noticed an interesting...

Tags
other    
rants    
security    
sql server 7    
 
Contribute