Hello,

Two things:

1- Restarting SQL in single mode (using the -m flag) will allow any person that is a member o the Windows Local Admin group to be automatically a SYSADMIN in SQL is valid for SQL2K5, SQL2K8 and SQL2K8R2 (haven't test it on 2008).

2- Is the above a security gap? I don't think so, it's just a back door. Hopefully you have monitoring in place that will alert you if someone stops and restart SQL, and auditing in place that will tell you who did such a thing.