• I've decided Option 2 is the way to go for me. I finally found some "best practices" info, although it's related to PCI DSS compliance. It's a great read with some great recommendations. I can't implement all of them, and I may never pass a PCI audit, but I'll most definitely improve security. For what it's worth, here are the recommendations related to the SYSADMIN role:

    A critical step in restricting access to cardholder data is to limit the number of privileged users assigned to the sysadmin server role. By default, the BUILTIN/Administrators group is not a member of the sysadmin role in SQL Server 2008 R2. The PCI DSS directly supports the best practice concept of “least privilege” access model; therefore, we recommended the following:

  • Members of the sysadmin role should only login using individual Windows Logins
  • The number of users assigned to the sysadmin role should be minimal
  • The sysadmin role should be assigned based on job function
  • Members of the sysadmin role’s Windows logins should be individually given access to SQL Server rather than through a mapped AD group
  • Members of the sysadmin role should not be local Windows administrators
  • Members of the sysadmin role should not have access to any folders or file shares on the server that the SQL Server service has access to such as, the folders containing the data and log files, and directories that databases or encryption keys could be backed up to
  • A Windows local or domain administrator should not have sysadmin access to SQL Server