Click here to monitor SSC
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


Is RDP Access Needed for a SQL Server Administrator?


Is RDP Access Needed for a SQL Server Administrator?

Author
Message
defyant_2004
defyant_2004
SSC Rookie
SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)

Group: General Forum Members
Points: 47 Visits: 146
Our SQL DBAs have not been given RDP access to the SQL machines in our environment. While they realize they do not need RDP access to setup maintenance plans because this can be done via SSMS, they claim it is helpful to be able to see (things) like the amount of free space on the drives, where the data and log files are stored, access to the server Event Logs, access to the server Task Manager Performance tab, access to the Services, and a few other OS functions. Is it common and necessary for SQL DBAs to have RDP access to the Windows Server or can they perform all their work via SSMS?
george sibbald
george sibbald
SSCertifiable
SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)

Group: General Forum Members
Points: 6326 Visits: 13687
do they do installs? RDP is needed for that.

Is remote DAC enabled so DBAs could get on if SQL is unresponsive?

whilst all SQL based work can be done via SSMS having RDP access makes it easier for DBAs to do the full range of their tasks especially when troubleshooting so why do you want to make it harder for them? A dBA can do a lot of damage (including branching out to the OS) via the high level of access they will have in Sql server, so what are you trying to protect against?

If a server supports SQL DBAs should be trusted as much as the sysadmins on that server.

---------------------------------------------------------------------
george sibbald
george sibbald
SSCertifiable
SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)

Group: General Forum Members
Points: 6326 Visits: 13687
...........and no they cannot do all their work via SSMS.

As a DBA I have performed all those other functions you mention and more

---------------------------------------------------------------------
defyant_2004
defyant_2004
SSC Rookie
SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)

Group: General Forum Members
Points: 47 Visits: 146
They do not do installs.

Not sure what DAC enablement is for? If the server is down, we bring it back up for them.

We just feel the DBAs need to stay off the server to prevent any possible damage to the server itself.

If SSMS gives them what they need, why risk giving them RDP access?
Sean Lange
Sean Lange
SSCoach
SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)

Group: General Forum Members
Points: 16566 Visits: 17016
defyant_2004 (12/16/2013)
They do not do installs.

Not sure what DAC enablement is for? If the server is down, we bring it back up for them.

We just feel the DBAs need to stay off the server to prevent any possible damage to the server itself.

If SSMS gives them what they need, why risk giving them RDP access?


So you trust these people to manage, maintain and secure the company's most valuable asset (data) but at the same time you do not trust these same highly technical people with a server? I know that is how some shops work but it seems overly paranoid to me.

Honestly what exactly are you trying to protect? What IS the risk of a DBA having RDP access to the server they are responsible for keeping running well? I am honestly curious because I would like to know what the risk truly is for this.

[sarcasm]


We just feel the DBAs need to stay off the server to prevent any possible damage to the server itself.


I agree 100% that no DBA should be allowed to sit, hang or any other things I envision from the old suitcase commercials with the gorillas to any self respecting server. :-D

[/sarcasm]

_______________________________________________________________

Need help? Help us help you.

Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

Need to split a string? Try Jeff Moden's splitter.

Cross Tabs and Pivots, Part 1 – Converting Rows to Columns
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs
Understanding and Using APPLY (Part 1)
Understanding and Using APPLY (Part 2)
Lowell
Lowell
SSChampion
SSChampion (14K reputation)SSChampion (14K reputation)SSChampion (14K reputation)SSChampion (14K reputation)SSChampion (14K reputation)SSChampion (14K reputation)SSChampion (14K reputation)SSChampion (14K reputation)

Group: General Forum Members
Points: 14957 Visits: 38958
As a DBA, the #1 reason (for me) I seem to need access to the server itself are for diagnosing ETL issues and managing of SSIS packages;

we have a lot of SSIS packages, adn they exist and are executed on the server.

We have a large number of scheduled jobs migrate data from various flat file resources to staging folders for further processing; think of the classic migrating of SFTP files from one source to the server, so they can be bulk inserted, bcp, or have an SSIS package fiddle with them.

I very often need to open those files directly, and for that
access to the proper folders or shares.

Lowell

--
help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

defyant_2004
defyant_2004
SSC Rookie
SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)

Group: General Forum Members
Points: 47 Visits: 146
We really want to protect the server and limit the amount of unnecessary access. Although I am not an expert at DBA work, I have used SSMS in the past and it seems to provide everything our DBAs should need to maintain our SQL Servers without logging onto the server itself and messing things up. We have a 90% uptime we must keep. We also want to prevent any risk for corrupting our Windows Server installations.
Elliott Whitlow
Elliott Whitlow
SSCertifiable
SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)

Group: General Forum Members
Points: 6208 Visits: 5314
I have worked in highly secure environments where ONLY RDP access was allowed. RDP access does make it much simpler and the real question is "do you trust the DBAs or not?" If the answer is no then why do you trust your system people MORE than your DBAs, people who specialize in the software? These people have VERY high level access, restricting RDP is not making you more secure, you are making it harder to do their work with no appreciable benefit.

CEWII
defyant_2004
defyant_2004
SSC Rookie
SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)SSC Rookie (47 reputation)

Group: General Forum Members
Points: 47 Visits: 146
We do not use SSIS or Reporting Services. We only use MS SQL database engine.
Elliott Whitlow
Elliott Whitlow
SSCertifiable
SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)SSCertifiable (6.2K reputation)

Group: General Forum Members
Points: 6208 Visits: 5314
It doesn't matter, have "console" access to the machine running the database server makes things easier. I have yet to have someone give a valid reason to prevent RDP from either a system admin or a database admin.

What are you afraid of?

CEWII
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search