Spackle: Making sure you can connect to the DAC


Kenneth Fisher
Comments posted to this topic are about the item Spackle: Making sure you can connect to the DAC

Kenneth Fisher
I strive to live in a world where a chicken can cross the road without being questioned about its motives.
--------------------------------------------------------------------------------
For better, quicker answers on T-SQL questions, click on the following... http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following... http://www.sqlservercentral.com/articles/SQLServerCentral/66909/
Link to my Blog Post --> www.SQLStudies.com

david.gugg
Would there be any security concerns with allowing remote admin connections? Seems like it would be ok as long as you have your sysadmin logins controlled appropriately.


Personal blog relating fishing to database administration:

https://davegugg.wordpress.com/
Kenneth Fisher
Really the DAC doesn't really add any security implications. Only sysadmins can connect and if you are a sysadmin you have complete control of the instance anyway. The only thing you can do in the DAC that you can't in a regular connection is view the system tables. This can give you a little bit of extra information (the password hash for a contained user for example) but nothing that is all that big a deal if you are a sysadmin already.

That being said, you still want to make sure your sysadmins are under control :)

Rick.Bielawski
Actually there are a couple implications to using DAC that a person may want to consider.
When logging in via DAC, any login trigger you might be using to audit or otherwise control access will be bypassed.
If you have auditing turned on and are using the 'Fail operation on audit failure' feature the DAC may be your only way to get in if your attempt to connect is being rejected due to an audit problem.
These are both reasons to turn it on and reasons to leave it off depending on your situation. If a login trigger fails the login will be denied, even to SA, but since the trigger is bypassed on the DAC you can still get in to fix it. The same goes for problems with server level auditing.
You might have other auditing around use of RDP to access your servers and therefore use of DAC can be indirectly monitored with those controls whereas, if remote DAC is allowed, anyone who relies solely on a login trigger will not see the login. Anyone who relies on instance auditing will always see the login unless there is a problem logging the attempt. Via the DAC the attempt will succeed even if it might otherwise fail using a normal connection.
If your server is so pegged that you can't RDP but remote DAC is enabled, since the DAC has a dedicated thread you can always get in if remote DAC is enabled.
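
The points raised in this thread (remote DAC, sysadmin membership, login triggers that the DAC bypasses) can be reviewed on an instance with the catalog views below. This is an added example, not code from any of the posters; it assumes you run it as a sysadmin.

```sql
-- 1. Is remote DAC allowed? value_in_use = 1 means the DAC listener
--    accepts connections from other hosts, not only from the server itself.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'remote admin connections';

-- 2. Who can use the DAC at all? Only members of sysadmin can connect,
--    so this list is the effective access list for it.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Which logon triggers exist? Any auditing or access control done
--    only in these is not applied to a DAC login.
SELECT t.name, t.is_disabled, t.create_date, t.modify_date
FROM sys.server_triggers AS t
JOIN sys.server_trigger_events AS te ON te.object_id = t.object_id
WHERE te.type_desc = N'LOGON';

-- 4. Is anyone on the DAC right now, and from where?
--    DAC sessions are the ones bound to the built-in DAC endpoint.
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       s.login_time, c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.endpoints AS e ON e.endpoint_id = s.endpoint_id
LEFT JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE e.name = N'Dedicated Admin Connection';
```

If query 3 returns rows and query 1 shows remote DAC enabled, query 4 (or a server audit, as noted above) is where DAC logins will show up rather than in the trigger's own log.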