SQLServerCentral is supported by Redgate
Looking for help due to SOX - Removal of local admin from DBAs
SAIC Dba (Grasshopper, General Forum Members)

Thanks to SOX regulations there is a movement to remove the DBAs from the local administrators group on all the servers. Is there a paper or anything to get me started that lists out what permissions a DBA would need, such as registry keys, file access and anything else in general?


cmille19 (SSC Veteran, General Forum Members)
This just seems like a bad idea, and the thing about SOX is that it's very open to interpretation. I've been through a SOX audit and did not lose my local admin permissions. The auditors did try to get us to implement data-change and select auditing on all data (of course they are a reseller of such software), but we were able to show this request was not necessary. I would argue against it and try to get your senior management to back you on it. The service account basically requires local admin access (there are several KB articles that document this, especially in a cluster). Also, there is a big difference between running SQL on a Windows server and running Oracle or Informix on a UNIX server. My team supports both and guess what: we don't need root access on UNIX. The DBMS is somewhat OS agnostic and one of our UNIX servers reached an uptime of 360 days. As for SQL, it is very tied to Windows and guess what: sometimes you need to reboot or recycle the services, and this requires admin access.



SAIC Dba (Grasshopper, General Forum Members)
Thanks for the reply. We are trying to fight it, and our plan is to come up with such an absurd list of permissions needed (registry keys, folders, etc.) that it would be crazy to take local admin away and try to manage those permissions for every DBA.
K. Brian Kelley (Keeper of the Duck, Moderators)
DBAs don't need local administrative access to the servers if the responsibilities for said DBAs are solely within SQL Server. Notice I said solely, as in nothing outside of SQL Server. And that's a key point: what are the expected responsibilities? In my organization there are a lot of things outside of SQL Server our DBAs are responsible for, meaning the removal of such rights would render our DBAs incapable of doing the job they've been assigned to do.

If you give us an idea of what all your DBAs are expected to do, we can probably give you a better idea of what rights are needed.

K. Brian Kelley
@kbriankelley
NotElite (SSC Rookie, General Forum Members)

I recently worked as a DBA under an (extremely painful) SOX environment. Not only did I not have admin rights to the box, but I was also not SA on the SQL Server. I was doled out rights by the Network Admins, so I had DBO for each individual db and could gain access for things like backups.

The most painful part was that you had to use Remote Desktop to connect to a "bastion host" from which you could PC Anywhere to the SQL Servers (moving backups from prod to refresh dev took an afternoon per DB), but that's neither here nor there.

The theory behind this was that the DBA role should be separate from the Network Admin role entirely. Therefore the DBA could not affect security audits on the boxes and the Network Admins couldn't fudge data. I could never figure out how this Consultant-Approved system kept the Network Admins out of my financial data, but it certainly kept me from being able to hide my tracks from having logged in... The main issue is who has the responsibility for maintaining the SQL Server application itself? In this environment it was the Net Admins.

My takeaway from this experience, however, was that it is possible to do many DBA functions without access to the box, let alone admin access. The rest of the functions, however, took a committee to accomplish.
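Kelley's point that a DBA whose duties stay inside SQL Server does not need local admin, and NotElite's account of working as dbo per database rather than as sysadmin, can both be written down as a concrete grant set. The T-SQL below is an added example, not code from this thread or from any of the posters. The AD group CORP\SQL-DBAs, the member account CORP\jdoe and the role name OperationalDBA are hypothetical; it assumes SQL Server 2012 or later for user-defined server roles (CONNECT ANY DATABASE needs 2014 or later), and it is run once by a sysadmin, after which the DBAs work through the role and the per-database db_owner membership instead of sysadmin.

```sql
USE master;
GO

-- Login for the AD group (hypothetical name), not for individual DBAs:
-- membership is then granted and revoked in AD and shows in the audit trail.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\SQL-DBAs')
    CREATE LOGIN [CORP\SQL-DBAs] FROM WINDOWS;
GO

-- User-defined server role (SQL Server 2012+) carrying day-to-day operational rights.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'OperationalDBA' AND type = 'R')
    CREATE SERVER ROLE OperationalDBA;
GO

-- Monitoring and troubleshooting: DMVs, blocking, waits, object definitions.
GRANT VIEW SERVER STATE       TO OperationalDBA;
GRANT VIEW ANY DEFINITION     TO OperationalDBA;
-- Login maintenance (unlocks, password resets) and tracing without sysadmin.
GRANT ALTER ANY LOGIN         TO OperationalDBA;
GRANT ALTER TRACE             TO OperationalDBA;
GRANT ALTER ANY EVENT SESSION TO OperationalDBA;
-- Reach every database, including ones created later (SQL Server 2014+).
GRANT CONNECT ANY DATABASE    TO OperationalDBA;
GO

ALTER SERVER ROLE OperationalDBA ADD MEMBER [CORP\SQL-DBAs];
-- dbcreator: create, alter, drop and RESTORE any database, which is what
-- refreshing dev from a prod backup needs without being sysadmin.
ALTER SERVER ROLE dbcreator ADD MEMBER [CORP\SQL-DBAs];
GO

-- Deliberately not granted: CONTROL SERVER, IMPERSONATE ANY LOGIN and
-- ALTER ANY SERVER ROLE (sysadmin by another name), and ALTER ANY SERVER AUDIT
-- (would let a DBA switch off the audit the separation of duties protects).

-- Per-database: db_owner in every online user database so BACKUP, DBCC and
-- index maintenance work. This is the "DBO for each individual db" model.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N''CORP\SQL-DBAs'')
    CREATE USER [CORP\SQL-DBAs] FOR LOGIN [CORP\SQL-DBAs];
ALTER ROLE db_owner ADD MEMBER [CORP\SQL-DBAs];
'
FROM sys.databases
WHERE database_id > 4 AND state_desc = N'ONLINE';
EXEC sys.sp_executesql @sql;
GO

-- Verification, still as sysadmin: impersonate one member of the group
-- (hypothetical account CORP\jdoe; a Windows group itself cannot be
-- impersonated, and this assumes the instance can resolve the user in AD)
-- and list the effective server permissions. sysadmin must come back as 0.
EXECUTE AS LOGIN = N'CORP\jdoe';
SELECT permission_name
FROM   sys.fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;
GO
```

The grant set is split on purpose: server-level permissions through a role for things that have no database scope (DMVs, logins, traces), dbcreator for restore, and db_owner per database for everything else. Anything the DBA still needs that is not on this list (service restarts, file-system access for backup folders, cluster failover) is an OS-level right and is exactly the kind of responsibility Kelley says has to be enumerated before deciding whether local admin can go.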





NotElite (SSC Rookie, General Forum Members)
I just realized there is another thread in this group where this is discussed in more detail.



Bob Lee (SSC-Enthusiastic, General Forum Members)
What was that thread? We're being asked the same thing right now. So if someone else has already gone through this, I'd appreciate the knowledge share.

Thanks