How to Connect to a SQL 2005 Server When You Are Completely Locked Out


Rudy Panigas
Thank you John.

I wrote this article in case you have "no other way" to connect to the SQL server.

Rudy



pmal
einman33 (11/3/2009)
From the article:

The builtin\administrators account has been removed for security reasons

??



This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.
john.vanda
einman33 (11/3/2009)
From the article:

The builtin\administrators account has been removed for security reasons

??



What is your question?
john.vanda


This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.


I know, right. Very uncomfortable feeling knowing that the network team could still get in if they really wanted to.
pmal
john.vanda (11/3/2009)


This happens if you don't want your outsourced IT Dept. seeing accounting data, such as payroll. SQL Server single user mode must use a separate set of permissions that, when active, allows anyone with local admin permissions rights to the data. So, the IT Dept. could still get into the data if they switched it to single user mode? Nice.


I know, right. Very uncomfortable feeling knowing that the network team could still get in if they really wanted to.


Well, at least I learned something today that I never knew.
Rudy Panigas
True, but the servers would have to be restarted in single user mode. Hopefully your monitoring systems would alert you that the server has been restarted. You should then review all logs, both server logs and SQL Server logs, and question your staff as to who started this server in single user mode and why. I would be getting the security department involved too.

Rudy
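
The log review suggested in the post above can be scripted. This is an added example, not part of the thread or the original article: it flags each instance start that ran in single-user mode and lists the logins recorded during that start. The log excerpt is constructed, and its line layout and message wording are assumptions modelled on a SQL Server error log.

```python
import re

# Constructed ERRORLOG excerpt (not from the thread). Layout and message text
# are assumptions modelled on SQL Server error logs. "Login succeeded" lines
# only appear when login auditing records successful logins.
SAMPLE_ERRORLOG = r"""
2009-11-02 08:00:01.10 Server      Server process ID is 1820.
2009-11-02 08:00:05.42 Logon       Login succeeded for user 'CORP\svc_app'. [CLIENT: 10.0.0.15]
2009-11-03 02:14:30.07 Server      Server process ID is 3344.
2009-11-03 02:14:31.55 Server      SQL Server started in single-user mode. This an informational message only. No user action is required.
2009-11-03 02:15:10.90 Logon       Login succeeded for user 'CORP\netadmin'. [CLIENT: <local machine>]
2009-11-03 02:31:12.00 Server      Server process ID is 2210.
2009-11-03 02:31:20.13 Logon       Login succeeded for user 'CORP\svc_app'. [CLIENT: 10.0.0.15]
"""

# timestamp, source column (Server, Logon, spidNN), message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) (\S+)\s+(.*)$")
LOGIN = re.compile(r"Login succeeded for user '([^']+)'")


def single_user_startups(errorlog_text):
    """Return one record per instance start that ran in single-user mode."""
    sessions, current = [], None
    for raw in errorlog_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or continuation lines carry no timestamp
        stamp, _source, msg = m.groups()
        if msg.startswith("Server process ID is"):
            # Assumed marker for a fresh start of the instance.
            current = {"started": stamp, "single_user": False, "logins": []}
            sessions.append(current)
        elif current is None:
            continue  # log text before the first start marker
        elif "started in single-user mode" in msg:
            current["single_user"] = True
        elif (hit := LOGIN.search(msg)):
            current["logins"].append((stamp, hit.group(1)))
    return [s for s in sessions if s["single_user"]]


if __name__ == "__main__":
    for s in single_user_startups(SAMPLE_ERRORLOG):
        print("single-user start at", s["started"])
        for stamp, user in s["logins"]:
            print("  login:", stamp, user)
```

Correlate each flagged start time with the Windows service stop and start events on the host to see which local account restarted the service.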



harriga.rabie-1008938
This way is not exact, because when you type sqlcmd -E you will get a timeout for the SQL connection because your account doesn't exist in sys.logins.
In the case where you have a login, it is not necessary to stop the SQL service; you can connect and execute a query like (CREATE LOGIN [BUILTIN\Administrators] FROM WINDOWS).
The group BUILTIN\Administrators allows the system administrator to connect as sysadmin; the best practice is to change the role for this group to "public".
When you install SQL Server, SQL Server adds new groups like sysadmin login; you can add your account to this group in order to connect to SQL Server.

I repeat, this article does not apply to SQL Server.
SleepyHead
The main question (I think) is unanswered:

If you have removed BUILTIN\Administrators and all other administrative access to the SQL instance, how can you log into the SQL instance with administrative access?

Rudy - are you suggesting that by starting the instance in single user mode and using SQLCMD -E that the access can be bypassed? If so, that is news to me.