prevent login as admin w/ windows authentication?

  • Hello All,

    I would like to restrict SQL Server access to anyone who physically logs onto the server where the SQL Server installation resides.

    I know you can password protect Enterprise Manager when using SQL authentication by selecting the "always prompt for password" option. However, this does not prevent someone changing the server registration to use Windows authentication and logging in as admin (or logging in using Query Analyzer w/ Windows Authentication for that matter).

    Is there a way to prevent people from logging in at the physical machine as admin using Windows authentication? (other than locking the machine)

    If so, what is the best way to do this?

    I'd appreciate any feedback!

    Thanks,

    John

  • You could remove BUILTIN\ADMINISTRATORS from the SQL Server logins. Bear in mind that you had better not lose your sa password if you do this.



    Shameless self-promotion - read my blog http://sirsql.net

  • As stacenic points out, so long as BUILTIN\Administrators has rights, you're not going to keep them out. You can remove BUILTIN\Administrators but there are some gotchas. The pros and cons of removing BUILTIN\Administrators and some of the gotchas:

    http://www.sqlservercentral.com/columnists/bkelley/sqlserversecuritysecurityadmins.asp

    Solid auditing and regular review are usually the best way to ensure an admin or a DBA doesn't overstep his or her bounds. When you get to the level of the privileged accounts, it's one of the few controls that's viable.

    K. Brian Kelley
    @kbriankelley

  • Thank you both for your responses... I've begun looking into removing the BUILTIN\Administrators account.

    Brian, that article you wrote is great. Thanks!
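
The removal discussed in this thread, written as a guarded script with the sysadmin review step built in. This is an added example, not code from any of the posters; it assumes SQL Server 2000-era system objects (`master.dbo.syslogins`, `sp_revokelogin`, `SERVERPROPERTY`) and that it is run by a sysadmin.

```sql
-- Added example (not from the thread). Assumes SQL Server 2000-era objects.
SET NOCOUNT ON

-- 1. Review: every login that holds sysadmin and how it authenticates.
--    Save this output; it is the baseline for the regular review.
SELECT  loginname,
        CASE WHEN isntgroup = 1 THEN 'Windows group'
             WHEN isntuser  = 1 THEN 'Windows user'
             ELSE 'SQL login' END AS login_type,
        hasaccess, denylogin
FROM    master.dbo.syslogins
WHERE   sysadmin = 1
ORDER BY loginname

-- 2. Guard: count the sysadmin logins that will still be usable afterwards.
--    SQL logins such as sa only count if the server accepts SQL
--    authentication (IsIntegratedSecurityOnly = 0, i.e. mixed mode).
DECLARE @remaining int
SELECT  @remaining = COUNT(*)
FROM    master.dbo.syslogins
WHERE   sysadmin = 1
  AND   hasaccess = 1
  AND   denylogin = 0
  AND   UPPER(loginname) <> 'BUILTIN\ADMINISTRATORS'
  AND   (isntname = 1 OR SERVERPROPERTY('IsIntegratedSecurityOnly') = 0)

IF @remaining = 0
BEGIN
    RAISERROR('No other usable sysadmin login; BUILTIN\Administrators left in place.', 16, 1)
    RETURN
END

-- 3. Remove the group login only if it exists on this server.
IF EXISTS (SELECT * FROM master.dbo.syslogins
           WHERE UPPER(loginname) = 'BUILTIN\ADMINISTRATORS')
BEGIN
    EXEC sp_revokelogin 'BUILTIN\Administrators'
    PRINT 'BUILTIN\Administrators removed. Re-run step 1 and compare with the baseline.'
END
ELSE
    PRINT 'BUILTIN\Administrators is not a login on this server.'
```

The guard only proves that another sysadmin login exists, not that anyone still knows its password, so confirm a working sa or named sysadmin logon from a second session before running step 3.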
