Removing accounts

  • Hi!! This thread might have been placed under the security forum, but it isn't.

    I got a tip about removing the guest account in the Northwind and pubs db in an SQL2000 server for security reasons.

    My question: Should I remove the guest account in the other db as well (master, model, ...)?


  • You cannot remove guest from either master or tempdb.

    If you remove it from MODEL then it won't appear in any future databases that you add to the system. MODEL is effectively a template database that is used to create other databases.

    If a database has a guest account then provided that a user has a login to the SQL Server they will be assumed to be the guest in any databases where they don't currently have a specific user account.

  • Of course I will not remove it from model!! Mistake by me!!

    How about removing it from msdb, tempdb and distribution?? What will happen??

    I just want to secure the database as much as possible and prevent unauthorized access.


  • I would remove it from MODEL.

    I have removed it from MSDB in my environment with no ill effects but I am not doing any complicated development with DTS or SQLServerAgent jobs.

    I am not sure about Distribution though. I treat replication like a hand grenade with a very loose pin. I think Steve Jones is the one to answer this.

    It must depend on whether you are using push or pull subscriptions though I cannot be sure. I would suspect that pull subscriptions may need the guest account. The problem is that if you break replication it can be a pain to get it working again.

    If you remove the guest account from a database you can always put it back by running sp_grantdbaccess 'guest' in your database.

  • I haven't ever thought about distribution, but I have removed it from model. I don't want any guest permissions on servers, only those that I explicitly have set up.

    If it breaks replication, probably a good thing and means you need to set up proper security for those subscribers.

  • You can't remove guest from master and tempdb. You can from msdb, usually with no ill effects. The information in msdb isn't something most users need access to. You can remove it from distribution, but as Steve indicates, if you have pull subscribers that don't have another valid way into distribution, you'll break. Push subscribers, since the work is being done by the distributor, won't break.

    K. Brian Kelley
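
An audit script for the advice in this thread, added here as an example and not posted by any participant: it reports which databases still have guest enabled and flags the ones the replies single out. It assumes SQL Server 2000 system tables (`sysdatabases`, `sysusers.hasdbaccess`); the removal step uses `sp_revokedbaccess`, the counterpart of the `sp_grantdbaccess` call mentioned above.

```sql
-- Audit pass: list every online database and whether guest has access.
-- Assumes SQL Server 2000 system tables; run as a sysadmin.
SET NOCOUNT ON

DECLARE @db sysname, @sql nvarchar(1000)

CREATE TABLE #guest_report (
    dbname      sysname     NOT NULL,
    guest_state varchar(40) NOT NULL
)

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master.dbo.sysdatabases
    WHERE DATABASEPROPERTYEX(name, 'Status') = 'ONLINE'

OPEN db_cur
FETCH NEXT FROM db_cur INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    -- hasdbaccess = 1 means guest can enter that database
    SET @sql = N'INSERT #guest_report
        SELECT ' + QUOTENAME(@db, '''') + N',
               CASE WHEN EXISTS (SELECT * FROM ' + QUOTENAME(@db) + N'.dbo.sysusers
                                 WHERE name = ''guest'' AND hasdbaccess = 1)
                    THEN ''guest enabled''
                    ELSE ''guest disabled or absent'' END'
    EXEC (@sql)
    FETCH NEXT FROM db_cur INTO @db
END
CLOSE db_cur
DEALLOCATE db_cur

-- Notes follow the replies in the thread, not a separate source.
SELECT dbname, guest_state,
       CASE WHEN dbname IN ('master', 'tempdb') THEN 'cannot be removed'
            WHEN dbname = 'distribution' THEN 'check pull subscribers first'
            ELSE 'candidate for removal' END AS note
FROM #guest_report
ORDER BY dbname

DROP TABLE #guest_report

-- To remove guest, run in each chosen database (for example model or msdb):
--   USE model
--   EXEC sp_revokedbaccess 'guest'
-- To put it back, as noted in the thread:
--   EXEC sp_grantdbaccess 'guest'
```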
