Going through SQL Server Enterprise Manager and changing the service account using that tool usually gets all of these rights set correctly. So running setup again is not necessary.

OK, but from an auditing perspective there is an avoidable weakness...

I can understand shielding the customer from direct DB access. A lot of good reasons to do that, especially in...

Talk to the guys here at SSC. They might be able to point you in the right direction.

Anything that references file paths (potentially DTS packages), may be impacted. But this is not a new concern if you are moving from one server environment to another.

From within SQL...

Local administrative rights are not necessary and unless there is a business or functional reason as to why they should be there, it's generally advised against from a security perspective...

Being a member of db_ddladmin doesn't auto-create objects as dbo. Being a member of db_ddladmin will still create object as your user unless you're aliased as dbo... which you are...

We build from images all the time.

Can you provide a bit more details? Operating system, service pack? Also, version of SQL Server and service pack?

Another mechanism is to use log exploring software like what Lumigent or ApexSQL sells. There's also Entegra from Lumigent.

In 3rd party cases, I'd tend to agree with you, only because you're not left with my choice in order to be supported. But in a homegrown app...

This tells you files, registry keys, etc. to clean out:

How to manually remove SQL Server 2000 default, named, or virtual instance (290991)

Version Database:

Versions List at SQLSecurity.com

Fixes can be downloaded from Microsoft's site. For security hotfixes, go to:

http://www.microsoft.com/technet/security/default.mspx

For other hotfixes, you can determine if...

What is the actual alert message?

Generally speaking, you want to minimize the number of accounts that have login rights. You also, however, want each user to login using a login only they have access to,...

True. The "for optimum performance, do not use more than 4,000 characters" for EXEC doesn't apply in this case because you're only building the stored procedure once. Good point.

There are two issues here, though.

One, with a login per database (as the owner) there is an extra account per database. Since that account is owner of the database,...