Thursday, February 16, 2012

Builtin\Administrators

I have a rogue co-worker who wants to support SQL but doesn't know
how. This person is a domain admin so it's difficult to keep him from
accessing and "doing stuff" with SQL server.
I want to SAFELY deny access to the builtin\administrator login but I
want to be sure I don't deny access to people who need it.
Here are a few steps I think I need to take in order to secure my
instance:
1. Review the local administrators group membership on the server and
remove any unnecessary members.
2. Create a local group and add the network admins that need access to
SQL to the group
3. Create a role/user (not sure which is best) and map the local group
to this login
4. Restrict login based on fixed server/database roles
Any assistance is appreciated.

I always remove BUILTIN\Administrators not only from sysadmin but from the
entire SQL Server instance. If there are some services, like FullText Search,
that may be using these permissions, I give them a Windows account instead.
Hope this helps,
Ben Nevarez
Senior Database Administrator
AIG SunAmerica

Hello!
Local Administrators Windows group has nothing to do with Domain Admins
group. They are different stuff. As your co-worker is in the Domain Admins
group (according to your saying he was a domain admin) and the mentioned
group must be a member of the sysadmin fixed server role. So it would not
make any difference if you remove Local Admin group in SQL Server Windows
Logins. He would be able to connect to your instance (I assume there is a
Domain Admins login in SQL Server Logins).

If your SQL Server is in a domain environment, then you better use domain
accounts to connect to your instance. BUILTIN\Administrators should be
deleted in many cases; however, this rule does not apply to ALL cases. First,
ensure that there is nothing using this account related to your SQL Server
instance. After ensuring this, you can delete it safely.

Why don't you explicitly deny him connecting to your SQL Server if he is the
only problem?

In which group is your account? You can remove Domain Admins from the Logins
if you are not in that group and if there is no one connecting to your SQL
Server in that group.
--
Ekrem Önsoy
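
The order of operations the replies above describe (check what depends on BUILTIN\Administrators, set up a replacement login, verify it, then remove the built-in group), written out as an added T-SQL example that is not part of any poster's message. CONTOSO\SQL-DBAs and CONTOSO\some.admin are hypothetical names; substitute your own domain group and account.

```sql
-- Added example. CONTOSO\SQL-DBAs and CONTOSO\some.admin are hypothetical.

-- 1. List the Windows accounts that reach the instance through the group login.
--    Service accounts that show up here need their own login before step 5.
EXEC xp_logininfo 'BUILTIN\Administrators', 'members';

-- 2. List every current member of the sysadmin fixed server role.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.type_desc, m.name;

-- 3. Give the DBAs their own way in BEFORE touching the built-in group.
CREATE LOGIN [CONTOSO\SQL-DBAs] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-DBAs',
                         @rolename = N'sysadmin';
-- On SQL Server 2012 and later the equivalent statement is:
-- ALTER SERVER ROLE sysadmin ADD MEMBER [CONTOSO\SQL-DBAs];

-- 4. Open a NEW connection as a member of that group and confirm the result.
--    Continue only if is_sysadmin comes back as 1.
SELECT SUSER_SNAME() AS connected_as,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 5. Remove the built-in group from the instance entirely.
DROP LOGIN [BUILTIN\Administrators];

-- 6. Optional: explicitly deny one individual. A DENY on the individual
--    login takes precedence over a CONNECT grant inherited from a group.
CREATE LOGIN [CONTOSO\some.admin] FROM WINDOWS;
DENY CONNECT SQL TO [CONTOSO\some.admin];

-- 7. Re-run the query from step 2 and confirm the membership is as intended.
```

Keep the session from step 3 open until the check in step 4 has succeeded from a second connection, so a mistake does not lock every administrator out.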

While I respect the advice given and acknowledge you need to do those
things, frankly you have a people problem, not a database problem.
I suggest that if he is doing things that have gotten your attention, and
won't stop, you need to take it up with your manager. If you don't and just
deny him access, it is likely HE will take it up with HIS manager and then,
you'll have a completely different mess.