builtin\adminstrators

what is best practice with this group account?
it is installed by default, if i understand correctl, it gives anyone who is
in the server admin group, admin rights to sql server. isn't that a bad id
ea?See:
SQL Server 2000 SP3 Security Features and Best Practices
http://www.microsoft.com/technet/pr...n/sp3sec00.mspx
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.|||Hi Kevin,
i believe have looked at this article before...however, i just reviewed it
again.
where does this article address my question specifically..am i missing it.
thanks|||Hi Kevin,
Thanks for your update. As the SQL Server 2000 security model is based on
the Windows security model and as the system administrator of windows
operating system, it will have permission on all the activities on the SQL
Server since they are combined together. So, 'buildin\admin' security will
depends on the windows security model for it. SQL Server will benifit from
the Windows security architecture. Please refer to the following article:
Authentication Modes
http://msdn.microsoft.com/library/e...curity_47u6.asp
Security Architecture
http://msdn.microsoft.com/library/e...curity_4fol.asp
Hope this helps. Thanks.
Best regards
Baisong Wei
Microsoft Online Support
----
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Please reply to newsgroups only. Thanks.|||let me put it this way, if you have os adminstrators who are in the local ad
ministrators group and you don't want them to have admin rights to the sql s
erver...then you should i remove the builtin\administrators group from the
sql server logins.....is t
hat correct?
thanks
-jason|||Yes.
The following article has a section with links to some
issues that could come up if you remove the group:
INF: How to impede Windows NT administrators from
administering a clustered instance of SQL Server
http://support.microsoft.com/?id=263712
-Sue
On Wed, 14 Apr 2004 14:01:06 -0700, "jason" <jason_fin>
wrote:

>let me put it this way, if you have os adminstrators who are in the local administr
ators group and you don't want them to have admin rights to the sql server...then y
ou should i remove the builtin\administrators group from the sql server logins.....
is
that correct?
>thanks
>-jason|||Hi Kevin,
I just want to add some more information to your question. Please look at
the
"Step 11. SQL Server Logins, Users, and Roles" in "Securing Your Database
Server" at
http://msdn.microsoft.com/library/d...-us/dnnetsec/ht
ml/THCMCh18.asp
That is, if you differentiate the role of domain administrator and database
administrator. You'd better remove the BUILTIN\Administrators SQL Server
login and then create a specific Windows group containing specific database
administrations added to SQL server as a server login.
Hope this helps. Thanks.
Best regards
Baisong Wei
Microsoft Online Support
----
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Please reply to newsgroups only. Thanks.|||Hi,
I am reviewing you post. Since we have not heard from you for some time, I
wonder if you still have quesitons of the information I provided. For any
question, please feel free to post new message here and we are glad to
help.
Thanks.
Best regards
Baisong Wei
Microsoft Online Support
----
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Please reply to newsgroups only. Thanks.|||Thanks Sue and Biasong,
the reason it takes me a while to tget back is because that nospam alias acc
ount doesn't work as far as sending me notifications for replys.
thanks
-jason