Re: SQL Server

From: BP Margolin (bpmargo@attglobal.net)
Date: 11/24/02


From: "BP Margolin" <bpmargo@attglobal.net>
Date: Sun, 24 Nov 2002 15:41:04 -0500


Brett,

> 2. Server upgrades and other tasks require the user to log in as "sa",
> so the account cannot be removed. This was the part that I was
> wondering about, and if it were true.

Not an entirely accurate statement.

It is true that in order to apply, for example, a service pack to SQL Server
one has to (a) log in as a member of the sysadmin role, and (b) have (almost)
administrator privileges on the machine. But one can be a member of the
sysadmin role without being "sa". The "sa" login is useful only when SQL
Server is in Mixed Authentication mode, so one can have SQL Server in
Windows Authentication mode, in which case the "sa" login just doesn't work
at all.

Additionally, even if the application requirements are such that one must
support Mixed Authentication mode, one can assign an "impossible" password
to the sa login (thereby making it effectively both hack proof and useless
for everyday use as well), but still have individuals in the sysadmin role.
BTW, passwords can be up to 128 characters long :-)

You might consider taking a look at the documentation in the SQL Server
Books Online about the sysadmin fixed server role. Perhaps a good starting
place is the section "System Administrator (sa) Login".

-------------------------------------------
BP Margolin
Please reply only to the newsgroups.
When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.) which
can be cut and pasted into Query Analyzer is appreciated.

"Brett Karst" <karst.brett@mayo.edu> wrote in message
news:eW19rV$kCHA.2616@tkmsftngp09...
> Thanks for the articles. I agree with you that the situation under
> which the sa account was being used was inappropriate. When I asked the
> administrators to create separate accounts, they argued that:
>
> 1. The standard SQL Server audit logs only indicate when a user logged
> on/off; not what they did. Utilizing the enhanced SQL Server auditing
> ("Profile"?) may require too many system resources, even if they were to
> just log the details of the individual sa accounts because the logging
> mechanism would have to verify whether each transaction was performed by
> an sa-privileged account.
>
> 2. Server upgrades and other tasks require the user to log in as "sa",
> so the account cannot be removed. This was the part that I was
> wondering about, and if it were true. They are somewhat open to the
> envelope method mentioned in the references you cited.
>
> Thanks again for your help.
>
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!
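The configuration BP describes above (sysadmin membership through individual Windows logins, and an sa password that nobody keeps), as an added T-SQL example that is not part of the thread; DOMAIN\DBAGroup and the generated password are placeholders, and the script assumes it is run by an existing sysadmin from Query Analyzer on SQL Server 2000.

```sql
-- Added example, not from the thread. DOMAIN\DBAGroup is a placeholder.

-- 1. Which authentication mode is the instance in?
--    1 = Windows Authentication only (the sa login cannot be used at all),
--    0 = Mixed mode (sa is reachable over SQL Server authentication).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Give the DBAs sysadmin rights through their own Windows logins instead
--    of a shared "sa". Because each person now connects under a personal
--    login, the login/logout entries in the error log name the actual user,
--    which addresses the "audit logs only show who logged on" objection.
EXEC sp_grantlogin 'DOMAIN\DBAGroup';                    -- placeholder group
EXEC sp_addsrvrolemember 'DOMAIN\DBAGroup', 'sysadmin';

-- 3. Weak state to move away from: sa with a blank password, which many
--    SQL Server 2000 installs were left with. Shown only for contrast.
--    EXEC sp_password NULL, '', 'sa';

-- 4. Hardened state: if Mixed mode must stay on, set sa to a long random
--    value (passwords may be up to 128 characters) that is never written
--    down. The login still exists, so nothing that checks for it breaks,
--    but it is useless for day-to-day work.
DECLARE @junk nvarchar(128);
SET @junk = CONVERT(nvarchar(36), NEWID())
          + CONVERT(nvarchar(36), NEWID())
          + CONVERT(nvarchar(36), NEWID());   -- 108 random characters
EXEC sp_password NULL, @junk, 'sa';

-- 5. Verify: every DBA should appear via the group; sa is always listed
--    because it is a permanent member of sysadmin and cannot be removed.
EXEC sp_helpsrvrolemember 'sysadmin';

-- SQL Server 2005 and later equivalents, for reference:
-- CREATE LOGIN [DOMAIN\DBAGroup] FROM WINDOWS;
-- EXEC sp_addsrvrolemember 'DOMAIN\DBAGroup', 'sysadmin';
-- ALTER LOGIN sa WITH PASSWORD = '<long random value>';
-- ALTER LOGIN sa DISABLE;
```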


