Re: SQL Server
From: Stamey (Stamey@REMOVEThisAndTheDot.Farther.com)
Date: 11/26/02
From: "Stamey" <Stamey@REMOVEThisAndTheDot.Farther.com> Date: Tue, 26 Nov 2002 00:07:30 -0500
Actually, your admins are not as knowledgeable about SQL Server as they
might think. While the SQL log may not be as extensive in data, when an
error occurs SQL Server will log the information to the Application log of
the server. I had this problem today where a developer was running an app
that caused the process to GPF in SQL Server. When I looked at the
application log in Win 2000 I saw the developer's login and was able to walk
right over to his desk to see what he was trying to do when the error
occurred. If he had been logged in as SA I might have never known who
actually caused the problem.
And I agree with the other reply from BP. When I set up a SQL Server,
if I HAVE to make it Standard Security accessible, I make it mixed mode
security. I then assign myself to the SysAdmin role, assign a tough password
to the SA account and then lock the password away as a last resort. I will
only use the SA account as a last resort if everything else fails. I have
dealt with many people who firmly believe they must have the SA account to
manage SQL Server and I have amazed a few when I proved them wrong. The
others weren't worth educating.
Chris
"Brett Karst" <karst.brett@mayo.edu> wrote in message
news:eW19rV$kCHA.2616@tkmsftngp09...
> Thanks for the articles. I agree with you that the situation under
> which the sa account was being used was inappropriate. When I asked the
> administrators to create separate accounts, they argued that:
>
> 1. The standard SQL Server audit logs only indicate when a user logged
> on/off; not what they did. Utilizing the enhanced SQL Server auditing
> ("Profile"?) may require too many system resources, even if they were to
> just log the details of the individual sa accounts because the logging
> mechanism would have to verify whether each transaction was performed by
> an sa-privileged account.
>
> 2. Server upgrades and other tasks require the user to log in as "sa",
> so the account cannot be removed. This was the part that I was
> wondering about, and if it were true. They are somewhat open to the
> envelope method mentioned in the references you cited.
>
> Thanks again for your help.
>
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!
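
The setup Chris describes above (a named administrator in the sysadmin role, with sa given a strong password and held in reserve), sketched in T-SQL as an added example that is not part of the original thread. It assumes SQL Server 2012 or later syntax; the Windows account CORP\dba_chris and the password placeholder are hypothetical.

```sql
-- Added example, not from the original thread.
-- Assumptions: SQL Server 2012+ syntax, mixed mode already enabled,
-- CORP\dba_chris is a hypothetical Windows account, and the sa password
-- shown is a placeholder to be replaced with a generated value.

-- 1. Give the administrator a named Windows login, so errors and audit
--    records carry a person's identity instead of the shared sa name.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CORP\dba_chris')
    CREATE LOGIN [CORP\dba_chris] FROM WINDOWS;

-- 2. Put that login in the sysadmin fixed server role.
ALTER SERVER ROLE sysadmin ADD MEMBER [CORP\dba_chris];

-- 3. Set a long random password on sa and keep password policy on.
--    The password is then stored offline and used only as a last resort.
ALTER LOGIN sa
    WITH PASSWORD = N'<generated-password-placeholder>',
         CHECK_POLICY = ON;

-- 4. Review who holds sysadmin. Every row other than sa should map to
--    a named individual or a managed service account.
SELECT m.name        AS login_name,
       m.type_desc   AS login_type,
       m.is_disabled AS is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 5. Spot day-to-day use of sa: any session listed here is work that
--    cannot be attributed to an individual.
SELECT session_id, login_time, host_name, program_name
FROM sys.dm_exec_sessions
WHERE login_name = N'sa';
```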