Re: how to block local admins

From: Wayne Snyder (wsnyder@ikon.com)
Date: 12/18/02

• Next message: Steve: "easy question"
• Previous message: Wayne Snyder: "Re: Delegate Power of God to only 1 database - How?"
• In reply to: Alexia: "how to block local admins"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Wayne Snyder" <wsnyder@ikon.com>
Date: Wed, 18 Dec 2002 14:59:40 -0500

In the end, the only way you can block local admins is to NOT grant
permissions to the BUILTIN/adminstrators group. for ANY SQL login that maps
to an NT group the NT guys can simply make themselves members of the
group... So for Sysadministrator privileges always add INDIVIDUAL NT logins
to the role, (NOT an NT group)

--
Wayne Snyder MCDBA, SQL Server MVP
Computer Education Services Corporation (CESC), Charlotte, NC
(Please respond only to the newsgroups.)
I support the Professional Association for SQL Server
(www.sqlpass.org)
"Alexia" <alexia.allen@kellogg.com> wrote in message
news:060301c2a51a$fa3fc090$d4f82ecf@TK2MSFTNGXA11...
> We are Oracle DBA's and relatively new to MS SQL.  I would
> like to know how we can prevent local administators from
> accessing certain (or all, whichever is easier)
> databases.  There are many IT folks here that need to be a
> part of this group for server admin purposes but we don't
> want them to be able to view sensitive database data (ex:
> payroll).
>
> We have tried revoking all from builtin\admin but this
> doesnt seem to prevent access.  We tried deny login to
> builtin\admin but this causes many issues with other users
> not being able to log in.  It also causes issues with db
> maintenance jobs.
>
> Is there an easy way we can block builtin\admin from
> seeing data in certain databases without causing all sorts
> of other issues?
>
> This is probably a complex question with a complex answer
> that may not easily answered via a news group.  However,
> wanted to give it a shot.
>
> thanks.

---

• Next message: Steve: "easy question"
• Previous message: Wayne Snyder: "Re: Delegate Power of God to only 1 database - How?"
• In reply to: Alexia: "how to block local admins"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Cant Login SQL from ASP.NET applications ... > databases with the same login permission from a web application ( ... > the current web request. ... Add the ASPNET user as a login to your SQL Server, ... (microsoft.public.dotnet.framework) Re: Cant Login SQL from ASP.NET applications ... > databases with the same login permission from a web application ( ... > the current web request. ... Add the ASPNET user as a login to your SQL Server, ... (microsoft.public.dotnet.framework.aspnet) Re: Cant Login SQL from ASP.NET applications ... > databases with the same login permission from a web application ( ... > the current web request. ... Add the ASPNET user as a login to your SQL Server, ... (microsoft.public.dotnet.general) WebAdmin tool keeps loosing connection ... We installed SQL Webadmin ... databases using Enterprise manager and everything was working fine. ... setup two security logins for each database: Windows Authenticated ... for login via web broswer and another SQL Authenticated. ... (microsoft.public.sqlserver.connect) Re: Permission question - another one ... If I add an Sql Login it does add the TRAVAC\ in front of the names, ... seems to be users that were setup to use SQL Server Authentication. ... RAPTOR is the Server that has SQL Server running on it. ... > " I could think I am taking permissions away from someone, ... (microsoft.public.sqlserver.programming)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)