Best Practice - Builtin\Administrators SQL account - I'm confused
smaas_at_newsgroups.nospam
Date: 11/13/04
- Next message: smaas_at_newsgroups.nospam: "Best Practice Question - "Lowest possible privileges""
- Previous message: smaas_at_newsgroups.nospam: "Re: Best Practice - xp_cmdshell question"
- Next in thread: Kevin McDonnell [MSFT]: "RE: Best Practice - Builtin\Administrators SQL account - I'm confused"
- Reply: Kevin McDonnell [MSFT]: "RE: Best Practice - Builtin\Administrators SQL account - I'm confused"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Nov 2004 15:44:01 -0800
I couldn't find anything about Builtin\Administrators in the Microsoft Best
Practices checklist, but MBSA reports that it is part of the sysadmin role
and apparently should not be. I started to research this and see that a lot
of people are going so far as to remove the account altogether from SQL
Server with varying results in an effort to prevent system administrators
from gaining the same access as the DBA. I am confused about the differing
opinions and am wondering if there is some definitive guide to handling this
account to meet Sarbanes-Oxley objectives.
In our particular environment, there are only 4 people in our IT staff and
we intend for two of them, the DBA and the senior sys admin, to have access -
the senior sys admin in more of a back-up context for the DBA but also as
overall responsibility for the server. We would like to exclude the other
two staff. The senior sys admin's plan is to reserve knowledge of the System
Administrator account login only to himself but to put the other staff in an
NT group with at least some administrative rights (so that they can
troubleshoot systems from a support perspective - beyond that, I don't know
the details of his plan).
To accomplish this, will it be enough to remove the Builtin\Administrators
account from the sysadmins role or is there some reason to remove the account
completely?