Re: All users can start and stop SQL Server?

From: Simon (Simon_at_discussions.microsoft.com)
Date: 02/28/05

Next message: Simon: "RE: Changing SQL startup account"

Previous message: Simon: "EM does not display Login Name"
In reply to: Geoff N. Hiten: "Re: All users can start and stop SQL Server?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 27 Feb 2005 20:17:03 -0800

Hi Geoff,

This doesn't seem quite right to me, but I might be missing something.

Riki's problem as I see it is that the local Admin on Machine B can stop and
start services on Machine A. But the local Admin is just that - local - and
so should not be able to affect any other machine.

So while a local Admin can start and stop the local MSSQLServer service
irrespective of SQL Server rights, they shouldn't be able to affect another
machine's services.

So, have I missed something?

Simon.

"Geoff N. Hiten" wrote:

> Sounds normal. Removing the role prevented them from accessing the data
> within the SQL server. SQL runs as a service and any local administrator
> can stop and start any service. Treat it as a learning opportunity.
> Learning to be careful when you are a local administrator on a SQL server
> host computer is a very important skill.
>
> --
> Geoff N. Hiten
> Microsoft SQL Server MVP
> Senior Database Administrator
> Careerbuilder.com
>
> I support the Professional Association for SQL Server
> www.sqlpass.org
>
> "Riki" <riki@bounce.com> wrote in message
> news:ueJ$t9zGFHA.1528@TK2MSFTNGP09.phx.gbl...
> > I work for a training center and we have the following scenario:
> > SQL Server 2000 SP3A is installed on 10 computers in our classroom, under
> > Windows 2000 SP4 Professional.
> > The students log on with their own user name.
> > They are member of the local Administrators group (we trust them on their
> > own machine).
> >
> > They are also member of the sysadmin role on their own SQL Server.
> > We removed the BUILTIN/Administrators login on every SQL Server.
> >
> > The students cannot access any database on the other machines, which is
> OK.
> > But by playing around, they discovered that they are still able to start
> and
> > stop any of the other servers.
> >
> > Is this normal?
> > Did I overlook something?
> > What should I do to prevent this?
> >
> > Riki
> >
> >
>
>
>

Next message: Simon: "RE: Changing SQL startup account"

Previous message: Simon: "EM does not display Login Name"
In reply to: Geoff N. Hiten: "Re: All users can start and stop SQL Server?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Problems installing SQL Server 2005 in two node cluster
... the SQL Server service account does not need to be a local admin. ... > -> Purging the setup files from the registry with the Windows Install ...
(microsoft.public.sqlserver.clustering)
Re: All users can start and stop SQL Server?
... Learning to be careful when you are a local administrator on a SQL server ... > The students log on with their own user name. ... > They are also member of the sysadmin role on their own SQL Server. ...
(microsoft.public.sqlserver.security)
Re: Table loseing primary key when not local admin?
... sufficient rights or a proper initial catalog defined. ... When a user is using the app we developed, ... > if they are a local admin it works perfectly fine... ... > permissions on sql server or just .NET stuff? ...
(microsoft.public.dotnet.framework.adonet)
Re: Registry
... open query analyzer using just my Windows login even ... though I'm not mapped into the logins on the sql server. ... I get in simply because I'm local admin. ...
(microsoft.public.sqlserver.security)
Re: SQL Server Remote Management - Command Line Question
... If you are a local admin on the Win2K box that is running ... or isql to add, delete, change logins, users in SQL Server. ... If you disable or delete the users Windows account when the ... >rights on the machine, be able to log into that machine remotely and somehow ...
(microsoft.public.sqlserver)