Re: Visual Studio gives direct dbo access to Sql Server 2000 ??? <<Update>>

From: BBFrost (barry.b.frost_at_remove_this.wrd.state.or.us)
Date: 07/19/05


Date: Tue, 19 Jul 2005 08:53:38 -0700

Dan,

Thanks for the response!! It's very much appreciated.

As I said I'm an SqlServer 'newbie' and I'm in the process of hurriedly
scrambling up the "Learning Mountain" :)

I hunted down the BuiltIn\Administrators login and toggled it to "Deny
Access" with the intention that I only want explicitly named users to have
sysadmin (dba) privileges. After I did this I made sure I could still log
in to the db with the "dba" account (with Enterprise Manager) we've set up.
Good advice about checking for a lockout ... that would be "classic
slam-doe-doe".

We are starting down the path of using SqlServer that Windows access
security which I see at this point (correctly? / incorrectly ?) as requiring
actually creating SqlServer user logins and then granting them the "roles"
that control access to tables and other DB objects.

That's why the developer 'dbo' access caught me by surprise.

With respect to developers that are also domain admins ... we're a very
small shop and most of us handle a number of responsibilities. For instance
I'm "the DBA" and "lead C# desktop app developer", "Ken is the Unix Admin,
Net admin and lead Web app developer", etc. The developers are basically
"backup" Domain Admins ... so now, if I understand your info about
BuiltIn\Administrators User Login correctly, we should be able to re-grant
their NT Domain Admin status and they'll now have to login to the db like
everyone else.

Thanks again.

Barry
in Oregon
(Oregon Water Resources Dept)

"Dan Artuso" <dartuso@NSpagepearls.com> wrote in message
news:e22PafGjFHA.3936@TK2MSFTNGP10.phx.gbl...
> Hi,
> If you check out the logins in SQL Server, you'll see the
> BuiltIn\Administrators login.
> This login is a part of the sysadmin server role.
> What this means is that any account that is a member of the machine's
> local admin group will also be a sysadmin in SQL Server.
> If the developers need local admin rights, you can remove the
> BuiltIn\Administrators from the sysadmin role.
> If you do that, make sure you make the appropriate accounts sysadmins so
> you don't lock yourself out.
>
> What are developers doing with domain admin rights anyway??
>
> --
> HTH
> Dan Artuso, Access MVP
>
>
> "BBFrost" <barry.b.frost@remove_this.wrd.state.or.us> wrote in message
> news:exA9nH$iFHA.2152@TK2MSFTNGP14.phx.gbl...
> > New Info ...
> >
> > A couple of the developers turned out to be NT Domain administrators. We
> > removed the developers from the NT Domain Admin list and they now have to
> > login (over and over again) to access their tables. They're not very happy.
> > So far it seems that being an NT Domain Administrator allows one to "Blow
> > Right past" Sql Server's Security checks and access the server with "dbo"
> > rights.
> >
> > Can anyone elaborate on what's going on here ??? Is there a way to allow
> > the developers to be NT Domain Admins without automatically granting them
> > "carte blanche" DB access ??
> >
> > Again ... Thanks in advance.
> >
> > Barry
> > in Oregon
> >
> > "BBFrost" <barry.b.frost@remove_this.wrd.state.or.us> wrote in message
> > news:ew9p9j#iFHA.2472@TK2MSFTNGP15.phx.gbl...
> > > Greetings,
> > >
> > > I'm a new Sql Server administrator and I just received a shock ... We've
> > > set up a pretty much default instance of Win2003 server and SqlServer
> > > 2000.
> > >
> > > Just told the developers that I'd set up a test Sql Server instance and
> > > told them the name. Shortly thereafter I found that they were connecting
> > > from Visual Studio and are getting automatic 'dbo' access.
> > >
> > > Tables and views are popping up all over the place, all owned by dbo and
> > > I'm having a tough time figuring out what's going on.
> > >
> > > I've set the Sql Server 2000 Security parameters to "Sql Security &
> > > Windows" and I've created individual user accounts for our test database.
> > > (The security options I see are "SQL Server and Windows" & "Windows Only".
> > > Selecting "SQL Server and Windows" doesn't seem to limit the developers
> > > from charging in with "Windows Only" access.)
> > >
> > > For example "smithca" has a Windows NT Domain account and Visual Studio.
> > >
> > > Within the test_db_server database I've created a "smithca" user account.
> > >
> > > With the test_db "smithca" has been granted the "public" role.
> > >
> > > When "smithca" fires up Visual Studio Server Explorer, points at
> > > "test_db_server" and creates a "Windows NT integrated security" account.
> > > WHAM! He's got "dbo" access to the database.
> > >
> > > From what I can see any developer can log into any database (test or
> > > production) with full DBA permissions.
> > >
> > > Afraid ... very afraid !!!
> > >
> > > Any help with this would be greatly appreciated !!!
> > >
> > > Thanks in advance
> > >
> > > Barry
> > > in Oregon
> > >
> > >
> > >
> >
> >
>
>
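
The sequence discussed in this thread, written out as T-SQL for SQL Server 2000 Query Analyzer (an added example, not part of the original posts). EXAMPLEDOM\dba_account is a placeholder for the named Windows account that should keep sysadmin; run it while connected as an existing sysadmin.

```sql
-- Added example: audit and tighten sysadmin membership on SQL Server 2000.
-- EXAMPLEDOM\dba_account is a placeholder, not a name from the thread.

-- 1. See who is sysadmin today. On a default install this list
--    includes BUILTIN\Administrators, which is why every local
--    (and therefore domain) admin connects with dbo rights.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 2. BEFORE changing the group, give the intended DBA account an
--    explicit login and sysadmin membership to avoid a lockout.
--    Do the same for any service account (for example SQL Server
--    Agent) that was relying on local Administrators membership.
EXEC sp_grantlogin 'EXAMPLEDOM\dba_account';
EXEC sp_addsrvrolemember 'EXAMPLEDOM\dba_account', 'sysadmin';

-- 3. From a NEW connection opened as that account, confirm the
--    grant took effect. Expect i_am_sysadmin = 1.
SELECT SUSER_SNAME()                AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS i_am_sysadmin;

-- 4. Option A (Dan's suggestion): drop the group from sysadmin only.
--    Local admins can still connect, but get only the rights that
--    their database users and roles grant them.
EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';

-- 4. Option B ("Deny Access" in Enterprise Manager): block the group
--    outright. A deny on a Windows group also applies to members
--    that have their own Windows login, so those users would then
--    need SQL Server authentication logins to connect.
-- EXEC sp_denylogin 'BUILTIN\Administrators';

-- 5. Re-audit: list every login that is sysadmin or explicitly denied.
SELECT name, isntgroup, sysadmin, denylogin, hasaccess
FROM   master.dbo.syslogins
WHERE  sysadmin = 1 OR denylogin = 1
ORDER  BY name;
```

Keep the original sysadmin session open until step 3 succeeds from a separate connection, so a mistake in step 2 can still be corrected.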


