Re: Can't remove SA account or delete xp_cmdshell ext stored proc?
From: Rob R. Ainscough (robains_at_pacbell.net)
Date: 08/23/05
- Next message: Scott Townsend: "Re: How do I protect a Table and only give Specific Windows Accounts Access to it?"
- Previous message: Dejan Sarka: "Re: Can't remove SA account or delete xp_cmdshell ext stored proc?"
- In reply to: Dejan Sarka: "Re: Can't remove SA account or delete xp_cmdshell ext stored proc?"
- Next in thread: Dejan Sarka: "Re: Can't remove SA account or delete xp_cmdshell ext stored proc?"
- Reply: Dejan Sarka: "Re: Can't remove SA account or delete xp_cmdshell ext stored proc?"
Date: Tue, 23 Aug 2005 08:01:45 -0700
Thank you for the information.
The book I was reading is Microsoft Press and the authors are Ed Robinson
and Michael James Bond.
I have the SA password complex so no worries there.
I guess I'll leave the xp_cmdshell alone as it seems to be more trouble than
it is worth to remove it.
Should I think about installing URLScan?
"Dejan Sarka" <dejan_please_reply_to_newsgroups.sarka@avtenta.si> wrote in
message news:%23BAAU89pFHA.3112@TK2MSFTNGP12.phx.gbl...
>> I'm trying to make my SQL Server a tad more secure, but I'm unable to
>> remove SA (I'm running Mixed mode) -- can the SA account only be removed
>> when using Windows Authentication? When I try to remove SA I get
>> "selected user cannot be dropped because the user owns objects". When I
>> try to delete xp_cmdshell I get the following error "You tried to delete
>> one or more system objects. They were not deleted."
>
> The sa login account cannot be deleted or renamed, nor can any permission
> be revoked from it.
>
>> I must admit, I'm a little confused, I'm trying to implement Microsoft's
>> security recommendations, but either the documentation is not
>> detailed/accurate or I'm missing something?
>
> I don't think MS ever mentioned dropping the sa account (as it can't be
> done). Here are recommendations from Operations Guide: "
> The sa account in a production environment should be given a complex
> password, made up of uppercase and lowercase letters, symbols, spaces, and
> numbers. The sa account should have a complex password, even if the SQL
> Server is running in only Windows Authentication Mode. A complex password
> protects SQL Server from someone easily getting administrative access to
> SQL Server. This also protects the server in the event that an
> administrator changes the security authentication mode to Mixed Mode.
> Do not use the sa login account in a production environment. Instead,
> place each DBA's network user account into a Windows group, create a
> single SQL Server login account for the group then add the login account
> to the sysadmin fixed server role. "
> (http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sqlops3.mspx).
>
> --
> Dejan Sarka, SQL Server MVP
> Associate Mentor
> www.SolidQualityLearning.com
>
>
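The Operations Guide recommendation quoted above, written out as T-SQL for SQL Server 2000. This is an added example, not part of the original messages or of Microsoft's guide; the group name CORP\SQLAdmins and the password value are placeholders.

```sql
-- Added example (SQL Server 2000 syntax). Run as a member of sysadmin.
-- CORP\SQLAdmins and the password string are placeholders, not values from the thread.

-- 1. Give sa a complex password, even when the server runs in Windows
--    Authentication Mode, so a later switch to Mixed Mode does not expose it.
--    Arguments: old password (NULL when a sysadmin resets it), new password, login.
EXEC sp_password NULL, N'<placeholder: long mixed-case passphrase with symbols>', N'sa';

-- 2. Administer through a Windows group instead of the sa login:
--    one login for the group, added to the sysadmin fixed server role.
EXEC sp_grantlogin N'CORP\SQLAdmins';
EXEC sp_addsrvrolemember N'CORP\SQLAdmins', N'sysadmin';

-- 3. Review who holds sysadmin. Anything other than sa, the DBA group and
--    expected service accounts deserves a closer look.
EXEC sp_helpsrvrolemember N'sysadmin';

-- 4. List SQL (non-Windows) logins that still have a blank password.
SELECT name
FROM master.dbo.syslogins
WHERE isntname = 0
  AND password IS NULL;

-- 5. xp_cmdshell stays in place, so check who has been granted EXECUTE on it.
--    An error stating that there are no matching rows to report means no
--    explicit grants exist and only sysadmin members can run it.
USE master;
EXEC sp_helprotect N'xp_cmdshell';
```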