Re: BUILTIN\Administrators

From: Tom Moreau (tom_at_dont.spam.me.cips.ca)
Date: 10/24/05

Next message: Ken Schaefer: "Re: sa loginname being hacked"

Previous message: fasttrack via SQLMonster.com: "sql server sp_addlogin from vb.net and security !!!!"
Next in thread: Anthony Thomas: "Re: BUILTIN\Administrators"
Reply: Anthony Thomas: "Re: BUILTIN\Administrators"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 23 Oct 2005 20:20:39 -0400

You can add "trusted" logins to the sysadmin role and then remove
BUILTIN\Administrators from the sysadmin role (as long as you're not using a
clustered instance). Only those people who should have access to the
sensitive DB should be in the sysadmin role. Anyone who is in the sysadmin
role has access to the entire SQL Server instance - including all DB's.

-- 
    Tom
----------------------------------------------------
Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
SQL Server MVP
Columnist, SQL Server Professional
Toronto, ON   Canada
www.pinpub.com
"Andy" <Andy@discussions.microsoft.com> wrote in message 
news:D366F47F-016C-408E-8D7B-D6C92DA613B7@microsoft.com...
> Is there any way to deny access to BUILTIN\Administrators on just one 
> database.
> Very highly confidential databse and want to deny the access to
> BUILTIN\Administrators.
>
> Thanks
> Andy

Next message: Ken Schaefer: "Re: sa loginname being hacked"

Previous message: fasttrack via SQLMonster.com: "sql server sp_addlogin from vb.net and security !!!!"
Next in thread: Anthony Thomas: "Re: BUILTIN\Administrators"
Reply: Anthony Thomas: "Re: BUILTIN\Administrators"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: BUILTINAdministrators
... EVEN ON A CLUSTERED INSTANCE. ... have to make sure the Cluster Service and SQL Server services accounts have ... > You can add "trusted" logins to the sysadmin role and then remove> BUILTIN\Administrators from the sysadmin role. ... Anyone who is in the sysadmin> role has access to the entire SQL Server instance - including all DB's. ...
(microsoft.public.sqlserver.security)
Re: Restricting Access priviledge on SQL2000
... You must have made the "Application-Administrators" members of the sysadmin role in SQL Server. ... Take them out of the sysadmin role, add them as users in the correct database, then make them members of the db_owner role in that database. ...
(microsoft.public.sqlserver.security)
Re: Getting the sa password with SQLDMO
... SQL Server stores passwords using a one-way hash so you can't read the ... conditional password change by attempting a connection using the expected sa ... password and, if it fails, connect using a different sysadmin role member ... member can change the sa password. ...
(microsoft.public.sqlserver.programming)
Re: Discrepancy in number of rows and size of database
... How do I make sure that I'm a member of the SysAdmin role? ... with this tool you can catch all commands SQL Server is receiving. ... >> I'm trying to help a customer extract some data out of their SQL Server ...
(microsoft.public.sqlserver.server)
Re: Other way of Changing Password if does not have Server Role
... A user can change his password without being a member of the sysadmin role. ... You just have to login as the user and then omit the 3rd parameter ... Dejan Sarka, SQL Server MVP ...
(microsoft.public.sqlserver.security)