Effect of removing LocalSystem from sysadmin role?
During SQL Server 2005 installation, three logins (in addition to the
service accounts) are added to the sysadmin role:
- local administrator group (BUILTIN\Administrators),
- Local System (NT AUTHORITY\SYSTEM), and
- sa (assuming mixed mode install).
A common hardening practice is to later remove the local administrator group
from the sysadmin role, thereby separating server administration from DBMS
administration. However, I don't recall ever seeing the recommendation to
also remove the LocalSystem account from the sysadmin role.
Has anyone seen recommendations to remove BOTH local administrators and
LocalSystem from the sysadmin role, and - if this were to be done - what are
the consequences?
Thanks in advance,
Drew
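
An added example, not part of the original post: a read-only T-SQL query that lists the current members of the sysadmin role and marks the three default logins named above, so membership can be reviewed before and after any change. Matching on well-known SIDs rather than login names is a choice made here so that a renamed sa or a localized Windows group name is still recognized.

```sql
-- Added example: audit membership of the sysadmin fixed server role.
-- Uses the catalog views available from SQL Server 2005 onward. Read-only.
SELECT
    m.name       AS login_name,
    m.type_desc  AS login_type,   -- SQL_LOGIN, WINDOWS_LOGIN or WINDOWS_GROUP
    m.is_disabled,
    CASE m.sid
        -- S-1-5-32-544, the local administrators group
        WHEN 0x01020000000000052000000020020000 THEN 'BUILTIN\Administrators'
        -- S-1-5-18, the LocalSystem account
        WHEN 0x010100000000000512000000         THEN 'NT AUTHORITY\SYSTEM'
        -- sa keeps SID 0x01 even if the login is renamed
        WHEN 0x01                               THEN 'sa'
        ELSE 'other (service account or added after install)'
    END          AS default_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;
```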