LocalSystem and the sysadmin role
- From: "DHamre" <dhamre@xxxxxxxxxxx>
- Date: Wed, 15 Nov 2006 08:50:52 -0600
During SQL Server 2005 installation, three logins (in addition to the
service accounts) are added by default to SQL Server's sysadmin role:
- local administrator group (BUILTIN\Administrators),
- Local System (NT AUTHORITY\SYSTEM), and
- sa (assuming mixed mode install).
A common hardening practice is to later remove the local administrator group
from the sysadmin role, thereby separating server administration from DBMS
administration. However, I don't recall ever seeing the recommendation to
also remove the LocalSystem account from the sysadmin role.
One possible reason for this omission -- many layered products (including
Microsoft's Volume Shadow Copy writer for SQL2005) run under LocalSystem and
need to retain the sysadmin role (KB 919023).
Has anyone seen recommendations to remove BOTH local administrators and
LocalSystem from the sysadmin role for hardening purposes, and - if this
were to be done - what are the consequences?
Thanks in advance (and apologies for re-posting a weekend message in hopes
of a response),
Drew
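
An added example, not part of the original post: a read-only T-SQL audit that lists current sysadmin members and labels the three default logins named above. It assumes SQL Server 2005 or later (the catalog views sys.server_principals and sys.server_role_members); the "origin" labels are this example's own wording.

```sql
-- Added example: audit membership of the sysadmin fixed server role.
-- Read-only; run as a login that can view server principals.
SELECT
    m.name        AS login_name,
    m.type_desc   AS login_type,      -- WINDOWS_GROUP, WINDOWS_LOGIN, SQL_LOGIN
    m.is_disabled AS is_disabled,
    CASE
        WHEN m.name = N'BUILTIN\Administrators' THEN 'default: local administrators group'
        WHEN m.name = N'NT AUTHORITY\SYSTEM'    THEN 'default: LocalSystem'
        WHEN m.sid  = 0x01                      THEN 'default: sa (matched by SID, survives rename)'
        ELSE 'service account or added later'
    END           AS origin
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY origin, m.name;

-- The hardening step the post describes (removing the local administrators
-- group from sysadmin). Left commented out: confirm that another sysadmin
-- login works before running it, or the instance can be left without an
-- administrator.
-- EXEC sp_dropsrvrolemember @loginame = N'BUILTIN\Administrators',
--                           @rolename = N'sysadmin';
```

Rows labelled "service account or added later" are the ones to reconcile against the accounts the SQL Server services actually run under.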