LocalAdmins, LocalSystem, and the sysadmin role



During SQL Server 2005 installation, several logins are added to the
sysadmin role including:
- local administrator group (BUILTIN\Administrators),
- Local System (NT AUTHORITY\SYSTEM), and
- sa.

A common hardening practice is to later remove the local administrator group
from the sysadmin role, thereby separating server administration from DBMS
administration. However, I don't recall ever seeing the recommendation to
also remove the LocalSystem account from the sysadmin role.

Has anyone seen recommendations to remove BOTH local administrators and
LocalSystem from the sysadmin role for hardening purposes, and - if this
were to be done - what are the consequences?

Thanks in advance (and apologies for re-posting in hopes of a response),
Drew
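An audit of the practice described in the post above, added here as an example and not part of the original message: this T-SQL lists the current sysadmin members using the SQL Server 2005 catalog views and drops BUILTIN\Administrators only if another enabled sysadmin login exists. The "other enabled login" guard is an assumption about the desired safeguard, and NT AUTHORITY\SYSTEM is reported but left untouched because the post leaves the consequences of removing it open.

```sql
-- Added example, not from the original post.
SET NOCOUNT ON;

-- 1. Report every member of the sysadmin fixed server role,
--    including NT AUTHORITY\SYSTEM and sa if present.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Count enabled sysadmin members other than the three logins
--    the post names as installation defaults.
DECLARE @others int;
SELECT @others = COUNT(*)
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND m.is_disabled = 0
  AND m.name NOT IN (N'BUILTIN\Administrators', N'NT AUTHORITY\SYSTEM', N'sa');

-- 3. Drop BUILTIN\Administrators from sysadmin only when a dedicated
--    DBA login remains, so the instance is not left without an administrator.
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin' AND m.name = N'BUILTIN\Administrators')
BEGIN
    IF @others > 0
        EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';
    ELSE
        RAISERROR('No other enabled sysadmin login found; BUILTIN\Administrators left in place.', 16, 1);
END
ELSE
    PRINT 'BUILTIN\Administrators is not a member of sysadmin.';
```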

