Monday, March 19, 2012

MSSQLSERVER service security

I have a Windows 2000 server on which I am running SQL Server 2000
SP3. Unfortunately, this particular Windows server has far too many
accounts in the Local Administrators group. Recently we had an
incident in which a production SQL Server was stopped and restarted
unexpectedly. I suspect it was a person who did this since the service
was started back up within a minute or so of being shutdown, and the
SQL Server Agent was not restarted. No one has fessed up yet, and I
don't expect anyone to do so.
Securing the server is a long-term solution, but I need to do
something in the short term to prevent this from happening again. The
only thing I can think to do is to further limit who can stop and
start the SQL Server Service. Is there a way to specify who can and
cannot stop/start the SQL Server service, excluding even members of
the Local Administrators group?
P.S. Auditing has been ruled out as an option.
Thanks,
Aaron

Hi,
OS users who fall under the local admin group can stop and start any services.
The best solution is to remove the users from the local admin groups of the
SQL Server machine.
Thanks
Hari
MCDBA
"Vols Fan" <volsfan1998@.hotmail.com> wrote in message
news:2489efb1.0407191441.7c492135@.posting.google.com...
> I have a Windows 2000 server on which I am running SQL Server 2000
> SP3. Unfortunately, this particular Windows server has far too many
> accounts in the Local Administrators group. Recently we had an
> incident in which a production SQL Server was stopped and restarted
> unexpectedly. I suspect it was a person who did this since the service
> was started back up within a minute or so of being shutdown, and the
> SQL Server Agent was not restarted. No one has fessed up yet, and I
> don't expect anyone to do so.
> Securing the server is a long-term solution, but I need to do
> something in the short term to prevent this from happening again. The
> only thing I can think to do is to further limit who can stop and
> start the SQL Server Service. Is there a way to specify who can and
> cannot stop/start the SQL Server service, excluding even members of
> the Local Administrators group?
> P.S. Auditing has been ruled out as an option.
> Thanks,
> Aaron

I am aware of this, but as I said, until we can further secure this
server, I need a short term solution.
"Hari Prasad" <hari_prasad_k@.hotmail.com> wrote in message news:<e5EEzXhbEHA.3480@.TK2MSFTNGP11.phx.gbl>...
> Hi,
> OS Users who fall under local admin group can stop and start any services.
> The best solution is to remove the
> users from Local admin groups of sql server machine.
> --
> Thanks
> Hari
> MCDBA
> "Vols Fan" <volsfan1998@.hotmail.com> wrote in message
> news:2489efb1.0407191441.7c492135@.posting.google.com...
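
The recommendation in the thread above, trimming the Local Administrators group, starts with knowing who is in it. The following is an added example, not part of the original posts: it parses the output of `net localgroup Administrators` and lists members that are not on an approved list. The sample output, the account names and the approved list are all constructed for illustration.

```python
# Added example: review Local Administrators membership against an approved list.
# SAMPLE_OUTPUT and APPROVED are constructed; every account name is hypothetical.

SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\sqlsvc
CORP\\jdoe
CORP\\tempdev
The command completed successfully.
"""

# Approved members, stored lower-case for case-insensitive comparison.
APPROVED = {"administrator", "corp\\domain admins", "corp\\sqlsvc"}


def parse_members(output):
    """Return the member names listed by `net localgroup <group>`."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            # The member list starts after the dashed separator line.
            in_list = line.startswith("-----")
            continue
        if not line or line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def unapproved(members, approved):
    """Members not on the approved list (Windows account names are case-insensitive)."""
    return [m for m in members if m.lower() not in approved]


def removal_commands(members, group="Administrators"):
    """Commands for an operator to review and run by hand; nothing is executed here."""
    return ['net localgroup %s "%s" /delete' % (group, m) for m in members]


if __name__ == "__main__":
    extra = unapproved(parse_members(SAMPLE_OUTPUT), APPROVED)
    for cmd in removal_commands(extra):
        print(cmd)
```

On a real server, capture the command's output to a file and pass its contents to `parse_members` in place of the constructed sample.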
