  1. #1
    Join Date
    Apr 2004
    Posts
    7

    Unanswered: SQL server security problem or what

    Hi,

    I don't know if I'm missing something, but it seems that everyone who connects to my database is able to do what they want, even if they don't have logins and users created. Any idea?

    I'm using SQL Server 2005 SP1 on Windows 2003. The logins are done with Windows accounts. I

    Thanks

  2. #2
    Join Date
    May 2004
    Location
    Seattle
    Posts
    1,313
    Are these people administrators on the box that SQL Server is installed on?

  3. #3
    Join Date
    Apr 2004
    Posts
    7
    No, they are not. Is it because I'm using Microsoft SQL Server Management Studio? The way I do my test is that I created a new Windows account, logged in to Management Studio and deleted a table, deleted a database. This user doesn't exist in the SQL database at all and I'm able to do everything I want. This is not good security.

    I hope I'm missing something
    Last edited by dbernier2201; 12-13-06 at 16:16.

  4. #4
    Join Date
    Mar 2005
    Location
    Netherlands
    Posts
    280
    Are the users on your domain automatically put into a Windows or domain security group which has access to your SQL Server? Are there Windows security groups administered in your SQL Server?

    And of course, to be sure: have you checked you're not accidentally logging in with your own account? Check the Management Studio registration properties or open a query window and type
    Code:
    SELECT SUSER_SNAME()
    and execute the query.

    Lex

  5. #5
    Join Date
    Apr 2004
    Posts
    7

    Thanks for the hint. I tried with an account that was Domain Admin. I didn't know that connecting to SQL Server with a Domain Admin account gives you all the rights. I tried with a regular user and they can't access my DB. So for this, it is fine, but if one of the other Domain Admins in the office wants to screw up the database, he can. It's scary even if I don't think others will try it.

    Thanks again

  6. #6
    Join Date
    Mar 2005
    Location
    Netherlands
    Posts
    280
    Although they have pretty blue eyes we don't leave it to chance that the domain admins or local admins (intentionally or unintentionally) mess up our servers. So we remove the login "BUILTIN\Administrators".

    Before you do this, just make sure you've still got access to SQL Server after you do this. Of course you never log in with "sa" (and have the password safely stored for future reference), so add your own account to the logins and give it the sysadmin server role.
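
Added example, not part of the original posts: T-SQL for the identity check from post #4 and the lockout-safe removal of "BUILTIN\Administrators" from post #6, using only catalog views and procedures that exist in SQL Server 2005. `CONTOSO\dba_account` is a placeholder for your own Windows account.

```sql
-- Added example. [CONTOSO\dba_account] is a placeholder login name.

-- 1. Which account is this session, and does it hold sysadmin?
--    A Windows user admitted through a group login shows up here under
--    their own name even though no individual login exists for them.
SELECT SUSER_SNAME()                AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Every principal in the sysadmin role, Windows groups included.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 3. Who inherits access through the local Administrators group.
EXEC master.dbo.xp_logininfo N'BUILTIN\Administrators', 'members';

-- 4. Give your own account an explicit login and sysadmin FIRST.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\dba_account')
    CREATE LOGIN [CONTOSO\dba_account] FROM WINDOWS;
EXEC sp_addsrvrolemember N'CONTOSO\dba_account', N'sysadmin';

-- 5. Drop the group login only if the explicit sysadmin membership
--    from step 4 is really in place; otherwise do nothing.
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r
                ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS m
                ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin'
             AND m.name = N'CONTOSO\dba_account')
   AND EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
ELSE
    PRINT 'Skipped: explicit sysadmin login missing or group login already removed.';
```

Run step 1 again from a fresh connection as the placeholder account before closing the session that performed the drop.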
