Results 1 to 4 of 4
  1. #1
    Join Date
    Jun 2006
    Location
    DC
    Posts
    123

    Unanswered: Securing DTS Packages from

    Morning Guys,
    I'm trying to figure out a way of securing a DTS package and understanding how it works more and more.
    I have system administrators that have accesss to sql server.
    As dbas here we work with dts packages. We would like our packages secured from the system administrators that want to poke around with our work.
    how would we lock our objects down without messing them up from executing.
    The packages have been created under the servername\Administrator.
    servername\Administrator is the owner of the package.
    What would be the best way to start to understand all this.

    1). Using an owner password a user password
    2). Denying access to the sp_add_dtspackage & sp_get_dtspackages...
    3). When generating a DTS RUN util to make a job using the dts package
    usually the password is embedded in the string even after encrypting the pacakage in clear text....
    any suggestions to lead me in the right direction......
    jonathan




    If you have an owner password with no user password, you cannot execute the package without the owner password. Click OK to continue saving.

  2. #2
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,800
    Provided Answers: 11
    If it has not already been done, create a DBA group in Active Directory. Add all your DBAs to it. Remove the BUILTIN\Administrators group from the sysadmin server role. I would guess that the data is somewhat sensitive, if the code around it is sensitive, so you may as well secure both at once. ;-)

  3. #3
    Join Date
    Jun 2006
    Location
    DC
    Posts
    123
    Yes there was a domain admin group for the dbas created here....
    domain\sql_admin_ug

    If the jobs were created under the administrator will they have an issue running if removing BUILTIN\Administrators?

    If removed can a system administrator add that group back to the sql server?

  4. #4
    Join Date
    Dec 2002
    Posts
    1,245
    Quote Originally Posted by MCrowley
    If it has not already been done, create a DBA group in Active Directory. Add all your DBAs to it. Remove the BUILTIN\Administrators group from the sysadmin server role.
    If you are using a cluster, be sure to add the Cluster administrator service account and create him with sysadmin privileges. BEFORE you remove BUILTIN\Administrators.

    Also, if you are using FT Indexing, be sure you add [NT AUTHORITY\System] account (with sysadmin privileges). If you forget, your FT catalogs won't get incrementally updated or rebuilt.

    If you forget to add the Cluster admin service account, you WILL lose the database (you can get it back, but it's very nerve wracking and not recommended).

    Please don't ask how I know...

    Regards,

    hmscott
    Have you hugged your backup today?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •