SQL Server - Adding new level of security above 'sa' user.

Asked By lcsila
25-Jan-10 10:54 AM
Hi all,

Our client has asked us a good question:

We need to add security to our SQL Server management tools on our client's
servers. All of them share the same password for the user 'sa'. Also, all the
applications in production use 'sa' in their connection strings. The password
of the 'sa' user is almost public (everybody knows it).

The client asked us for a way to use a new level of security for our management
tools so nobody can log on to the SQL Server and back up any data... WITHOUT
changing the SA password.

We also can't use OS user security, because the servers must have public
access. We are looking for some sort of application that works between the OS and
the SQL Server management tools.

Does that kind of application/software exist? Does anyone have any idea of what
we can do?

Thanks in advance,

Regards,
  Uri Dimant replied to lcsila
26-Jan-10 04:12 AM
lcsila
You can disable sa login, however your applications will not work then....
SA has high permission (sysadmin) and you cannot create something above:-)
  Erland Sommarskog replied to lcsila
26-Jan-10 11:12 PM
lcsila (u57759@uwe) writes:

I am afraid that I do not understand the last paragraph. Why would you
have to change the SA password just in order to take a backup?

In any case, in your current situation, you have zero security. If everyone
knows the SA password, everyone can do anything.

I would suggest that you make it a high priority to change this. That is,
stop using sa in connection strings, review which permissions you
actually need, etc.


--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Links for SQL Server Books Online:
SQL 2008: http://msdn.microsoft.com/en-us/sqlserver/cc514207.aspx
SQL 2005: http://msdn.microsoft.com/en-us/sqlserver/bb895970.aspx
SQL 2000: http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
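
The recommendation above (stop using sa in connection strings and grant only the permissions actually needed), sketched in T-SQL as an added example that is not part of any poster's reply. The database `AppDb`, login `app_orders`, role `app_rw` and the password placeholders are hypothetical; adjust the granted permissions to what the application really uses.

```sql
-- Added example; AppDb, app_orders and app_rw are hypothetical names.

-- 1. List every member of sysadmin. Each of these can do anything sa can,
--    including restoring its own rights, so this list should be short.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
GO

-- 2. Create a dedicated login for one application, with password policy on.
CREATE LOGIN app_orders
    WITH PASSWORD = N'<replace-with-generated-secret>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = AppDb;
GO

-- 3. Map it into the application database with data access only.
USE AppDb;
GO
CREATE USER app_orders FOR LOGIN app_orders;
CREATE ROLE app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO app_rw;
EXEC sp_addrolemember N'app_rw', N'app_orders';

-- 4. Make the backup restriction explicit, so a later role change
--    (for example db_backupoperator) does not silently grant it.
DENY BACKUP DATABASE TO app_orders;
DENY BACKUP LOG TO app_orders;
GO

-- 5. Check the effective permission as the application user.
EXECUTE AS USER = N'app_orders';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'BACKUP DATABASE') AS can_backup;
REVERT;
GO

-- 6. Only after every connection string uses its own login:
--    rotate the shared sa password and disable the login.
USE master;
GO
ALTER LOGIN sa WITH PASSWORD = N'<replace-with-new-secret>';
ALTER LOGIN sa DISABLE;
```

Step 6 breaks any application still connecting as sa, so run step 1 again afterwards and confirm that no shared or application login remains in sysadmin.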
  wpher56 replied to lcsila
28-Jan-10 08:09 AM
You may create another account with sysadmin rights, and then use this
account to "downgrade" sa to something lower.
I do not know whether downgrading sa has an impact on SQL Server or not, but
I do not see why this would not work.

pher
  Sylvain Lafontaine replied to wpher56
30-Jan-10 12:43 AM
Won't work.  While you can 'remove' permission from the sa account, anyone
with that sa account can add them back at will.

--
Sylvain Lafontaine, ing.
MVP - Windows Live Platform
Blog/web site: http://coding-paparazzi.sylvainlafontaine.com
Independent consultant and remote programming for Access and SQL-Server
(French)
  wpher56 replied to Sylvain Lafontaine
03-Feb-10 09:04 AM
Oooops, you are right! My apologies.
Then... I fear there is no solution without changing the sa password.

Pierrot