Remove BUILTIN\Administrators from SQL 2005

We have a server shared by two project teams. To tight the security, I want to remove BUILTIN\Administrators off the public and sysadmin server roles. My question: any thing I should pay special attention ? I use LocalSystem to start all SQL Service. I know this is not a very good pratice yet I have no choice as our company network is a mixed of windows and novell, we do not have AD.

Make sure that you have a sysadmin left after removing builtin\administrators. I have seen sql servers in integrated mode where someone removed builtin\administrators and then nobody could administer the server.

Local System is very powerful. Any code executed by SQL Server can change anything on the windows box so if you are running untrusted code inside SQL Server you need to be aware of that fact and the potential threat it represents.

to remove builtin\administraotrs

exec sp_dropsrvrolemember [BUILTIN\Administrators] , sysadmin

go

drop login [BUILTIN\Administrators]

go

hth,

-Steven Gott

S/DET

SQL Server

|||

Hi,

What about NT AUTHORITY\System account?

Is it needed?

Regards,

Jeremy

|||

Some management tools may be using it (for example MOM).

-Raul Garcia

SDE/T

SQL Server Engine

Remove BUILTIN\Administrators from SQL 2005

We have a server shared by two project teams. To tight the security, I want to remove BUILTIN\Administrators off the public and sysadmin server roles. My question: any thing I should pay special attention ? I use LocalSystem to start all SQL Service. I know this is not a very good pratice yet I have no choice as our company network is a mixed of windows and novell, we do not have AD.

Make sure that you have a sysadmin left after removing builtin\administrators. I have seen sql servers in integrated mode where someone removed builtin\administrators and then nobody could administer the server.

Local System is very powerful. Any code executed by SQL Server can change anything on the windows box so if you are running untrusted code inside SQL Server you need to be aware of that fact and the potential threat it represents.

to remove builtin\administraotrs

exec sp_dropsrvrolemember [BUILTIN\Administrators] , sysadmin

go

drop login [BUILTIN\Administrators]

go

hth,

-Steven Gott

S/DET

SQL Server

|||

Hi,

What about NT AUTHORITY\System account?

Is it needed?

Regards,

Jeremy

|||

Some management tools may be using it (for example MOM).

-Raul Garcia

SDE/T

SQL Server Engine

Remote non-administrator monitoring of sql stats

How can I get my sql dba's to access sql counters in performance monitor
without making them computer administrators? Q158438 has aided them in
busting them into all the standard counters, but still, only my computer
administrator account seems to be able to find the sql counters?hmm... didn't know about that KB. Interesting...
In the past I've told DBA's they can look at SQL specific counters by
reading master..sysperfinfo directly. That's where PerfMon grabs all it's
SQL data from...
you could always query the table directly...
--
Brian Moran
Principal Mentor
Solid Quality Learning
SQL Server MVP
http://www.solidqualitylearning.com
"Robert Hindla" <rhindla@.panix.com> wrote in message
news:BB31AFED.5B2B%rhindla@.panix.com...
> How can I get my sql dba's to access sql counters in performance monitor
> without making them computer administrators? Q158438 has aided them in
> busting them into all the standard counters, but still, only my computer
> administrator account seems to be able to find the sql counters?
>