How to protect SQL database from domain administrators?

I have a database that I want to keep in the main domain, but I do not want to allow domain administrators to write to it. Read access is not a concern. To do this, it looks like I would have to ensure that in some accounts with write permissions only SQL logic was used (since the admin domain could reset the password of any other domain account). I understand that this has other security implications. Another problem is the scenario when the administrator on the Windows server accepts the database file and attaches it to another instance and modifies the contents of the database, and then replaces the mdf on the source server. I first wonder if this is possible, or should it be connected again via SQL Server?

Because the server is still in the domain, domain administrators will obviously be administrators on the server. Are there other ways for them to access a record in the database that I should worry about (e.g. deleting the main mdf database)?

+4
1 answer

. .... , ? , : . , sysadmin. . Windows ( sa), sql. . ...

sql- . SSMS, Security | Logins . "BUILTIN\Administrators". , . " ". sysadmin, "sysadmin" sql-. , . ( ) sysadmin, sysadmin. SQL (2000 , , 2005) BUILTIN\Administrators sysadmin. MS , . (.. YourDomain\JSmith), sysadmin. , sysadmin: SELECT * FROM sys.syslogins WHERE sysadmin = 1

, sql-. Sysadmin (db_owner), ( ). SSMS YourDbName | Security | Users . , "". "" . "" , . , , . , BUILTIN\Administrators sql sysadmin, dbo. . - CREATE USER [DomainAdminUser] FOR LOGIN [BUILTIN\Administrators] . , ? db db db_datareader: EXEC sp_addrolemember N'db_datawriter', 'DomainAdminUser'. , .

- , , , SQL Server, sysadmin, db, SQL Server. , , . , / SQL Server NT mdf/ldf , . , -, , . , , . ?

, / SQL Server . , . .

( )

+4
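An added example, not part of the original answer: a T-SQL audit of who holds sysadmin on the instance and who can write in the current database, using the catalog views rather than the `sys.syslogins` compatibility view queried in the answer. It assumes it is run by a login that can view server and database metadata, in the context of the database being protected.

```sql
-- Added example; run inside the database you want to protect.

-- 1. Server level: every member of the sysadmin role.
--    A WINDOWS_GROUP row such as BUILTIN\Administrators means anyone in
--    that Windows group (including domain admins) is sysadmin.
SELECT  p.name       AS login_name,
        p.type_desc  AS login_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
        p.is_disabled
FROM    sys.server_role_members AS m
JOIN    sys.server_principals   AS r ON r.principal_id = m.role_principal_id
JOIN    sys.server_principals   AS p ON p.principal_id = m.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;

-- 2. Database level: members of fixed roles that permit writes.
SELECT  r.name             AS role_name,
        u.name             AS user_name,
        u.type_desc        AS user_type,
        SUSER_SNAME(u.sid) AS mapped_login   -- NULL if no matching login
FROM    sys.database_role_members AS m
JOIN    sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN    sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE   r.name IN (N'db_owner', N'db_datawriter', N'db_ddladmin')
ORDER BY r.name, u.name;

-- 3. Explicit write permissions granted outside role membership.
SELECT  pr.name            AS grantee,
        pe.permission_name,
        pe.state_desc,     -- GRANT or GRANT_WITH_GRANT_OPTION
        pe.class_desc,     -- DATABASE, SCHEMA, OBJECT_OR_COLUMN, ...
        CASE pe.class
            WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)
        END                AS securable
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.permission_name IN (N'INSERT', N'UPDATE', N'DELETE', N'ALTER', N'CONTROL')
  AND   pe.state IN ('G', 'W')
ORDER BY pr.name, pe.permission_name;
```

Any Windows login or group returned by the first query bypasses the results of the other two, because sysadmin members are not subject to database-level permission checks.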

Source: https://habr.com/ru/post/1533368/

