Wednesday, March 28, 2012

Latest version of Microsoft MBSA 1.1.1 says:

The latest MBSA (1.1.1) says
"Issue
Local Windows administrators should not also be SQL
database administrators. These roles are very different
and are typically performed by different people.
Solution
Remove BUILTIN\Administrators from the sysadmin role."
This makes sense for a server. Does it make sense on a
client machine?
I am thinking this is necessary for the server that may be
shared in some way; however, if I am using a setup that has
DISABLENETWORKPROTOCOLS=1 (no access except from the local
host itself), I would think this does not apply.
Does anyone know for sure?
GiacomoGiacomo wrote:
> The latest MBSA (1.1.1) says
> "Issue
> Local Windows administrators should not also be SQL
> database administrators. These roles are very different
> and are typically performed by different people.
> Solution
> Remove BUILTIN\Administrators from the sysadmin role."
> This makes sense for a server. Does it make sense on a
> client machine?
> I am thinking this is necessary for the server that may be
> shared in some way; however, if I am using a setup that has
> DISABLENETWORKPROTOCOLS=1 (no access except from the local
> host itself), I would think this does not apply.
> Does anyone know for sure?
There is not much "for sure" in security issues, just which side of a
compromise makes the most sense for you.
For me, one of the most compelling reasons to do this on a local workstation
copy of SQL is that only my SQL developers have this, and both I and they
would want to mimic the conditions the live system they are developing for
runs under as much as possible.
We've had issues in the past where a, pardon me, less diligent developer who
has had admin rights to everything on their dev machine didn't bother coding
to take security into account so their code wouldn't run on a live system
without a lot of re-working.
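The change MBSA is asking for, as an added T-SQL example that is not part of either post above. It assumes SQL Server 2000 or later, that you run it as an existing sysadmin member, and that `DOMAIN\dev1` is a placeholder for the Windows login you actually use; the guard exists because dropping BUILTIN\Administrators while it is the only sysadmin member locks everyone out of the instance.

```sql
-- Added example (not from the original thread). Run as a current sysadmin member.
-- Assumption: DOMAIN\dev1 is a hypothetical Windows login; substitute your own.

-- 1. Capture the current sysadmin membership. sp_helpsrvrolemember exists on
--    SQL Server 2000 and later and returns ServerRole, MemberName, MemberSID.
CREATE TABLE #sysadmins (
    ServerRole sysname,
    MemberName sysname,
    MemberSID  varbinary(85)
);
INSERT INTO #sysadmins
EXEC sp_helpsrvrolemember 'sysadmin';

-- 2. Give the developer an explicit login and sysadmin membership first, so the
--    instance still has a named administrator once the built-in group is gone.
IF NOT EXISTS (SELECT 1 FROM #sysadmins WHERE MemberName = 'DOMAIN\dev1')
BEGIN
    EXEC sp_grantlogin 'DOMAIN\dev1';                     -- Windows-authenticated login
    EXEC sp_addsrvrolemember 'DOMAIN\dev1', 'sysadmin';   -- explicit, auditable grant
    INSERT INTO #sysadmins (ServerRole, MemberName) VALUES ('sysadmin', 'DOMAIN\dev1');
END;

-- 3. Lock-out guard: only drop BUILTIN\Administrators when some other member remains.
IF NOT EXISTS (SELECT 1 FROM #sysadmins WHERE MemberName <> 'BUILTIN\Administrators')
BEGIN
    RAISERROR('BUILTIN\Administrators is the only sysadmin member; add another before removing it.', 16, 1);
END
ELSE IF EXISTS (SELECT 1 FROM #sysadmins WHERE MemberName = 'BUILTIN\Administrators')
BEGIN
    EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';
END;

-- 4. Verify: the MBSA finding is cleared when BUILTIN\Administrators no longer appears.
EXEC sp_helpsrvrolemember 'sysadmin';

DROP TABLE #sysadmins;
```

Two things to keep in mind after running this. Local Windows administrators can still regain sysadmin by restarting the instance in single-user mode (the `-m` startup option), so on a developer workstation where the user is a local admin the change raises the bar for accidental use of elevated rights rather than preventing a determined one. And `DISABLENETWORKPROTOCOLS=1` limits who can reach the instance, not what a connected login may do; the two settings address different risks, which is why MBSA reports the role membership regardless of the protocol configuration.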
