BUILTIN\Administrators group from the sysadmin role even
on a client-only installation.
Many non-administrator users are often members of the
BUILTIN\Administrators group on their own machines whether
they should be or not. These users would have the
ability to drop databases, truncate tables, etc., etc.
It may not be the most likely scenario, but stranger
things have happened...
Tim
>--Original Message--
>The latest MBSA (1.1.1) says
>"Issue
>Local Windows administrators should not also be SQL
>database administrators. These roles are very different
>and are typically performed by different people.
>Solution
>Remove BUILTIN\Administrators from the sysadmin role."
>This makes sense for a server. Does it make sense on a
>client machine?
>I am thinking this is necessary for the server that may be
>shared in some way; however, if I am using a setup that has
>DISABLENETWORKPROTOCOLS=1 (no access except from the local
>host itself), I would think this does not apply.
>Does anyone know for sure?
>Giacomo
Make sure, however, that the SQL Server Agent service still has sysadmin
login rights for its service account, and if you use full-text make sure
[nt authority\system] has sysadmin rights....
Richard Waymire, MCSE, MCDBA
This posting is provided "AS IS" with no warranties, and confers no rights.
"Tim Richardson" <anonymous@.discussions.microsoft.com> wrote in message
news:023601c3d948$60021dd0$a401280a@.phx.gbl...
> I would think that you would still want to remove the
> BUILTIN\Administrators group from the sysadmin role even
> on a client-only installation.
> Many non-administrator users are often members of the
> BUILTIN\Administrators group on their own machines whether
> they should be or not. These users would have the
> ability to drop databases, truncate tables, etc., etc.
> It may not be the most likely scenario, but stranger
> things have happened...
> Tim
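The order of operations the replies above describe, as an added T-SQL example that is not part of the original thread: give the service accounts their own sysadmin membership first, verify it, and only then remove the group. The account name DOMAIN\sqlagent_svc is a placeholder, and the script assumes the SQL Server 2000-era system procedures and the master.dbo.syslogins view.

```sql
-- Added example, not from the thread. @agent is a placeholder:
-- set it to the account the SQL Server Agent service actually runs as.
DECLARE @agent sysname, @system sysname, @group sysname
SET @agent  = N'DOMAIN\sqlagent_svc'     -- hypothetical account name
SET @system = N'NT AUTHORITY\SYSTEM'     -- needed when full-text search is used
SET @group  = N'BUILTIN\Administrators'

-- 1. Record who holds sysadmin before changing anything.
SELECT loginname, isntgroup FROM master.dbo.syslogins WHERE sysadmin = 1

-- 2. Give each service account its own login and sysadmin membership, so it
--    no longer depends on being in the local Administrators group.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE loginname = @agent)
    EXEC sp_grantlogin @agent
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = @agent AND sysadmin = 1)
    EXEC sp_addsrvrolemember @agent, 'sysadmin'

IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE loginname = @system)
    EXEC sp_grantlogin @system
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = @system AND sysadmin = 1)
    EXEC sp_addsrvrolemember @system, 'sysadmin'

-- 3. Stop here unless both accounts now hold sysadmin directly.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = @agent AND sysadmin = 1)
   OR NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
                  WHERE loginname = @system AND sysadmin = 1)
BEGIN
    RAISERROR('Service accounts lack sysadmin; BUILTIN\Administrators left unchanged.', 16, 1)
    RETURN
END

-- 4. Remove the group from the sysadmin role (its login is left in place).
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE loginname = @group AND sysadmin = 1)
    EXEC sp_dropsrvrolemember @group, 'sysadmin'

-- 5. Confirm the result: the group should no longer be listed.
SELECT loginname, isntgroup FROM master.dbo.syslogins WHERE sysadmin = 1
```

Run it as a login that holds sysadmin through something other than BUILTIN\Administrators (sa or a named administrator login), otherwise step 4 removes your own access. Step 4 leaves the group's login in place, so local administrators can still connect but without sysadmin rights.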