PDA

Click to See Complete Forum and Search --> : Windows 2000 Permissions

John Shurer
06-21-2002, 10:27 AM
My SQLAdmins are asking for the following:

1) Administrator access to the local box on running SQL
2) The ability to access the SQLData directory directly through drive mappings

We are attempting to create as secure an environment as possible and keep everything locked down. In my opinion, they do not need these type of accesses. They do have sa priviliges to the SQL server but I see no reason to give them Windows 2000 administrator priviliges. Also, to further the security on the servers (they are publicly accessible), we are trying to eliminate all shares including admin shares. Seems to me they should be able to accomplish everything using the SQL tools. Am I off base on this?
flip
06-21-2002, 10:59 AM
As far as I'm concerned, you're absolutely right. SQL Admins should be able to do their job just fine with a SQL Enterprise Manager on their local workstation and a user account added to the sysadmin role in SQL. Works fine in all companies I've seen so far, which don't even allow dbadmins to logon locally to the servers.

There's one exception. They need an administrative account if you want them to perform local installations themselves(SP's, patches). As this only occurs sporadicly, there's no need to give them administrative rights all the time. When they want to install something, put their NT account in the local admininstrators group, or enable a local administrative account which you created for this purpose but normally leave disabled.

In large environments, no one has access to the production environment except for server operators. They perform installations according to installation procedures that product specialists -like DB admins- set up and verify in a test environment.

HTH,
Flip



------------
John Shurer at 6/21/2002 11:27:59 AM


My SQLAdmins are asking for the following:

1) Administrator access to the local box on running SQL
2) The ability to access the SQLData directory directly through drive mappings

We are attempting to create as secure an environment as possible and keep everything locked down. In my opinion, they do not need these type of accesses. They do have sa priviliges to the SQL server but I see no reason to give them Windows 2000 administrator priviliges. Also, to further the security on the servers (they are publicly accessible), we are trying to eliminate all shares including admin shares. Seems to me they should be able to accomplish everything using the SQL tools. Am I off base on this?