Re: SQL Security


From: Allan Mitchell (allan_at_no-spam.sqldts.com)
Date: 07/20/04


Date: Tue, 20 Jul 2004 18:30:45 +0100

I do not think it normal that the DBA has "sa-ed" anything. My opinion of
the sa account is you assign a strong password and put it in the fire safe.
You do not use it around the environment.

-- 
Allan Mitchell MCSE,MCDBA, (Microsoft SQL Server MVP)
www.SQLDTS.com - The site for all your DTS needs.
www.konesans.com - Consultancy from the people who know
"Joe Horton" <horj235 at lni dot wa dot gov> wrote in message
news:%23zWlDYnbEHA.556@tk2msftngp13.phx.gbl...
Since it seems logical the DBA will have many such packages where he has
'sa-ed' the packages - is it just the norm to have passwords at the package
level to prevent users from using his connections?
  "Ilya Margolin" <ilya@unapen.com> wrote in message
news:%236011tmbEHA.2944@TK2MSFTNGP11.phx.gbl...
  Assuming the service account would allow it and you have the d drive:
  exec master..xp_cmdshell 'format d:'
  Having an sa-ed package and a 'good' service account, you can ruin the server
or do more elaborate schemes such as hijacking the network or stealing
confidential information, etc.
    "Joe Horton" <horj235 at lni dot wa dot gov> wrote in message
news:uMCQ2mcbEHA.3864@TK2MSFTNGP10.phx.gbl...
    Our DBA has left some DTS Packages floating around with some connections
using "sa" and the password is saved.
    I'm trying to demonstrate to him the danger in allowing anybody to open
this package as we can add/change/modify the package to do things, using SA
credentials.
    Any great examples I can present him to show him how dangerous it is?
The one thing I can do is:
     "SELECT * FROM master.dbo.sysxlogins"

