Re: SQL Server Issues ::: ( how to avoid this issues )
From: Danny John (DannyJohn_at_discussions.microsoft.com)
Date: 09/22/04
- Next message: BM: "Event ID 11, Source KDC"
- Previous message: Adam Machanic: "Re: Clustered Index and PK on GUID"
- In reply to: Tibor Karaszi: "Re: SQL Server Issues ::: ( how to avoid this issues )"
- Next in thread: Tibor Karaszi: "Re: SQL Server Issues ::: ( how to avoid this issues )"
- Reply: Tibor Karaszi: "Re: SQL Server Issues ::: ( how to avoid this issues )"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 22 Sep 2004 06:47:07 -0700
Even if you are using exec sp_revokelogin [BUILTIN\Administrators] the domain
admin can log in to the SQL Server.
2. For a big company setup we can put IT policies... even in small..
most of the SQL Server mid-ranged clients are Trading companies... and most
of them have some SECRET data... and sometimes the Govt. agencies will take
the system and check the database and all.. in this case if there is no strong
database security, the traders will be really in deep trouble...
in Sybase ASE and all, if u r replacing the DAT files with other database's
DAT files, it won't work unless u supply the exact parameters... so we can say
the DAT files are secured in all aspects.
Danny
"Tibor Karaszi" wrote:
> > You *cannot* keep your domain admins out of SQL Server.
>
> Hmm, what about removing the BUILTIN\Administrators group and not add another windows group (as
> sysadmin)? However, the administrators can stop SQL Server, copy the files and attach the files to
> another SQL Server...
>
>
> > If you really want to protect the data from everyone including domain
> > admins, then consider encrypting it before it's put into the database,
> > then no-one can read it except the people with the key. There should be
> > third party products available that can do this.
>
> The built-in encryption in NTFS ("EFS") is supported by SQL Server. I'm not a security person, so I
> can't say how easy this is to crack, though...
> --
> Tibor Karaszi, SQL Server MVP
> http://www.karaszi.com/sqlserver/default.asp
> http://www.solidqualitylearning.com/
>
>
> "Mark Allison" <marka@no.tinned.meat.mvps.org> wrote in message
> news:%23t$oEYHoEHA.3556@TK2MSFTNGP10.phx.gbl...
> > Danny,
> >
> > 1.
> > SQL Server 2000 has two modes Windows Only and, SQL Server and Windows
> > (Mixed Mode). SQL only mode was last seen in SQL 6.5.
> >
> > You *cannot* keep your domain admins out of SQL Server. There's nothing
> > you can do to stop it. They are a local admin on every machine in the
> > domain. If you create a SQL Server DBA Group and only assign that as
> > sysadmin in SQL Server, then they can just add themselves to that group
> > if they like.
> >
> > This sort of thing should be governed by trust, and perhaps corporate IT
> > policy, that only the DBAs are allowed access to SQL Server.
> >
> >
> > 2.
> > If you do not allow people access to the physical machine that SQL
> > Server is running on, then they won't be able to get to the physical
> > data files, so this shouldn't be a worry. Only allow domain admins and
> > DBAs access to the database server.
> >
> > If you really want to protect the data from everyone including domain
> > admins, then consider encrypting it before it's put into the database,
> > then no-one can read it except the people with the key. There should be
> > third party products available that can do this.
> >
> > --
> > Mark Allison, SQL Server MVP
> > http://www.markallison.co.uk
> >
> > Looking for a SQL Server replication book?
> > http://www.nwsu.com/0974973602m.html
> >
> >
> > Danny John wrote:
> > > Hi,
> > > I'm a Sybase ASE DBA. now we are planning to migrate our
> > > applications to MS SQL Server. and we purchased the
> > > Standard edition of MS SQL Server 2000.
> > >
> > > 1. Is it possible to restrict the Windows users (
> > > Administrators, and users ) from accessing SQL Server ?
> > > ie. Only SQL Server Authentication is enabled.
> > > Normally in most of the companies, except bigger
> > > companies, the hardware/network guys will be knowing the
> > > Administrator password and all. and they won't be DBAs if
> > > the windows authentication is enabled any of that guys can
> > > play with it.
> > > sp_denylogin is not a solution for it. coz every time they
> > > can create new users.
> > >
> > > 2. When we are creating a database we have to provide
> > > the Data and Log files. We don't want to share the
> > > information of the database to others, but in MS SQL
> > > Server .
> > > Suppose we created a database DB1, with Data File
> > > d:\Data\MyData.Dat and Log file D:\Data\MyLog.Dat and
> > > making some secret transactions in it.
> > >
> > > Now we are creating a new database called DB2 with Data
> > > File Z:\Data\DataZ.Dat and Log file Z:\Data\LogZ.Dat. Now
> > > we are stopping the SQL Server and
> > > copying the DB1 files (d:\Data\MyData.Dat and
> > > D:\Data\MyLog.Dat ) to Z:\Data and renaming them as
> > > Z:\Data\LogZ.Dat and Z:\Data\DataZ.Dat.
> > >
> > > Start the SQL Server, now you can see all the DB1 data in
> > > DB2..
> > >
> > > That means anyone can see my secret data in this way.
> > >
> > >
> > >
> > > Any suggestions,
> > > Thanks in advance.
> > > Danny
>
>
>
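The login-side steps discussed in this thread (a dedicated DBA group as sysadmin, then sp_revokelogin on BUILTIN\Administrators, then checking who is left), written out as an added T-SQL example for SQL Server 2000; it is not part of any poster's message. The group name CORP\SQLServerDBAs is a hypothetical placeholder.

```sql
-- Added example, not from the thread. CORP\SQLServerDBAs is a hypothetical
-- Windows group that holds only the DBAs' accounts.
USE master
GO

-- 1. Give the dedicated DBA group a login and sysadmin membership FIRST,
--    so removing BUILTIN\Administrators cannot lock every Windows login out.
EXEC sp_grantlogin N'CORP\SQLServerDBAs'
EXEC sp_addsrvrolemember N'CORP\SQLServerDBAs', N'sysadmin'
GO

-- 2. Confirm the new group is listed as a sysadmin before going further.
EXEC sp_helpsrvrolemember N'sysadmin'
GO

-- 3. Remove the default login that maps every local administrator
--    (and therefore every domain admin) to sysadmin.
EXEC sp_revokelogin N'BUILTIN\Administrators'
GO

-- 4. Audit: every login that still holds sysadmin, and whether it is a
--    Windows group, a Windows user, or a SQL Server login.
SELECT name,
       isntgroup,   -- 1 = Windows group
       isntuser,    -- 1 = Windows user
       denylogin,   -- 1 = explicitly denied
       hasaccess    -- 1 = granted access to the server
FROM   master.dbo.syslogins
WHERE  sysadmin = 1
ORDER  BY name
GO

-- 5. Audit: who is currently inside the DBA group. Run this on a schedule
--    and compare with the approved list, since a Windows administrator
--    can change the group's membership.
EXEC xp_logininfo N'CORP\SQLServerDBAs', 'members'
GO
```

This changes only who can log in through Windows authentication; it does nothing about the data files being copied while the service is stopped, which the replies above raise separately.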