Locking Down SQL 2005


i'm not sure best way lock down sql server 2005. added login group maps ad group. group mapped public role , problem in group can manage server right-clicking , selecting properties. understanding allowed control server permissions removing doesn't allow them logon server anymore. there way allow people connect server not manage it?

thanks!

by default when give login public fixed server role, has the server permission of "connect sql". it should not have control server permission sysadmin. since can change server settings, it that the logins belong existing built-in admin group.  besides lekss mentioned, recommend you run following query check details:
1. check principal's id, run
select * sys.server_principals

2. check detailed server permission, run
select * sys.server_permissions

pay attention following columns in output: class_desc, grantee_principal_id, permission_name , state. 
http://msdn.microsoft.com/en-us/library/ms186260.aspx

if any of logins have control server permission, can issue revoke command as following revoke permission:
revoke control server login_principal_name

if after revoke control server permission, find not log on sql server instance, can use grant grant connect sql it:
grant connect sql login_principal_name

and make sure has connect sql server permission in sys.server_permissions. please aware not issue deny control server login cause login failed connect sql server instance. if issued deny statement, issue revoke revoke it.

for more information, can refer to:
deny server permissions
http://msdn.microsoft.com/en-us/library/ms182763.aspx
grant server permissions
http://msdn.microsoft.com/en-us/library/ms186717.aspx
revoke server permissions
http://technet.microsoft.com/en-us/library/ms186308.aspx

please remember mark replies answers if , unmark them if provide no help


SQL Server  >  SQL Server Security



Comments

Post a Comment

Popular posts from this blog

SQL server replication error Cannot find the dbo or user defined function........

hi there, i ran problem while deploying sql 2008 transactional replication between 2 servers lets assume server , b. actually created  both distributor , publisher on server , after created subscriber pointed server b, launch replication monitor , found big red cross. when click on tab "distributor subscriber history" error says "cannot find either column "dbo" or user defined-function or aggregate "dbo.ufnleadingzeros", or name ambiguous". can body regarding issue. regards, ishuv hi, you need compare data , others reseved, index size, unused should not compared. differs. here server - data - 87896 kb server b - data - 78152 kb server data size includes publication tables, can't compare directly. need check article article know exact data size. SQL Server  >  ...
Read more

BIT Version

  hi,     knows how find out ther bit version in sql  , windows os (32 or 64)   regards, s.balavenkatesh   microsoft sql server 2005 - 9.00.1399.06 (intel x86) oct 14 2005 00:33:37 copyright (c) 1988-2005 microsoft corporation standard edition on windows nt 5.2 (build 3790: service pack 2)     intel x86)   -- says sql server 32 bit   madhu SQL Server  >  SQL Server Tools
Read more

Admin Permissions

hi need create new 'role' following permissions, 1. access sql server logs. 2. access maintenance plans ( can avoid access) 3. access activity monitor 4. normal access product databases , not system db´s need guidance on how it, can point me in right direction please? thanks 1.grant  execute on xp_readerrorlog [domainname\ad user or group]; 2. http://technet.microsoft.com/en-us/library/ms191002.aspx 3.view server state permission 4. make user member of dbo_owner database role. best regards,uri dimant sql server mvp, http://sqlblog.com/blogs/uri_dimant/ ms sql optimization: ms sql development , optimization ms sql consulting: large scale of database , data cleansing remote dba services: improves ms sql database performance sql server integration services: business intelligence SQL Server  >  ...
Read more