Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion Groups
DB Engine
SQL ServerMSDESQL Server CE
Services
Analysis (Data Mining)Analysis (OLAP)DTSIntegration ServicesNotification ServicesReporting Services
Programming
CLRConnectivitySQLXML
Other Technologies
ClusteringEnglish QueryFull-Text SearchReplicationService Broker
General
Data WarehousingPerformanceSecuritySetupSQL Server ToolsOther SQL Server Topics
DirectoryUser Groups
Related Topics
MS AccessOther DB ProductsMS Server Products.NET DevelopmentVB DevelopmentJava DevelopmentMore Topics ...
SQL Server Forum / General / Security / February 2005

Tip: Looking for answers? Try searching our database.

All users can start and stop SQL Server?

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Riki - 25 Feb 2005 13:38 GMT
I work for a training center and we have the following scenario:
SQL Server 2000 SP3A is installed on 10 computers in our classroom, under
Windows 2000 SP4 Professional.
The students log on with their own user name.
They are member of the local Administrators group (we trust them on their
own machine).

They are also member of the sysadmin role on their own SQL Server.
We removed the BUILTIN/Administrators login on every SQL Server.

The students cannot access any database on the other machines, which is OK.
But by playing around, they discovered that they are still able to start and
stop any of the other servers.

Is this normal?
Did I overlook something?
What should I do to prevent this?

Riki
Reply to this Message
Geoff N. Hiten - 25 Feb 2005 14:41 GMT
Sounds normal.  Removing the role prevented them from accessing the data
within the SQL server.  SQL runs as a service and any local administrator
can stop and start any service.  Treat it as a learning opportunity.
Learning to be careful when you are a local administrator on a SQL server
host computer is a very important skill.

Signature

Geoff N. Hiten
Microsoft SQL Server MVP
Senior Database Administrator
Careerbuilder.com

I support the Professional Association for SQL Server
www.sqlpass.org

> I work for a training center and we have the following scenario:
> SQL Server 2000 SP3A is installed on 10 computers in our classroom, under
[quoted text clipped - 15 lines]
>
> Riki
Reply to this Message
Riki - 25 Feb 2005 17:48 GMT
Thanks for your response, Geoff.
I wasn't aware that starting and stopping a SQL Server
doesn't have anything to do with SQL Server Permissions.

Riki

> Sounds normal.  Removing the role prevented them from accessing the
> data within the SQL server.  SQL runs as a service and any local
[quoted text clipped - 21 lines]
>>
>> Riki

Signature

Riki

Reply to this Message
Simon - 28 Feb 2005 04:17 GMT
Hi Geoff,

This doesn't seem quite right to me, but I might be missing something.

Riki's problem as I see it is that the local Admin on Machine B can stop and
start services on Machine A.  But the local Admin is just that - local - and
so should not be able to affect any other machine.

So while a local Admin can start and stop the local MSSQLServer service
irrespective of SQL Server rights, they shouldn't be able to affect another
machine's services.

So, have I missed something?

Simon.

> Sounds normal.  Removing the role prevented them from accessing the data
> within the SQL server.  SQL runs as a service and any local administrator
[quoted text clipped - 23 lines]
> >
> > Riki
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.