I work for a training center and we have the following scenario:
SQL Server 2000 SP3A is installed on 10 computers in our classroom, under
Windows 2000 SP4 Professional.
The students log on with their own user name.
They are member of the local Administrators group (we trust them on their
own machine).
They are also member of the sysadmin role on their own SQL Server.
We removed the BUILTIN/Administrators login on every SQL Server.
The students cannot access any database on the other machines, which is OK.
But by playing around, they discovered that they are still able to start and
stop any of the other servers.
Is this normal?
Did I overlook something?
What should I do to prevent this?
RikiSounds normal. Removing the role prevented them from accessing the data
within the SQL server. SQL runs as a service and any local administrator
can stop and start any service. Treat it as a learning opportunity.
Learning to be careful when you are a local administrator on a SQL server
host computer is a very important skill.
Geoff N. Hiten
Microsoft SQL Server MVP
Senior Database Administrator
Careerbuilder.com
I support the Professional Association for SQL Server
www.sqlpass.org
"Riki" <riki@.bounce.com> wrote in message
news:ueJ$t9zGFHA.1528@.TK2MSFTNGP09.phx.gbl...
> I work for a training center and we have the following scenario:
> SQL Server 2000 SP3A is installed on 10 computers in our classroom, under
> Windows 2000 SP4 Professional.
> The students log on with their own user name.
> They are member of the local Administrators group (we trust them on their
> own machine).
> They are also member of the sysadmin role on their own SQL Server.
> We removed the BUILTIN/Administrators login on every SQL Server.
> The students cannot access any database on the other machines, which is
OK.
> But by playing around, they discovered that they are still able to start
and
> stop any of the other servers.
> Is this normal?
> Did I overlook something?
> What should I do to prevent this?
> Riki
>|||Thanks for your response, Geoff.
I wasn't aware that starting and stopping a SQL Server
doesn't have anything to do with SQL Server Permissions.
Riki
Geoff N. Hiten wrote:[vbcol=seagreen]
> Sounds normal. Removing the role prevented them from accessing the
> data within the SQL server. SQL runs as a service and any local
> administrator can stop and start any service. Treat it as a learning
> opportunity. Learning to be careful when you are a local
> administrator on a SQL server host computer is a very important skill.
>
> "Riki" <riki@.bounce.com> wrote in message
> news:ueJ$t9zGFHA.1528@.TK2MSFTNGP09.phx.gbl...
Riki|||Hi Geoff,
This doesn't seem quite right to me, but I might be missing something.
Riki's problem as I see it is that the local Admin on Machine B can stop and
start services on Machine A. But the local Admin is just that - local - and
so should not be able to affect any other machine.
So while a local Admin can start and stop the local MSSQLServer service
irrespective of SQL Server rights, they shouldn't be able to affect another
machine's services.
So, have I missed something?
Simon.
"Geoff N. Hiten" wrote:
> Sounds normal. Removing the role prevented them from accessing the data
> within the SQL server. SQL runs as a service and any local administrator
> can stop and start any service. Treat it as a learning opportunity.
> Learning to be careful when you are a local administrator on a SQL server
> host computer is a very important skill.
> --
> Geoff N. Hiten
> Microsoft SQL Server MVP
> Senior Database Administrator
> Careerbuilder.com
> I support the Professional Association for SQL Server
> www.sqlpass.org
> "Riki" <riki@.bounce.com> wrote in message
> news:ueJ$t9zGFHA.1528@.TK2MSFTNGP09.phx.gbl...
> OK.
> and
>
>
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment