Author |
Topic |
cat_jesus
Aged Yak Warrior
547 Posts |
Posted - 2008-02-19 : 10:49:32
|
I'm in the process of locking down the SQL servers here at work and I have read in several places that you should delete builtin\admin, but I have also read that you should just remove the system administrator role from this login. I'm a little confused about which I should do.What I've done so far is: - added an AD group for the DBAs and given us the Sys admin role.
- added an AD user for the SQL service
- run sp_changedbowner to sa for each database
- removed system administrator privileges from BUILTIN\Administrators login
When I try to remove the dbo role from builtin\admin for each database listed under database access I get the following error.Error 15405: Cannot use the reserved user or role name 'dbo'.I've done this on the dev server and once I'm satisfied that I've done no harm I plan to do this on all prod databases.So, should I go ahead and delete builtin\admin? Is the dbo role listed for that login on each database an issue? |
|
sodeep
Master Smack Fu Yak Hacker
7174 Posts |
Posted - 2008-02-19 : 12:19:35
|
You can delete builtin\admin as AD group for DBA already has sysadmin rights. Donot delete other groups. |
|
|
cat_jesus
Aged Yak Warrior
547 Posts |
Posted - 2008-02-19 : 12:29:37
|
I was pretty sure I could delete Builtin\Administrator. What I am confused about is whether I should. How do I make that determination? What are the ramifications of leaving the login but removing the role of sysadmin and what are the ramifications of deleting the login? |
|
|
sodeep
Master Smack Fu Yak Hacker
7174 Posts |
Posted - 2008-02-19 : 12:40:51
|
The BUILTIN\Administrators can easily be removed from SQL Server to prevent this security issue, but heed the warnings below prior to removing the group from SQL Server.What steps should I take prior to considering removing this group?Verify that you know the "sa" password by logging into the SQL Server with the "sa" account with either Query Analyzer or Management Studio on the SQL Server you want to modify. Validate other Windows groups or Windows logins are assigned SQL Server System Administrator rights on this SQL Server. Review the rights assigned to the BUILTIN\Administrators group. Research the members of the Windows Local Administrators group. Figure out if an additional group should be created in Active Directory and assigned rights in SQL Server or if specific logins should be assigned rights to SQL Server. If necessary, create the additional logins and groups in Active Directory and assign rights in SQL Server to ensure a minimum of 1 login and/or the "sa" login has SQL Server System Administrator rights. Validate that the members of the BUILTIN\Administrators group do not own any databases, objects, Jobs, etc and that none of the logins are connected to SQL Server. If any of these steps were not completed, repeat the needed steps. If all of these steps have been followed and you are confident that removing the BUILTIN\Administrators group will not cause any issues proceed to the next set of directions.*** NOTE *** - Do not remove the BUILTIN\Administrators group from SQL Server if other logins or groups do not have SQL Server System Administrator rights or if you do not know the "sa" password.With all of that being said, how do I remove the BUILTIN\Administrators group?Method Directions SQL Server 2000T-SQL Commands USE MASTERGOexec sp_revokelogin N'BUILTIN\Administrators'GO OR SQL Server 2000Enterprise Manager Open Enterprise Manager. Navigate to the Security folder. Double click on the Logins icon, which will load the SQL Server logins and groups in the right pane. Locate the BUILTIN\Administrators group. Right click on the BUILTIN\Administrators group and select the 'Delete' option. On the subsequent screen, read the message and if you agree press 'Yes' to remove the group. Refresh the pane to verify the group has been dropped. Method Directions SQL Server 2005 T-SQL Commands DROP LOGIN [BUILTIN\Administrators] OR SQL Server 2005Management Studio Open Management Studio. Navigate to the Security folder. Expand (+) the Logins folder, which will load the SQL Server logins and groups in the right pane. Locate the BUILTIN\Administrators group. Right click on the BUILTIN\Administrators group and select the 'Delete' option. On the subsequent screen, review the screen and if you agree press 'OK' to remove the login. Refresh the pane to verify the login has been dropped. |
|
|
cat_jesus
Aged Yak Warrior
547 Posts |
Posted - 2008-02-19 : 16:13:16
|
This is great. Thank you for putting it together. I have a much better understanding now.quote: Validate that the members of the BUILTIN\Administrators group do not own any databases, objects, Jobs, etc and that none of the logins are connected to SQL Server.
This is the one remaining problem I have. Even though I set the owners of all the databases to sa, BUILTIN\Administrators still has dbo on most of the databases. Weird. |
|
|
sodeep
Master Smack Fu Yak Hacker
7174 Posts |
Posted - 2008-02-19 : 16:23:10
|
Change the owner of DB to USer who has SYSADMIN rights. |
|
|
cat_jesus
Aged Yak Warrior
547 Posts |
Posted - 2008-02-19 : 16:31:58
|
quote: Originally posted by sodeep Change the owner of DB to USer who has SYSADMIN rights.
yeah I did that,I ran sp_MSforeachdb 'sp_changedbowner ''sa'''and got the following message for each oneThe dependent aliases were mapped to the new database owner.Database owner changed.But the owner hasn't changed when I check the properties page for the individual databases.But the good news is that builtin\administrators does not show up when I run sp_helpsrvrolemember |
|
|
rmiao
Master Smack Fu Yak Hacker
7266 Posts |
Posted - 2008-02-19 : 23:03:46
|
>> But the owner hasn't changed when I check the properties page for the individual databases.Did you refresh the display? |
|
|
cat_jesus
Aged Yak Warrior
547 Posts |
Posted - 2008-02-20 : 09:37:37
|
quote: Originally posted by rmiao >> But the owner hasn't changed when I check the properties page for the individual databases.Did you refresh the display?
Yes, I refreshed the display and I've even restarted the SQL services and killed my client EM app. |
|
|
lesley-marshall
Starting Member
1 Post |
Posted - 2008-02-21 : 09:17:47
|
I had the exact same problem and got round it by issuing sp_revokelogin 'BUILTIN\Administrators' from Query Analyzer (instead of trying to delete using Enterprise Manager). Hope it works for you too. |
|
|
|