Thursday, March 8, 2012

Can't remove SA account or delete xp_cmdshell ext stored proc?

I'm trying to make my SQL Server a tad more secure, but I'm unable to remove
SA (I'm running Mixed mode) -- can the SA account only be removed when using
Windows Authentication? When I try to remove SA I get "selected user
cannot be dropped because the user owns objects". When I try to delete
xp_cmdshell I get the following error: "You tried to delete one or more
system objects. They were not deleted."
I must admit, I'm a little confused. I'm trying to implement Microsoft's
security recommendations, but either the documentation is not
detailed/accurate or I'm missing something?
Any suggestions?
Thanks, Rob.

Hi
You cannot remove the SA account. Set a very complicated password for it,
write it down and put it in a safe.
For the xp_ look at
http://support.microsoft.com/defaul...kb;en-us;891984
Regards
--
Mike Epprecht, Microsoft SQL Server MVP
Zurich, Switzerland
MVP Program: http://www.microsoft.com/mvp
Blog: http://www.msmvps.com/epprecht/

> I'm trying to make my SQL Server a tad more secure, but I'm unable to
> remove SA (I'm running Mixed mode) -- can the SA account only be removed
> when using windows Authentication? When I try to remove SA I get
> "selected user cannot be dropped because the user owns objects". When I
> try to delect xp_cmdshell I get the following error "You tried to delete
> one or more system objects. They were not deleted."
The sa login account cannot be deleted or renamed, nor can any permission be
revoked from it.

> I must admit, I'm a little confused. I'm trying to implement Microsoft's
> security recommendations, but either the documentation is not
> detailed/accurate or I'm missing something?
I don't think MS ever mentioned dropping the sa account (as it can't be
done). Here are the recommendations from the Operations Guide:
"The sa account in a production environment should be given a complex
password, made up of uppercase and lowercase letters, symbols, spaces, and
numbers. The sa account should have a complex password, even if the SQL
Server is running in only Windows Authentication Mode. A complex password
protects SQL Server from someone easily getting administrative access to SQL
Server. This also protects the server in the event that an administrator
changes the security authentication mode to Mixed Mode.
Do not use the sa login account in a production environment. Instead, place
each DBA's network user account into a Windows group, create a single SQL
Server login account for the group then add the login account to the
sysadmin fixed server role."
(http://www.microsoft.com/technet/pr...in/sqlops3.mspx).
Dejan Sarka, SQL Server MVP
Associate Mentor
www.SolidQualityLearning.com

Thank you for the information.
The book I was reading is from Microsoft Press and the authors are Ed Robinson
and Michael James Bond.
I have the SA password complex, so no worries there.
I guess I'll leave xp_cmdshell alone, as it seems to be more trouble than
it is worth to remove it.
Should I think about installing URLScan?

> Should I think about installing URLScan?
Why don't you ask this in some IIS group, with an explanation of why you think
you need it?
Dejan Sarka, SQL Server MVP
Associate Mentor
www.SolidQualityLearning.com
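The Operations Guide steps that Dejan quotes, written out as a T-SQL script. This is an added example and not part of the thread or of Microsoft's guide; the Windows group name `CONTOSO\SQL-DBAs` and the password placeholder are assumptions. The thread is SQL Server 2000 era, where sa can be neither dropped nor renamed and xp_cmdshell cannot be deleted; steps 3 and 4 go beyond that and use the SQL Server 2005 and later mechanisms (`ALTER LOGIN ... DISABLE`, `ALTER LOGIN ... WITH NAME`, and `sp_configure 'xp_cmdshell'`) that neutralise both without deleting anything.

```sql
-- Added example (not from the thread or from the Microsoft guide it quotes).
-- Assumptions: the DBA group is CONTOSO\SQL-DBAs and you replace the password
-- placeholder with a long random value before running this.
USE master;
GO

-- 1. One login for the DBA Windows group, then sysadmin membership for that
--    login. DBAs connect as themselves and never need the sa password.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQL-DBAs')
    CREATE LOGIN [CONTOSO\SQL-DBAs] FROM WINDOWS;
GO
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-DBAs', @rolename = N'sysadmin';
GO

-- 2. Give sa a long random password even if the instance runs in Windows
--    Authentication mode only: a later switch to Mixed mode must not expose a
--    weak or blank sa password. Record the value offline (the "safe").
ALTER LOGIN sa WITH PASSWORD = N'<replace with a long random value>';
GO

-- 3. sa cannot be dropped (it owns system objects), but since SQL Server 2005
--    it can be disabled and renamed. Disable first, then rename so that
--    password-guessing tools aiming at the well-known name 'sa' find nothing.
ALTER LOGIN sa DISABLE;
GO
ALTER LOGIN sa WITH NAME = [sa_disabled];
GO

-- 4. xp_cmdshell is a system object and the error in the thread is expected
--    when you try to delete it. On 2005+ switch it off through sp_configure
--    instead (it is off by default on a fresh install).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- 5. Verify. sa keeps SID 0x01 whatever it is called, so look it up by SID.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;                      -- expect is_disabled = 1

SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';           -- expect value_in_use = 0

SELECT m.name AS sysadmin_member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';            -- expect the Windows group listed
GO
```

Two caveats before running this on a production instance: anything that connects hard-coded as `sa` (old connection strings, maintenance scripts, third-party installers) breaks once the login is disabled or renamed, so search for those first; and keep the recorded password, because a disabled sa can still be re-enabled from a sysadmin session if the Windows group ever loses access.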
