MSDE and SQL SA security?

Status
Not open for further replies.

pinkpanther56

Hi all.

Can anyone tell me if the SA account on MSDE is also a member of the local administrators group? If this is the case, would it be a member of domain admins if it was installed on a DC?

If this account was compromised on a member server what dangers would this pose to the domain or is the risk mainly to the member server?

Also does the SA account in the full SQL server have more rights than on MSDE?

Thanks for any input.
 
The SA account is a SQL account which is separate from the Windows domain. SQL has its own security which sa is automatically a part of. You can install SQL different ways:
1) Windows Only: Only uses Windows domain users and groups to assign permissions to databases
2) SQL Authentication and Windows: You can have both SQL accounts which are managed within SQL only, and you can set up permissions based on your Windows Domain.

You should always use a "strong" password for the sa account and treat it exactly as you would the Windows Administrator account.

SA account has the same permissions in MSDE as full SQL server.

Ray D'Andrade
 
The reason I'm asking is that an app we have installed has a password that is set by the software during setup (it's 8 characters but single case). I'm not happy about this and will be contacting them about it.

If the SA password was compromised could that allow someone to gain admin access to the server itself or just control of MSDE/SQL server?

Thanks.
 
Just SQL Server.....SA is the 'GOD' account for SQL Server only.

Want to test it? Try to log on to your computer using the SA account. It won't work.

There is one other issue....with the SA account you can run the xp_cmdshell procedure on SQL Server. This lets you run operating system commands. The operating system command(s) will run with the permissions that SQL Server service is running with. (From the BOL).


-SQLBill

Posting advice: FAQ481-4875
 
Ah ok so potentially someone that knows what they are doing could run commands with system level access which might make it easier to take over the box.

Cheers.
 
Correct. If they could get onto your SQL Server with sysadmin rights they could grant themselves access to the OS. Anyone who connects to a SQL Server with sysadmin rights also gets the same rights that the account which is running SQL Server has on the server and the domain.

Denny
MCSA (2003) / MCDBA (SQL 2000)

--Anything is possible. All it takes is a little research. (Me)
 
So that's why it's best not to run it on a DC then? If a member server is compromised they only own that box, not the domain.

Thanks.
 
It's also not a good idea to run it on the DC since SQL Server is designed to use almost all the memory available. The default is to 'grab' all but what would be needed by the operating system. You can adjust the settings for it to use less, but....... So, if you install it on the DC, they (DC and SQL Server) will be 'fighting' for the memory and neither will run at their best.

-SQLBill

Posting advice: FAQ481-4875
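
The thread ties the risk to three things: how the sa login is protected, whether xp_cmdshell is usable, and which Windows account the SQL Server service runs as. The audit below is an added example, not something posted by any participant; it assumes SQL Server 2008 R2 SP1 or later (for `sys.dm_server_services`), so it does not run as written on the MSDE / SQL Server 2000 releases discussed here.

```sql
-- Added example (not from the thread). Run as a sysadmin; reading
-- password_hash for PWDCOMPARE requires that level of access.
-- Assumption: SQL Server 2008 R2 SP1+ (sys.dm_server_services exists).
SET NOCOUNT ON;

-- 1. The sa login, located by its fixed SID so a rename does not hide it.
SELECT l.name,
       l.is_disabled,                       -- 1 = cannot be used to log in
       l.is_policy_checked,                 -- 1 = Windows password policy enforced
       l.is_expiration_checked,
       CASE WHEN PWDCOMPARE('', l.password_hash) = 1
            THEN 'REVIEW: blank password'
            ELSE 'not blank' END AS blank_password_check,
       l.modify_date                        -- last change to the login
FROM sys.sql_logins AS l
WHERE l.sid = 0x01;

-- 2. Every enabled login that holds sysadmin, not only sa. Any of these
--    can reach the operating system with the service account's rights.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS m
JOIN sys.server_principals  AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = m.member_principal_id
WHERE r.name = 'sysadmin'
  AND p.is_disabled = 0
ORDER BY p.name;

-- 3. Whether xp_cmdshell is currently enabled (value_in_use = 1).
--    A sysadmin can turn it on again, so this is a hygiene check,
--    not a control against a compromised sa login.
SELECT c.name,
       CAST(c.value_in_use AS int) AS enabled_now,
       CAST(c.value AS int)        AS configured_value
FROM sys.configurations AS c
WHERE c.name = 'xp_cmdshell';

-- 4. The Windows account the database engine runs as. Commands issued
--    through xp_cmdshell by a sysadmin run with this account's rights,
--    so a local-administrator or domain-level account here widens the
--    impact of a compromised sa password beyond SQL Server.
SELECT s.servicename, s.service_account, s.startup_type_desc, s.status_desc
FROM sys.dm_server_services AS s
WHERE s.servicename LIKE 'SQL Server (%';
```

Read the four result sets together: an enabled sa login without policy enforcement, combined with a highly privileged service account, is the situation the posters describe.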
 