Board index MS SQL Server

Security risks of Master dbo role for network?

Security risks of Master dbo role for network?

Post by Bob Duniwa » Sun, 14 Jan 2001 03:50:47



Okay, once again the blind leading the blind here are seeking advice
from some of you with longer vision.  We bought a server and SQL Server
7.0 Enterprise Addition, and had it installed on the campus network.
The network administrator naturally has concerns about keeping the
network running smoothly, and for that reason we decided it might be
best if I could do my job without being in the sysadmin group, and they
are willing to work with me on those occassions where I need something
done that requires sysadmin permissions.

Well, it is quickly becoming apparent that I have more reason to figure
out what can be done with SQL Server than they do, and we are tossing
around ideas about how to expand my access to the functionality of SQL
Server without implementing a policy that may come back to bite the
network if a) I do something really stupid or b) I leave and my
replacement assumes my permissions and does something really
stupid/malicious.

Bottom line, they don't care how much I*up SQL Server (though
obviously I do and plan not to*it up), as long as I can't*
up the network connections to the server itself, or mess with anything
else on the network.  So they don't really want me having local domain
server permissions, but don't care what permissions I have inside SQL
Server.

So here is one idea we are tossing about.  It seems that making me a
member of the db_owner group in Master and MSDN lets me see what is
going on, make configuration changes internal to SQL Server, and use
all the stored procedures and Extended Stored Procedures that ship with
the product.  That would greatly enhance my ability to work with SQL
Server on administrative tasks without needing to meet with one of the
network administrators and have him log in as a sysadmin.  But what
should we be concerned about with this strategy?  Are there things that
should be explicitly denied my account in order to protect the
network?  SQL Server 7.0/Windows 2000 Server/Pure Windows 2000 network
specific comments are particularly helpful.

Thanks in advance for any advice/cautions/reassurances.

--
Bob Duniway - Recovering Gifted Child

Sent via Deja.com
http://www.veryComputer.com/

 
 
 
Top

1. Security risks of Master dbo role for network?

Okay, once again the blind leading the blind here are seeking advice
from some of you with longer vision.  We bought a server and SQL Server
7.0 Enterprise Addition, and had it installed on the campus network.
The network administrator naturally has concerns about keeping the
network running smoothly, and for that reason we decided it might be
best if I could do my job without being in the sysadmin group, and they
are willing to work with me on those occassions where I need something
done that requires sysadmin permissions.

Well, it is quickly becoming apparent that I have more reason to figure
out what can be done with SQL Server than they do, and we are tossing
around ideas about how to expand my access to the functionality of SQL
Server without implementing a policy that may come back to bite the
network if a) I do something really stupid or b) I leave and my
replacement assumes my permissions and does something really
stupid/malicious.

Bottom line, they don't care how much I screw up SQL Server (though
obviously I do and plan not to screw it up), as long as I can't screw
up the network connections to the server itself, or mess with anything
else on the network.  So they don't really want me having local domain
server permissions, but don't care what permissions I have inside SQL
Server.

So here is one idea we are tossing about.  It seems that making me a
member of the db_owner group in Master and MSDN lets me see what is
going on, make configuration changes internal to SQL Server, and use
all the stored procedures and Extended Stored Procedures that ship with
the product.  That would greatly enhance my ability to work with SQL
Server on administrative tasks without needing to meet with one of the
network administrators and have him log in as a sysadmin.  But what
should we be concerned about with this strategy?  Are there things that
should be explicitly denied my account in order to protect the
network?  SQL Server 7.0/Windows 2000 Server/Pure Windows 2000 network
specific comments are particularly helpful.

Thanks in advance for any advice/cautions/reassurances.

--
Bob Duniway - Recovering Gifted Child

Sent via Deja.com
http://www.deja.com/

2. oracle ODBC driver on solaris

3. db_ddladmin database role and dbo security

4. SBT and Laser Forms...

5. Need help changing passwords (Old DBA may be a security risk)

6. script to create data warehouse

7. Security Risk question for SQL Server 7

8. ADO in IDL file

9. Multiple SQL statements - SECURITY RISK ON ASP!

10. Why are absolute paths considered a security risk?

11. running root.sh - a security risk?

12. Typical DB install - security risk?

13. SECURITY RISKS - executive summary


All times are UTC
Board index