locked
Domain account without a SQL login account RRS feed

  • Question

  • I have a situation that I have discovered in our QA database that I need to resolve.  When I looked at the Activity Monitor for our server, I discovered that a process is running under a domain user account for one of our .Net applications.  The problem is that that domain user account has not been created as a SQL login account on the server.  I am trying to figure out how someone can log in to the database server with a domain user account that has not been added to SQL Server as a login account.

     

    Does anyone have any insight on this?  I don't like the idea of someone being able to create domain account that can access the database without me granting them specific access.

     

    - Larry

    Wednesday, April 25, 2007 2:24 PM

Answers

  •   Most likely the Windows user has permission to connect via a Windows group membership. If the user belongs to one or more of such group and it has CONNECT SERVER permission, the Windows user will have access to connect to SQL Server.

     

      -Raul Garcia

      SDE/T

      SQL Server Engine

    Wednesday, April 25, 2007 6:16 PM
  •  Here is a link to a different forum question on how to remove local administrators from the sysadmin group. http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1559584&SiteID=1

     

      Be aware that this helps to keep honest people honest and prevent misuse by mitake, but it is only a speed-bump in case the machine administrator is truly malicious and determined to get to your data. As the machine administrator has full control over the machine and files stored there as well as any process running on it. I would strongly recommend a establishing a security policy so you can monitor and audit activity on both SQL Server as well as on the machine itself.

     

    -Raul Garcia

      SDE/T

      SQL Server Engine

    Monday, May 7, 2007 9:58 PM

All replies

  • It could be working under the guest account, it could be included in a domain group account that has database access, it could be under an ALIAS (a deprecated feature -and still dangerous).
    Wednesday, April 25, 2007 3:09 PM
  •   Most likely the Windows user has permission to connect via a Windows group membership. If the user belongs to one or more of such group and it has CONNECT SERVER permission, the Windows user will have access to connect to SQL Server.

     

      -Raul Garcia

      SDE/T

      SQL Server Engine

    Wednesday, April 25, 2007 6:16 PM
  • Apparently, the account in question  was a member of the WIndows local admin group.  It makes me rather nervous that an ID could be created that basically has unlimited access to my databases and, as the DBA, I can't do a whole lot about this.  Is there a good way that I can mitigate this risk?

    Monday, May 7, 2007 5:34 PM
  •  Here is a link to a different forum question on how to remove local administrators from the sysadmin group. http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1559584&SiteID=1

     

      Be aware that this helps to keep honest people honest and prevent misuse by mitake, but it is only a speed-bump in case the machine administrator is truly malicious and determined to get to your data. As the machine administrator has full control over the machine and files stored there as well as any process running on it. I would strongly recommend a establishing a security policy so you can monitor and audit activity on both SQL Server as well as on the machine itself.

     

    -Raul Garcia

      SDE/T

      SQL Server Engine

    Monday, May 7, 2007 9:58 PM