Securing Windows for SQL Management

  • Question

  • Hi Group,

     

    Our scenario is that we have a department full of database administrators who require limited access to our DB servers, ranging from SQL 2000 to 2008 on Windows 2000, 2003 and 2008 (about 60 or so). We need to allow these DBAs access to restart the SQL services without the ability to have administrator rights on the servers. We have assigned them sysadmin rights for Enterprise Manager so they have full access to SQL-related tasks, and currently they have administrator rights to the servers just to accommodate MMC access to restart services, but we have restricted RDC access.

    This still poses a large security risk, since anyone who has knowledge of UNC to hidden shares can still manipulate the file system, as well as using psexec or a number of other remote admin tools, heck, even using MMC to re-add themselves in Users and Groups, etc. We have created various shares on the servers to allow them access to manipulate only the SQL-related information, such as databases, logs, a backup directory, a replication directory, etc.

    The issue I discovered is this. If the DBAs do not have admin rights on the servers, then they do not have access to use the MMC Services snap-in against the remote servers. I have used Group Policy to assign them access only to the services they need, and they can stop and restart SQL services without admin rights, but they must use sc or netsvc commands in order to do so. They don't like this and want MMC access at the least (since we have prevented them RDC access, I think that's fair).

    So what I need to understand is how to allow them access to an MMC snap-in (Services specifically) without making them a member of the local administrators groups. From everything I have read this doesn't seem possible, but I cannot believe Microsoft would have this oversight. You cannot tell me that Microsoft expects a database administrator to have full control over a server in order to manage SQL. I understand they can restart services through Enterprise Manager, but this still requires admin access on the remote host and still keeps open the possibility of manipulating the servers with fc access remotely.

    Hoping for some advice and suggestions here. Thanks, guys.

    Saturday, May 9, 2009 12:58 PM
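
The per-service delegation described in the question is stored in each service's security descriptor, which `sc sdshow <service>` prints as an SDDL string. As an added example that is not part of the original post, this Python sketch audits such a string and reports, for every non-administrative trustee, which service rights it holds and which go beyond start/stop; the function names, both SIDs and the sample SDDL are constructed for illustration.

```python
import re

# Service-specific meaning of the two-letter SDDL rights printed by `sc sdshow`.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
DANGEROUS = {"CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}  # beyond start/stop
PRIVILEGED = {"SY", "BA"}  # LocalSystem and built-in Administrators

# Constructed sample: both S-1-5-21-... SIDs are placeholders for delegated DBA groups.
DBA_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
OVER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1106"
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;LCRPWP;;;" + DBA_SID + ")"
    "(A;;CCDCLCRPWP;;;" + OVER_SID + ")S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def parse_dacl(sddl):
    """Return (ace_type, trustee, rights) for each ACE in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # malformed ACE (conditional/callback ACEs are out of scope)
        rights = fields[2]
        # Hex masks are kept raw so audit() flags them for manual review.
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        aces.append((fields[0], fields[5], {SERVICE_RIGHTS.get(c, c) for c in codes}))
    return aces

def audit(sddl):
    """Map each non-privileged trustee with an allow ACE to (granted, flagged) rights."""
    known, report = set(SERVICE_RIGHTS.values()), {}
    for ace_type, trustee, names in parse_dacl(sddl):
        if ace_type != "A" or trustee in PRIVILEGED:
            continue
        granted, flagged = report.setdefault(trustee, (set(), set()))
        granted |= names
        flagged |= {n for n in names if n in DANGEROUS or n not in known}
    return report

if __name__ == "__main__":
    for trustee, (granted, flagged) in audit(SAMPLE_SDDL).items():
        print(trustee, sorted(granted), "REVIEW:" if flagged else "ok", sorted(flagged))
```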