patternsqlModerate
Restrict access for Windows administrator
Viewed 0 times
forwindowsadministratorrestrictaccess
Problem
As the SQL Server best practices says, "Windows Authentication mode is more secure than SQL Authentication". And now I want to know: is there a way to protect SQL Server from user with Windows administrator rights?
Solution
No.
If a user is a Windows Administrator of a box, assume that they own everything on the box (including SQL Server). With Windows Administrator rights it is trivial to bypass any targeted protection you apply (such as a logon trigger that identifies their user name), by impersonating someone else (including
If you don't trust someone, don't give them Windows Administrator rights, period.
If a user is a Windows Administrator of a box, assume that they own everything on the box (including SQL Server). With Windows Administrator rights it is trivial to bypass any targeted protection you apply (such as a logon trigger that identifies their user name), by impersonating someone else (including
NT AUTHORITY\SYSTEM, which gets de facto admin rights on all local SQL Server instances). Auditing won't help much either, because they can easily turn that off, but you should have it just in case.If you don't trust someone, don't give them Windows Administrator rights, period.
Context
StackExchange Database Administrators Q#34684, answer score: 15
Revisions (0)
No revisions yet.