HiveBrain v1.2.0
Get Started
← Back to all entries
patternsqlModerate

Restrict access for Windows administrator

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
forwindowsadministratorrestrictaccess

Problem

As the SQL Server best practices says, "Windows Authentication mode is more secure than SQL Authentication". And now I want to know: is there a way to protect SQL Server from user with Windows administrator rights?

Solution

No.

If a user is a Windows Administrator of a box, assume that they own everything on the box (including SQL Server). With Windows Administrator rights it is trivial to bypass any targeted protection you apply (such as a logon trigger that identifies their user name), by impersonating someone else (including NT AUTHORITY\SYSTEM, which gets de facto admin rights on all local SQL Server instances). Auditing won't help much either, because they can easily turn that off, but you should have it just in case.

If you don't trust someone, don't give them Windows Administrator rights, period.

Context

StackExchange Database Administrators Q#34684, answer score: 15

Revisions (0)

No revisions yet.