SQL Server 2005: Removing the Windows administrators group "BUILTIN/Administrators"
2010-12-02 21:52
Disabling Windows system administrators on SQL Server 2005 and disabling Windows authentication.
Source: http://support.microsoft.com/kb/932881/en-us/
The Microsoft SQL Server 2005 Setup program creates a local Windows group for each service that you install. The SQL Server 2005 Setup program adds the service account for each service to its respective group. For a SQL Server failover cluster installation, Windows domain groups are used in the same manner. These domain groups must be created by a domain administrator before you run the SQL Server 2005 Setup program. All the Windows NT rights and permissions that are required by a specific service are added by the system access control list (SACL) to each Windows group. The domain administrator does not grant permissions directly to the service account.
In addition, the Windows groups that you created for SQL Server 2005, for SQL Server Agent, and for the BUILTIN/Administrators group are granted SQL Server 2005 logins that are provisioned in the SQL Server 2005 SYSADMIN fixed server role. This configuration makes it possible for any account that is a member of these groups to log on to SQL Server 2005 by using a Windows NT authenticated connection. Because the user has a group membership in the SQL Server SYSADMIN fixed server role, the user is logged into SQL Server 2005 as a SQL Server 2005 systems administrator. (The user is logged in by using the sa account). Then, the user has unrestricted access to the SQL Server 2005 installation and to its data. Also, any user who knows the password for the instance of SQL Server 2005 or for the SQL Server Agent service account can use the service account to log on to the computer. Then, the user can make a Windows NT authenticated connection to SQL Server 2005 as a SQL Server administrator.
The Windows groups that you created for SQL Server 2005 Reporting Services (SSRS) and for the full-text search service are also granted SQL Server logins. However, Reporting Services and the full-text search service are not provisioned in the SYSADMIN fixed server role.
Some SQL Server 2005 administrators want the functional roles of the database administrator and of the operating system administrator to be strictly separated. These administrators want to protect SQL Server 2005 against unwanted access by the operating system administrator.
How to make unwanted access to SQL Server 2005 by the operating system administrator more difficult
The NT AUTHORITY/SYSTEM account is also granted a SQL Server login. The NT AUTHORITY/SYSTEM account is provisioned in the SYSADMIN fixed server role. Do not delete this account or remove it from the SYSADMIN fixed server role. The NT AUTHORITY/SYSTEM account is used by Microsoft Update and by Microsoft SMS to apply service packs and hotfixes to a SQL Server 2005 installation. The NT AUTHORITY/SYSTEM account is also used by the SQL Writer Service.
Also, if SQL Server 2005 is started in single-user mode, any user who has membership in the BUILTIN/Administrators group can connect to SQL Server 2005 as a SQL Server administrator. The user can connect regardless of whether the BUILTIN/Administrators group has been granted a server login that is provisioned in the SYSADMIN fixed server role. This behavior is by design. This behavior is intended to be used for data recovery scenarios.
For more information about security best practices for SQL Server 2005, see the "Security Considerations for a SQL Server Installation" topic in SQL Server 2005 Books Online.
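The following T-SQL is an added example, not part of the KB article above or of any Microsoft script. It audits which Windows logins and groups hold the SYSADMIN fixed server role, refuses to proceed unless some other enabled sysadmin login exists (so you do not lock yourself out), removes the BUILTIN\Administrators group from sysadmin and drops its login, and then confirms that NT AUTHORITY\SYSTEM is still a sysadmin, since the article warns that Microsoft Update and the SQL Writer Service depend on it. It uses the SQL Server 2005 catalog views sys.server_principals and sys.server_role_members; the login name values are the defaults from the article.

```sql
-- Added example (not from the KB article): audit and remove the BUILTIN\Administrators
-- login while keeping NT AUTHORITY\SYSTEM. Run it while connected with a SQL login that
-- is a sysadmin (for example sa), not with a Windows account whose only sysadmin path
-- is membership in the group you are about to remove.

-- 1. List every Windows login (type U) and Windows group (type G) in sysadmin.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = N'sysadmin'
  AND sp.type IN ('U', 'G');

-- 2. Safety check: abort unless an enabled sysadmin other than the group exists.
IF NOT EXISTS (
    SELECT 1
    FROM sys.server_principals AS sp
    JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
    JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
    WHERE r.name = N'sysadmin'
      AND sp.name <> N'BUILTIN\Administrators'
      AND sp.is_disabled = 0)
BEGIN
    RAISERROR(N'No other enabled sysadmin login exists; aborting.', 16, 1);
    RETURN;
END;

-- 3. Remove the group from the sysadmin role, then drop its login entirely.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
BEGIN
    EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';
    DROP LOGIN [BUILTIN\Administrators];
END;

-- 4. Verify that NT AUTHORITY\SYSTEM still holds sysadmin (1 = yes, 0 = no,
--    NULL = the login does not exist on this instance).
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'NT AUTHORITY\SYSTEM') AS system_is_sysadmin;
```

Re-run step 1 afterwards to confirm the group is gone. Removing the login only closes the normal Windows-authenticated path; as the article notes, a member of the local Administrators group can still connect when the instance is started in single-user mode, so this hardening raises the bar rather than eliminating operating-system administrator access.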