How to lock out everyone but me?

I'm working with SQL Server Express, and I want to configure a named instance so that only the 'sa' user and a specified SQL Server user with a specified password have access. In particular, I'm trying to lock out BUILTIN\Administrators. Furthermore, I need to be able to do this from a command-line, since I want to configure it in a script. Nothing I do seems to work.

I've attempted to use sqlcmd and the T-SQL call ALTER LOGIN [BUILTIN\Administrators] DISABLE, but that returns the error "Cannot alter the login 'BUILTIN\Administrators' because it does not exist or you do not have permission."

What I can (apparently) successfully do is run DENY CONTROL TO [BUILTIN\Administrators]. This runs without reporting an error. However, after running it against the 'master' database and the specific database in my named instance I care about, I can still run the following:

sqlcmd -S (local)\MyInstance -d MyDB -Q "select * from my_table"

and see the contents of my_table.

What do I need to do to restrict access exclusively to 'sa' and other SQL users I designate?

Have you tried simply dropping the builtin\administrators login?

"Drop login [builtin\administrators]"

You can check sys.server_principals for a list of all logins. This seemed to work for me, although I tested this on Developer Edition and not Express Edition.

Sung

|||

I think the right expression would be to deny connection to builtin administrator under normal circumstances.

I want to clarify that actually stopping a box administrator from accessing SQL Server instance (and any other service for that matter) is practically impossible as your adversary has control over the OS and most likely the hardware.

You need to trust the box admin to some extent, and a proper channel and policies to monitor unauthorized activities (i.e. company policies, box auditing, etc.) should be in place to keep a box administrator honest. If you are hosting any data on a machine where you don’t trust the box administrator, make sure you don’t store (and I would even say don’t manipulate) any valuable information in clear text on the system you don’t trust.

If your objective is to keep an honest box administrator honest and deter her from accessing SQL Server, revoking access as Sung mentioned should be enough. In SQL Express you additionally would have to drop the [Builtin\users] account. SQL Express is designed OOB to grant access to the instance (with low privileges) to any user in the system in order to take advantage of some SQL Express-specific features.

BTW. Keep in mind that in SQL Server 2005 it is sufficient to start the server in single user mode. The reason for this is to allow a box admin to recover the system in case of emergency.

I hope this information will be useful.

-Raul Garcia

SDE/T

SQL Server Engine

How to know if user have access to a specified DB

Hi !

I'm searching a way to know if a specified user have access to a

specified database. For sure I may look with Enterprise Manager, but

I'm searching a way by looking in System Table, or using StoreProc

Where the Info about user and is Database access are store?

Any idea?

I'm using MSDE

Zak

select [name] from sysusers where [name]='userName'|||That tell me that the user exist on SQL but not if the user have access to a specified Database ...
|||Oh ! Sorry you are right !!!

Thanks for the info !! |||

Actually, when I went outside for a walk I realized that this doens't completely answer the question. A user could be aliased. Hang on and I will get you some more information. Sorry about rushing the answer.

Dave

|||

I don't use Alias in my project only SQL Account

|||Then you should be good. Good luck, Zakary!|||Thanks body!

How to know a server is running on a specified port?

Dear all,
How to know that whether a server is running on a specified port?
For example, server A is running on port 1888. For a client, how to know
this?
Thanks,
GordonHi ,
Easy way is to check the SQL Server Error Log.
Thanks
Hari
MCDBA
"Gordon" <sdgwedh@.hotmail.com> wrote in message
news:#fyAagwyDHA.2620@.TK2MSFTNGP09.phx.gbl...

quote:

---

> Dear all,
> How to know that whether a server is running on a specified port?
> For example, server A is running on port 1888. For a client, how to know
> this?
> Thanks,
> Gordon
>

---

|||You can check :
1. SQL Errorlog
2. NT application log
3. Run netstat -an
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.|||Thanks. But my question is for a client, how to know this.
A client doesn't have permission to check the items you list.
"Kevin McDonnell [MSFT]" <kevmc@.online.microsoft.com> wrote in message
news:nX$xzv9yDHA.3532@.cpmsftngxa07.phx.gbl...

quote:

---

> You can check :
> 1. SQL Errorlog
> 2. NT application log
> 3. Run netstat -an
> Thanks,
> Kevin McDonnell
> Microsoft Corporation
> This posting is provided AS IS with no warranties, and confers no rights.
>
>

---

|||Hey Gordon,
Our MDAC 2.6 and greater clients will send a UDP packet to the server to
determine what port the server's listening on as long as it's a Named
Instance.
Otherwise, the NT admin or SQL Admin would have to tell the client what
port they're listening on. Typically, if you were to roll out an
application that was listening on an alternate port, you would either
instruct the clients how to connect or configure an alias for them. The
only other way a client could find this information out would be to port
scan the remote machine.
265808 INF: How to Connect to an SQL Server 2000 Named Instance with the
http://support.microsoft.com/?id=265808
286303 INF: Behavior of SQL Server 2000 Network Library During Dynamic Port
http://support.microsoft.com/?id=286303
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.