Wednesday, March 28, 2012

MSSQL server service (Windows service) account configuration

Hi Folks,
We have some in-house applications developed using Microsoft technologies
like C#.NET, ASP.NET and SQL Server 2000, and we have third-party applications
using SQL Server 2000.
In all our SQL Servers we configured as below.
We created domain-level user accounts (service accounts) like SA_Server1.
We made that SA_server1 a member of the local Administrators group on the
server where the SQL Server 2000 software got installed.
We are using the SA_server1 account to run the mssqlserver service (Windows
service).
All our production SQL Servers are Windows clusters with 2 nodes.
We have mixed mode authentication. And all users in the Builtin/Administrators
group are SQL users.
Using that domain-level service account (SA_Server1) credentials, we can
log in to that particular SQL Server locally to check everything is working
fine.
Everything is working fine.

Recently a Sarbanes-Oxley audit was conducted in our company.
One of the questions they asked is as given below.
1. Why is interactive log-in turned ON for the mssqlservice accounts (for
SA_Server1)?
They don't want anyone to log in to that server locally using that domain
account's credentials.
2. Why are Builtin/Administrators part of the SQL users?

How can we prevent anyone logging in to that SQL Server locally using that
service account's credentials?
We will be giving those credentials to 2 or 3 administrative people only.
But we don't want them to log in to that server locally using the service
account credentials either.
They should log in to that server using their own Windows accounts.

How can we turn OFF that interactive log-on?
Is it in group policy or local policy or the Active Directory member profile?

What are the best security practices for SQL Server 2000 configuration,
mainly with service accounts?

Any kind of help is greatly appreciated.
--Kumar

Assigning the "Deny logon locally" right to the account used to start the SQL
Server services is recommended, to prevent someone from using the SQL Server
service account to log in to the SQL Server.
Hope this helps
"Kumar" wrote:

> Hi Folks,
> We have some in-house applications developed using Microsoft technologies
> like C#.NET, ASP.NET and SQL Server 2000, and we have third-party applications
> using SQL Server 2000.
> In all our SQL Servers we configured as below.
> We created domain-level user accounts (service accounts) like SA_Server1.
> We made that SA_server1 a member of the local Administrators group on the
> server where the SQL Server 2000 software got installed.
> We are using the SA_server1 account to run the mssqlserver service (Windows
> service).
> All our production SQL Servers are Windows clusters with 2 nodes.
> We have mixed mode authentication. And all users in the Builtin/Administrators
> group are SQL users.
> Using that domain-level service account (SA_Server1) credentials, we can
> log in to that particular SQL Server locally to check everything is working
> fine.
> Everything is working fine.
>
> Recently a Sarbanes-Oxley audit was conducted in our company.
> One of the questions they asked is as given below.
> 1. Why is interactive log-in turned ON for the mssqlservice accounts (for
> SA_Server1)?
> They don't want anyone to log in to that server locally using that domain
> account's credentials.
> 2. Why are Builtin/Administrators part of the SQL users?
>
> How can we prevent anyone logging in to that SQL Server locally using that
> service account's credentials?
> We will be giving those credentials to 2 or 3 administrative people only.
> But we don't want them to log in to that server locally using the service
> account credentials either.
> They should log in to that server using their own Windows accounts.
>
> How can we turn OFF that interactive log-on?
> Is it in group policy or local policy or the Active Directory member profile?
>
> What are the best security practices for SQL Server 2000 configuration,
> mainly with service accounts?
>
>
> Any kind of help is greatly appreciated.
>
> --Kumar
>
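
One way to verify the setting recommended in the reply above, as an added example that is not part of the original thread: the script parses the user-rights section of a `secedit` policy export and reports whether the service account is listed under "Deny log on locally" while still holding "Log on as a service". The domain name CORP, the SID and both sample exports are constructed for illustration.

```python
# Constructed samples of the [Privilege Rights] section that
# `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes (real files are
# typically UTF-16; read them with open(path, encoding="utf-16")).
# CORP and the SID are made-up values; SA_Server1 is the account from the thread.
SA_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SA_IDS = {r"CORP\SA_Server1", SA_SID}
BEFORE = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""
AFTER = BEFORE.replace("= Guest", r"= Guest,CORP\SA_Server1")


def parse_privilege_rights(inf_text):
    """Return {right name: set of lower-cased principals} from an export."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs with a leading '*'; account names are bare.
        rights[name.strip()] = {
            p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
        }
    return rights


def audit_service_account(inf_text, identities):
    """identities: every name and SID form under which the account may appear."""
    ids = {i.lower() for i in identities}
    rights = parse_privilege_rights(inf_text)
    findings = []
    if not ids & rights.get("SeDenyInteractiveLogonRight", set()):
        findings.append("not in 'Deny log on locally'")
    if not ids & rights.get("SeServiceLogonRight", set()):
        findings.append("missing 'Log on as a service'")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_service_account(text, SA_IDS) or "OK")
```

Pass both the name and the SID of the account, since an export may list a domain account in either form.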
