Security Basics mailing list archives

RE: What Local Server Rights are needed for SQL DBAs?


From: "Jason Hurst" <Jason.Hurst () PandaRG com>
Date: Thu, 17 Sep 2009 08:38:40 -0700

Hi everyone,

Microsoft publishes a security best practices document that can be found on the Microsoft website.

It is called:

SQL Server 2005 Security Best Practices - Operational and Administrative Tasks

http://download.microsoft.com/download/8/5/e/85eea4fa-b3bb-4426-97d0-7f7151b2011c/SQL2005SecBestPract.doc

That may be what you are looking for.
 
Jason Hurst
Sr. Network Security Administrator
Panda Restaurant Group
jason.hurst () pandarg com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of craig.wilson () redtray co uk
Sent: Wednesday, September 16, 2009 12:06 AM
To: Eggleston, Mark; listbounce () securityfocus com; security-basics () securityfocus com
Subject: Re: What Local Server Rights are needed for SQL DBAs?

Hi Mark

Depends how draconian you want to be and the setup of your teams.  If you have a DBA team and also server and 
infrastructure teams then I would normally have any config changes on the servers themselves go to the server team.

For DBA work they only need rights to make changes to the database, not to the underlying OS.
The rights you described above, save local admins, are enough for that.

In my experience the problem with app and DB developers having local admin rights is that corners are often cut in 
order to make something work.  

That leads to another point: assuming you are employing a dev\uat\live architecture and any amendments go via change 
management then access to dev should generally allow for local admin rights.

Craig
 
 

-----Original Message-----
From: "Eggleston, Mark" <meggleston () healthpart com>
Date: Fri, 11 Sep 2009 14:15:22 
To: <security-basics () securityfocus com>
Subject: What Local Server Rights are needed for SQL DBAs?

Hello Colleagues,

I need some help finding good documentation (i.e. best or standard
practice) for deciding what appropriate rights are really needed for a
DBA to perform his or her duties (Win 2003, SQL 2005/8).  Can anyone
point me to a good reference as my Google searches have not provided an
authoritative conclusion.

Currently we have our Database Administration Group as local admins on
those servers hosting SQL... However, is the serveradmin role required?
Our Manager of this group has indicated that DBAs certainly require these
server specific roles: setupadmin; processadmin; dbcreator.  

Thanks in advance for sharing how you may have tackled this issue at
your company or a methodology on how to pursue.

Thanks,

Mark Eggleston
Manager, Security and Business Continuity 
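
Added example, not part of the original thread: a T-SQL audit for SQL Server 2005/2008 that lists who currently holds the fixed server roles named in the question, and which Windows groups with a login on the instance (for example BUILTIN\Administrators, if present) map to a server role. It uses only the sys.server_principals and sys.server_role_members catalog views and changes nothing on the server.

```sql
-- Added example (T-SQL, SQL Server 2005/2008); not from the thread.

-- 1. Current members of the fixed server roles discussed in the question.
SELECT r.name        AS server_role,
       m.name        AS member_name,
       m.type_desc   AS member_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin', N'setupadmin',
                 N'processadmin', N'dbcreator')
ORDER BY r.name, m.name;

-- 2. Windows groups that have a login on this instance, with any fixed
--    server role they hold (NULL means the group has a login but no role).
--    This shows whether OS-level group membership translates into SQL rights.
SELECT g.name AS windows_group,
       r.name AS server_role
FROM sys.server_principals        AS g
LEFT JOIN sys.server_role_members AS rm ON rm.member_principal_id = g.principal_id
LEFT JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE g.type = 'G'                      -- 'G' = Windows group
ORDER BY g.name, r.name;
```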

 