Security Basics mailing list archives

RE: What Local Server Rights are needed for SQL DBAs?


From: "Eggleston, Mark" <meggleston () healthpart com>
Date: Wed, 16 Sep 2009 16:17:03 -0400

They are mostly doing SQL work from their desktops, but are moving in a direction to perform client-server application 
dev work now too.

So I believe we'll move forward with making the DBA group part of the local remote users group but not part of the 
local admin group.

Thanks again,

Mark

-----Original Message-----
From: craig.wilson () redtray co uk [mailto:craig.wilson () redtray co uk] 
Sent: Wednesday, September 16, 2009 2:38 PM
To: Eggleston, Mark; security-basics () securityfocus com
Subject: Re: What Local Server Rights are needed for SQL DBAs?

Hi Mark,

Might be pertinent to ask what they are looking to do on the servers.  DBA work would normally only require rights to 
the db which would normally be performed on a pc other than the server.  Are they doing application development too 
where software runs on the server or interacts with it?

Craig

Sent from my BlackBerry® wireless device

-----Original Message-----
From: "Eggleston, Mark" <meggleston () HEALTHPART COM>
Date: Wed, 16 Sep 2009 13:16:09
To: <craig.wilson () redtray co uk>; <security-basics () securityfocus com>
Subject: RE: What Local Server Rights are needed for SQL DBAs?

Thank you Craig - very helpful.

We indeed do have a DBA Team and a Network/server team.  We do also have a dev/uat/live environment for some SQL 
instances.  Anyone else care to comment regarding documentation on how to set up appropriate rights in SQL and/or 
servers?

Regards,

Mark

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of craig.wilson () redtray co uk
Sent: Wednesday, September 16, 2009 3:06 AM
To: Eggleston, Mark; listbounce () securityfocus com; security-basics () securityfocus com
Subject: Re: What Local Server Rights are needed for SQL DBAs?

Hi Mark

Depends how draconian you want to be and the setup of your teams.  If you have a DBA team and also server and 
infrastructure teams then I would normally have any config changes on the servers themselves go to the server team.

For DBA work they only need rights to make changes to the database, not to the underlying OS.
The rights you described above, save local admins, are enough for that.

In my experience the problem with app and DB developers having local admin rights is that corners are often cut in 
order to make something work.  

That leads to another point: assuming you are employing a dev\uat\live architecture and any amendments go via change 
management then access to dev should generally allow for local admin rights.

Craig
 
 
Sent from my BlackBerry® wireless device

-----Original Message-----
From: "Eggleston, Mark" <meggleston () healthpart com>
Date: Fri, 11 Sep 2009 14:15:22
To: <security-basics () securityfocus com>
Subject: What Local Server Rights are needed for SQL DBAs?

Hello Colleagues,

I need some help finding good documentation (i.e. best or standard practice) for deciding what appropriate rights are 
really needed for a DBA to perform his or her duties (Win 2003, SQL 2005/8).  Can anyone point me to a good reference, 
as my Google searches have not provided an authoritative conclusion?

Currently we have our Database Administration Group as local admins on those servers hosting SQL... However, is the 
serveradmin role required?
Our Manager of this group has indicated that DBAs certainly require these server-specific roles: setupadmin; 
processadmin; dbcreator.  

Thanks in advance for sharing how you may have tackled this issue at your company or a methodology on how to pursue.

Thanks,

Mark Eggleston
Manager, Security and Business Continuity 

 
This message, together with any attachments, is intended only for the use of the individual or entity to which it is 
addressed. It may contain information that is confidential and prohibited from disclosure. If you are not the intended 
recipient, you are hereby notified that any dissemination or copying of this message or any attachment is strictly 
prohibited. If you have received this message in error, please notify the original sender immediately by telephone or 
by return e-mail and delete this message along with any attachments, from your computer.



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
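
Added example, not part of the original thread: a read-only T-SQL audit for SQL Server 2005/2008 that shows which logins hold the fixed server roles named above (serveradmin, setupadmin, processadmin, dbcreator) and sysadmin, so the DBA group's actual rights can be compared with what was intended. The group name `EXAMPLE\SQL-DBAs` is a hypothetical placeholder.

```sql
-- Added example (not from the thread). Read-only; changes nothing.
-- EXAMPLE\SQL-DBAs is a hypothetical Windows group name: substitute your own.
DECLARE @dba_group sysname;
SET @dba_group = N'EXAMPLE\SQL-DBAs';

-- 1. Every member of every fixed server role. sysadmin is listed first because
--    it is full control of the instance; Windows groups are flagged because
--    anyone added to the group in AD or on the host inherits the role.
SELECT
    r.name       AS server_role,
    m.name       AS member_login,
    m.type_desc  AS member_type,        -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
    m.is_disabled,
    CASE
        WHEN r.name = 'sysadmin' AND m.type_desc = 'WINDOWS_GROUP'
            THEN 'sysadmin via group membership: review group members'
        WHEN r.name = 'sysadmin'
            THEN 'full control of the instance'
        WHEN r.name IN ('serveradmin', 'setupadmin', 'processadmin', 'dbcreator')
            THEN 'role discussed in the thread'
        ELSE ''
    END          AS note
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
ORDER BY CASE WHEN r.name = 'sysadmin' THEN 0 ELSE 1 END, r.name, m.name;

-- 2. Roles held directly by the DBA group's login. An empty result means the
--    group has no fixed server role of its own (or no login on this instance).
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @dba_group;

-- 3. Expand the Windows group to the accounts inside it, since query 1 only
--    shows the group itself, not the people who reach the instance through it.
EXEC xp_logininfo @acctname = @dba_group, @option = 'members';
```

If `BUILTIN\Administrators` appears under sysadmin in the first result, local administrators of the Windows host are also sysadmin on the instance, which is the link between the OS-level and SQL-level rights the thread is asking about.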


