Welcome to dbFreaks.com!
FAQFAQ    SearchSearch      ProfileProfile    Private MessagesPrivate Messages   Log inLog in

Functional Account SA No Connection

  
   Database Help (Home) -> Security RSS
Next:  change text by validation  
Author Message
Joe K.

External


Since: Apr 10, 2007
Posts: 16



(Msg. 1) Posted: Wed Oct 07, 2009 8:12 am
Post subject: Functional Account SA No Connection
Archived from groups: microsoft>public>sqlserver>security (more info?)
I have SQL Server 2005 database server that I have set up to running several
SSIS packages and other processes.

How can I modify this account by t-sql script or using SSMS to make sure no
user has the ability to log with this account?

I have SQL Server 2000 database server that I have set up to running several
DTS packages and other processes.

How can I modify this account by t-sql script or using SQL Server Enterprise
Manager to make sure no user has the ability to log with this account?

Thanks,

 >> Stay informed about: Functional Account SA No Connection 
Back to top
Login to vote
Uri Dimant

External


Since: Aug 24, 2003
Posts: 1744



(Msg. 2) Posted: Wed Oct 07, 2009 12:25 pm
Post subject: Re: Functional Account SA No Connection [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Joe

create trigger AuditLogin_sa
/* server means instance level*/
on all server
/* We specify the logon event at this stage
– If there are more than one connections of sa,
– Issue a rollback*/
for logon
as begin
IF ORIGINAL_LOGIN()= 'sa' AND
(SELECT COUNT(*) FROM sys.dm_exec_sessions
WHERE is_user_process = 1 AND
original_login_name = 'sa') > 1
ROLLBACK;

end
go


"Joe K." wrote in message

>
> I have SQL Server 2005 database server that I have set up to running
> several
> SSIS packages and other processes.
>
> How can I modify this account by t-sql script or using SSMS to make sure
> no
> user has the ability to log with this account?
>
> I have SQL Server 2000 database server that I have set up to running
> several
> DTS packages and other processes.
>
> How can I modify this account by t-sql script or using SQL Server
> Enterprise
> Manager to make sure no user has the ability to log with this account?
>
> Thanks,

 >> Stay informed about: Functional Account SA No Connection 
Back to top
Login to vote
Joe K.

External


Since: Apr 10, 2007
Posts: 16



(Msg. 3) Posted: Wed Oct 07, 2009 12:25 pm
Post subject: Re: Functional Account SA No Connection [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Miss understanding the functional has sysadmin security permission within
SQL Server. Need to make sure this account cannot be log into SQL Server
database server but can used to run SSIS packages.

Please help me resolve this issue.

Thanks


"Uri Dimant" wrote:

> Joe
>
> create trigger AuditLogin_sa
> /* server means instance level*/
> on all server
> /* We specify the logon event at this stage
> – If there are more than one connections of sa,
> – Issue a rollback*/
> for logon
> as begin
> IF ORIGINAL_LOGIN()= 'sa' AND
> (SELECT COUNT(*) FROM sys.dm_exec_sessions
> WHERE is_user_process = 1 AND
> original_login_name = 'sa') > 1
> ROLLBACK;
>
> end
> go
>
>
> "Joe K." wrote in message
>
> >
> > I have SQL Server 2005 database server that I have set up to running
> > several
> > SSIS packages and other processes.
> >
> > How can I modify this account by t-sql script or using SSMS to make sure
> > no
> > user has the ability to log with this account?
> >
> > I have SQL Server 2000 database server that I have set up to running
> > several
> > DTS packages and other processes.
> >
> > How can I modify this account by t-sql script or using SQL Server
> > Enterprise
> > Manager to make sure no user has the ability to log with this account?
> >
> > Thanks,
>
>
>
 >> Stay informed about: Functional Account SA No Connection 
Back to top
Login to vote
Erland Sommarskog2

External


Since: May 30, 2004
Posts: 2061



(Msg. 4) Posted: Wed Oct 07, 2009 6:25 pm
Post subject: Re: Functional Account SA No Connection [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Joe K. (JoeK@discussions.microsoft.com) writes:
> I have SQL Server 2005 database server that I have set up to running
> several SSIS packages and other processes.
>
> How can I modify this account by t-sql script or using SSMS to make
> sure no user has the ability to log with this account?
>
> I have SQL Server 2000 database server that I have set up to running
> several DTS packages and other processes.
>
> How can I modify this account by t-sql script or using SQL Server
> Enterprise Manager to make sure no user has the ability to log with this
> account?

In SQL 2005, you could do this with a login trigger as Uri suggestion,
but you would have to do it differently, you would need to check if the
application is SSIS. Then again, it's trivial to forge the application
name you login, as this is just part of the connection string.

In SQL 2000 there is definitely no way to do this.

--
Erland Sommarskog, SQL Server MVP, esquel.DeleteThis@sommarskog.se

Links for SQL Server Books Online:
SQL 2008: http://msdn.microsoft.com/en-us/sqlserver/cc514207.aspx
SQL 2005: http://msdn.microsoft.com/en-us/sqlserver/bb895970.aspx
SQL 2000: http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
 >> Stay informed about: Functional Account SA No Connection 
Back to top
Login to vote
Display posts from previous:   
Related Topics:
Set Sql Agent Proxy Account to Local Account - Hi- I'm trying to set the Proxy Account for Sql Server agent to a local windows account. The account is NOT in a domain; yet a domain is required to set the proxy. I have tried machine name, workgroup name, ., \, etc. to no avail. We have tried from..

SQL Services account question... - OK, here's my problem. I have a SQL 2005 Server that is part of a domain. The SQL services start with a local account and not a domain account. The issue I am seeing is that when I go to backup a database that is owned by a Domain account the..

Little database user account script need help... - Hi there, I found this script on Microsoft's site for creating a Database, User, and Account in SQL 2005, it works really well and I like it alot, does anyone know how I can modify it to allow that user to view/edit their database via the Microsoft SQ...

SQL2005 non-administrator Service Account - On server BOB, the SQL Services are running under an ID that by default was added to the SQL server groups SQLServer2005MSFTEUser$-ServerName-$MSSQLSERVER etc. However, the ID is also under the administrators group and I would like to remove it from..

AD account permissions required to access SQL Server host - Hi What permissions are required by an AD account/login to access a SQL Server host? For example, if my login - [mydomain\myuserid] needs trusted access to remote databases on the host MYSQLSERVER, does my account require "connect to machine&qu...
   Database Help (Home) -> Security All times are: Pacific Time (US & Canada)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You can edit your posts in this forum
You can delete your posts in this forum
You can vote in polls in this forum



[ Contact us | Terms of Service/Privacy Policy ]