CanadaDBA
583 Posts |
Posted - 2005-08-31 : 14:56:12
|
| I want to suggest a security model and change our current logins. For example, (1) I need a domain ID used only for the SQL Server service and the DTS packages (and/or for whatever needs access to both the SQL box and the file server). (2) I need a Windows local ID for access to the box (should this access be read only?)... I want to know how you suggest implementing the security on mine. I have two file servers and one SQL box.

Canada DBA |
|
|
CanadaDBA
583 Posts |
Posted - 2005-09-02 : 12:00:52
|
| It has been more than 48 hours and no reply! Come on folks, it is not that confusing a question.

In fact, the problem is that I use the same userid to RDC to the server that starts the SQL service or logs in to the file servers. Once, the userid was locked by the domain and a DTS failed because it was not able to access the file server. So it came to my mind to create another user id only for RDC to the server, and create a separate user id for DTS packages, and so on...

Imagine a site with 1 SQL box and 1 file server, 2 databases and some DTS packages. What is the suggestion for user ids for this site?

Thanks,
Canada DBA |
 |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2005-09-02 : 13:19:42
|
| All userids should be domain ids, not local. The SQL Server service accounts should be members of the local admin group. This account should not be used by anyone. It should only be used by the service or to troubleshoot a problem, such as a DTS package failing as a job.

Each person needing access to the SQL Server should use Windows Authentication and their ids should be on the domain. DBAs should have local admin on the database server.

Tara |
 |
|
|
Thrasymachus
Constraint Violating Yak Guru
483 Posts |
Posted - 2005-09-02 : 13:25:15
|
| EDIT: SNIPPED

no one likes tipping their hand on security. i would use windows authentication. my sql and sql agent service account would run under a windows network account that was not a network admin account and the password would never expire. i would perhaps add this account to the BUILTIN Admin local group. Finally I would give this windows account permissions over any network folder the DTS account needs to access.

====================================================
Regards,
Sean Roussy

"pimpin ain't easy, but someone has to do it" -- Pimpin Whitefolks(?) |
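
Added example, not part of any post in this thread: a PowerShell check of how a server currently stands against the account advice discussed above. It lists the account each SQL Server service runs under, whether that is a domain account, whether it is a direct member of the local Administrators group, and whether it is also an ID a person logs in with. The service-name patterns and the `$HumanAccounts` list (with its `EXAMPLE\jsmith` placeholder) are assumptions.

```powershell
# Added example: audit the accounts behind the SQL Server services on this box.
# Assumptions (not from the thread): service names start with MSSQL or SQLAgent,
# and $HumanAccounts is a list you supply of IDs people use for RDC or file shares.
param(
    [string[]]$HumanAccounts = @('EXAMPLE\jsmith')   # constructed placeholder
)

# Direct members of BUILTIN\Administrators (well-known SID, so it also works on
# localized Windows). Membership through nested domain groups is not expanded.
$localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object -ExpandProperty Name

$filter = "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%'"

Get-CimInstance -ClassName Win32_Service -Filter $filter | ForEach-Object {
    # Normalize ".\user" to "COMPUTER\user" so it compares with group member names.
    $acct = $_.StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')

    $kind =
        if ($acct -eq 'LocalSystem' -or $acct -like 'NT AUTHORITY\*') { 'BuiltIn' }
        elseif ($acct -like 'NT SERVICE\*')                           { 'Virtual' }
        elseif ($acct -like ($env:COMPUTERNAME + '\*'))               { 'Local' }
        elseif ($acct -like '*\*' -or $acct -like '*@*')              { 'Domain' }
        else                                                          { 'Unknown' }

    [pscustomobject]@{
        Service          = $_.Name
        State            = $_.State
        Account          = $acct
        AccountType      = $kind
        # UPN-style names (user@domain) will not match DOMAIN\user entries.
        InLocalAdmins    = $localAdmins -contains $acct
        # True means a lockout of a person's ID can also stop the service or a job,
        # which is the failure described earlier in the thread.
        SharedWithPerson = $HumanAccounts -contains $acct
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell 5.1 or later session on the database server; any row with `SharedWithPerson` set to `True` is the shared-ID situation the original poster ran into.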
 |