I was monitoring some SQL calls using SQL Server Profiler and noticed a Domain Admin account accessing SQL quite a bit. We do not have a DBA at this point. There are two developers and I am one of them. Is this a bad practice and/or a security risk? I ask because the latest rash of ransomware attacks have a strong emphasis on hijacking Domain Admin account privileges so I am concerned.
Sql-server – Domain Admin Account Accessing SQL Server
Security, sql server
Best Answer
You could use the following query to provide some quick details about the domain admin:
It'll show the name of the client machine where they are connecting from, and the last statement they executed.
In general, you probably want to explicitly control who has access to the SQL Server, especially for security-sensitive accounts such as members of the sysadmin and securityadmin server roles. The principle of least privilege applies.
This query will show you the members of each server-level role:
In general, this list should be as small as possible. Pay particular attention to the securityadmin and sysadmin roles.
As an aside, you want to limit the number of people who have access to the Domain Admins AD group since members of that group could restart your SQL Server in such a way that they can gain access to it, even if they haven't been explicitly granted access. There are a lot of security implications to be aware of domain-wide for highly privileged groups such as the Domain Admins.
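The queries the answer refers to did not survive on this page. The T-SQL below is an added example, not the answerer's original code, showing one way to get the same information from the standard SQL Server DMVs and catalog views. The login name `CONTOSO\DomainAdminAccount` is a constructed placeholder; substitute the account seen in Profiler.

```sql
-- Added example (not from the original answer).
-- Placeholder login: replace with the Domain Admin account observed in Profiler.
DECLARE @login sysname = N'CONTOSO\DomainAdminAccount';

-- 1. Where is the account connecting from, and what did it last run?
SELECT s.session_id,
       s.login_name,
       s.original_login_name,      -- differs from login_name under impersonation
       s.host_name,                -- client machine name (client-supplied)
       s.program_name,             -- client application name (client-supplied)
       c.client_net_address,       -- network address seen by the server
       c.auth_scheme,              -- NTLM / KERBEROS / SQL
       s.login_time,
       s.last_request_end_time,
       t.text AS last_statement
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
 AND c.parent_connection_id IS NULL          -- skip MARS child connections
OUTER APPLY sys.dm_exec_sql_text(c.most_recent_sql_handle) AS t
WHERE s.is_user_process = 1
  AND @login IN (s.login_name, s.original_login_name)
ORDER BY s.last_request_end_time DESC;

-- 2. Members of each server-level role (keep sysadmin and securityadmin small).
SELECT r.name      AS server_role,
       m.name      AS member_name,
       m.type_desc AS member_type,   -- WINDOWS_GROUP rows grant access indirectly
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 3. Which login or Windows group actually lets this account in?
--    The "permission path" column names the group the access is inherited from.
--    Requires a valid Windows account name; the placeholder above will error.
EXEC xp_logininfo @acctname = @login, @option = 'all';
```

The host and program names in the first result set are reported by the client, so treat `client_net_address` as the more reliable indicator of where the connection originates. Reading the session DMVs for other users' sessions requires the VIEW SERVER STATE permission.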