As the SQL Server best practices says, "Windows Authentication mode is more secure than SQL Authentication". And now I want to know: is there a way to protect SQL Server from user with Windows administrator rights?
SQL Server Security – How to Restrict Access for Windows Administrator?
Securitysql serversql-server-2008
Related Question
- SQL Express 2008 – How to Gain Admin Access
- Sql-server – Login Failed for User
- Postgresql – Restrict access for Windows administrator in PostgreSQL
- Sql-server – If the users need INSERT/UPDATE/DELETE permissions, is Windows auth still more secure than SQL Server auth
- Sql-server – SQL Server 2014 All Administrator Accounts Disabled
Best Answer
No.
If a user is a Windows Administrator of a box, assume that they own everything on the box (including SQL Server). With Windows Administrator rights it is trivial to bypass any targeted protection you apply (such as a logon trigger that identifies their user name), by impersonating someone else (including
NT AUTHORITY\SYSTEM
, which gets de facto admin rights on all local SQL Server instances). Auditing won't help much either, because they can easily turn that off, but you should have it just in case.If you don't trust someone, don't give them Windows Administrator rights, period.