I went to register for the webcasts and something seems to be wrong with the webcast page. I browse to http://msdn.microsoft.com/SQL/2005Webcasts/default.aspx and it keeps redirecting me to http://msdn.microsoft.com/vstudio/support. I was finally able to register using the direct registration links from Kent's blog (thanks Kent).
Registration is closed on the first webcast, there goes the T-shirt...
This tip comes from a customer support incident I worked on this week. The requirement was to lock down SQL Server to prevent regular domain administrators from looking at the data. You may run into a similar scenario where you need to secure SQL Server as tightly as possible and keep away even the groups of people that are involved in network administration and troubleshooting. For example, if a SQL Server database contains employee salary information or other sensitive data, it's probably not desirable to allow anybody with admin privileges on the SQL Server machine to be able to browse the data. The problem is that by default it's possible. SQL Server sets up a login called BUILTIN\Administrators. This account grants sysadmin privileges to local administrators. On many networks the local Administrators group also contains the Domain Admins group, so all members of these groups can do whatever they please in all databases.
You can follow these steps to prevent this:
- Create a Windows group for SQL Server administrators only (domain or local)
- Add only accounts that should be allowed unlimited access to one or more SQL Servers
- Create a new login for the SQL admin group, grant the group sysadmin privileges
- Delete the BUILTIN\Administrators login
If you have a SQL Server cluster, you should first read the How to impede Windows NT administrators from administering a clustered instance of SQL Server article in the KB.