Should Windows “Built-In\Administrators” Group be SQL Server SysAdmins?

If you have worked (or are still working) with SQL Server 2005 or earlier, you must have noticed that when you installed these SQL Server versions, the local Windows group “Built-In\Administrators” was automatically added to the SQL Server instance as a login and granted the “SysAdmin” server role.

However, since SQL Server 2008 this is no longer the case. One of the security changes in SQL Server 2008 (and later) was to stop automatically adding “Built-In\Administrators” as a SQL Server SysAdmin during installation, leaving this decision to the person who performs the SQL Server setup and/or the Database Administrator (DBA).

The above short introduction leads us to the question: Should the Windows “Built-In\Administrators” group also be a SQL Server SysAdmin?

Based on SQL Server security best practices, the question has a definite answer, and that answer is No!

The above statement does not necessarily mean that a DBA cannot also have administrative access to the underlying machine on which SQL Server is installed, but it does mean that the entire “Built-in\Administrators” group should never be included as a “SysAdmin” in SQL Server. That is why the SQL Server 2008 (and later) installation wizard no longer automatically adds “Built-in\Administrators” as a SQL Server SysAdmin: at the end of the day, machine administrators and SQL Server administrators are two different roles that should not be mixed “by default”.

Another way to express the above concept in a single sentence is: A DBA can also be a machine administrator on a machine that has SQL Server installed, but a machine administrator should not automatically be a SQL Server SysAdmin.

*Important Note: When installing SQL Server or changing its security configuration, never lock yourself out of the SQL Server instance. Always ensure that there is at least one active SysAdmin login mapped to a physical person (i.e. the DBA) before removing any other SysAdmin.

One of the available security checks in our SQL Server security tool “DBA Security Advisor” is the “Built-In\Administrators” access check, which reports whether any server roles are assigned to the “Built-In\Administrators” group on the specified SQL Server instances.
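The same check, together with the “do not lock yourself out” safety check from the note above, as a T-SQL script you can run on an instance yourself. This is an added example, not DBA Security Advisor's own code; it assumes the login is named BUILTIN\Administrators (the name Windows gives the local group) and that the instance is SQL Server 2012 or later for the ALTER SERVER ROLE syntax in the final, commented-out statement.

```sql
-- Check 1: every server-level role held by the local Administrators group.
-- An empty result set is the desired outcome. The group only shows up here
-- if someone created the login (or it survived a pre-2008 installation).
SELECT
    p.name        AS login_name,
    p.type_desc   AS login_type,    -- WINDOWS_GROUP expected
    p.is_disabled,
    r.name        AS server_role    -- sysadmin, securityadmin, ...
FROM sys.server_principals AS p
JOIN sys.server_role_members AS rm
    ON rm.member_principal_id = p.principal_id
JOIN sys.server_principals AS r          -- fixed and user-defined roles (type 'R')
    ON r.principal_id = rm.role_principal_id
WHERE p.type = 'G'                       -- Windows group
  AND p.name = N'BUILTIN\Administrators'
ORDER BY r.name;

-- Check 2: before removing the group from sysadmin, confirm that at least one
-- ENABLED, individual login still holds sysadmin. Type 'U' is a Windows user,
-- type 'S' is a SQL login; groups ('G') are deliberately excluded because
-- their membership is managed outside SQL Server. Review the list manually:
-- 'sa' is a SQL login too, but the note above asks for a named person.
SELECT
    p.name      AS sysadmin_login,
    p.type_desc AS login_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
    ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p
    ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND p.type IN ('U', 'S')
  AND p.is_disabled = 0
ORDER BY p.name;

-- Remediation (SQL Server 2012+), only after Check 2 returned a usable DBA login:
-- ALTER SERVER ROLE sysadmin DROP MEMBER [BUILTIN\Administrators];
```

Run both queries in one session on the instance being reviewed; removing the group from the role does not drop the login itself, so decide separately whether the login should remain for non-administrative access.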

Screenshot examples of checking the Built-In\Administrators access on a SQL Server 2017 instance:

[Screenshot: DBA Security Advisor - Check Built-In\Administrators Access - Select one or more SQL Server instances to scan]

[Screenshot: DBA Security Advisor - Check Built-In\Administrators Access - Select security check]

[Screenshot: DBA Security Advisor - Check Built-In\Administrators Access - Security Assessment Results]

Check out DBA Security Advisor. The Community Edition is free to download.


Reference: SQLNetHub (https://www.sqlnethub.com)

Recommended eBooks on SQL Server:

Developing with SQL Server: eBook by SQL Server MVP Artemakis Artemiou
Administering SQL Server: eBook by SQL Server MVP Artemakis Artemiou
Tuning SQL Server: eBook by SQL Server MVP Artemakis Artemiou
Artemakis Artemiou
Artemakis Artemiou is a Senior SQL Server Architect, Author, Software Developer and a Microsoft Data Platform MVP. He has over 15 years of experience in the IT industry in various roles. Among others, via his initiative SQLEBooks.com, Artemakis authors and publishes eBooks on different SQL Server topics. Artemakis currently serves as the President of the Cyprus .NET User Group (CDNUG) and the International .NET Association Country Leader for Cyprus (INETA). Additionally, he is the founder of the SQLArtBits initiative, which aims to provide the technical community with simple, yet powerful and high-quality SQL Server tools. Currently, the highlights of these tools are DBA Security Advisor and In-Memory OLTP Simulator. Artemakis's official website can be found at aartemiou.com. Artemakis's blogs can be found at SQLNetHub.com and TechHowTos.com.