Restricting Computer Administrator Access To Named SQL Instance
Jan 18, 2008
This is a slight re-stating from an older thread, which I think warrants some new discussion. The answer has always been that system administrators should have full access to everything on a system, including databases.
Although that is a logical position for internal IT departments it doesn't quite fit the model of systems with outsourced or external system support.
"If you don't trust your DBA, then you need a new DBA. They are in a position of authority for a reason and restricting that authority makes it impossible for them to do the job they are hired to do."
What about scenarios where you have local machine administrators that should NOT be given access to private data in a secured database, even though they need to be able to access and maintain everything else? And unfortunately some regulations are written about access to stored data whether encrypted or not...
In the modern world of Sarbanes-Oxley and PCI-DSS/CISP it is no longer so cut and dried. Especially where companies have software/hardware support contracts with third parties that require administrative access to other aspects of the systems.
So accepting that you might need someone to have administrative level access to the box but they should not be able to view the contents of a database installed on that box, what would you do?
Is there a way to create an administrative group that does not allow access to a specific named instance of SQL?
Is there a way to revoke access for one member of the administrators group only?
I have installed and configured a 2nd instance of SSRS 2005 Standard Edition SP1 on a Windows Server 2003 Standard Edition SP2. The 2nd instance is using its own database and virtual directories under the default website. All configuration steps ran without error. I have no problem accessing the 2nd instance virtual directories via IE. When I connect to Reporting Services via Management Studio, it gives me no options for which instance to access and connects to the default instance. How do I connect to a 2nd named instance of SSRS via Management Studio? I've found no documentation in BOL related to this.
I am creating a SQL Named instance as a testing environment. This instance is on the same physical box as my Development environment, both are SQL 2005 standard edition. From the server in Management Studio, I can load, and interact with both instances. From a remote connection (e.g., my pc) I cannot access the named instance. I am getting the following:
Connect to Server
X Cannot connect to <server>\<named instance>
Additional Information
An error has occurred while establishing a connection to the server. When connecting to SQL Server 2006, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)(Microsoft SQL Server)
I have checked, and rechecked the server settings for this named instance, and remote connections are set to "allow". I have enabled TCPIP and Named Pipes protocols, and have ensured that my firewall is allowing the "listening port" for the named instance, and have even tried turning off my XP firewall during testing. I am sure that I have probably missed something, and have searched the community but only have been able to find resolutions that I have already tried. Is there more? Thanks in advance for any help and guidance you can provide.
I try to connect from a pc to a SQL Server on another pc. Both pc’s are in a workgroup. I want to connect from a Windows Forms application to a named instance on the other computer. By now I have been able to connect from one pc to SQL Server on the other with tcp:smurfin, 52782.
I want to be able to use servername\instancename (instead of portnumber) to make a connection in a Windows Forms application.
I’ve checked / tried the following:
• In the properties of the instance, tab Connections, the option Allow Remote Connections is enabled
• In Configuration Manager: TCP is enabled
• The service SQL Server Browser is started
• On the tab IPAddresses, in the section IPAll, there is NO portnumber for TCP Port. And TCP Dynamic Ports has the number 52782
• I have created an inbound rule for port 52782 and also for 1434 (SQL Server Browser). And to be on the safe side: a rule for 1433 as well.
• Restarted the service
If I run the following code in SQL Server, that same port number (52782) is returned:
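-- Search the current SQL Server error log for the listening-port message
EXEC xp_ReadErrorLog 0, 1, N'Server is listening on', N'any', NULL, NULL, 'DESC'
GO
-- Report the TCP port used by the current session
SELECT local_tcp_port FROM sys.dm_exec_connections WHERE session_id = @@SPID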
I've two instances(Default, Named[dynamicsFINANCE]) running on SQL server 2014. However, when I try to connect to named instance say (dynamicsFINANCE) using SQL authentication from local SSMS, I get below error message:
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified) (Microsoft SQL Server, Error: -1)
I assigned a static port number to the named instance [dynamicsFINANCE] 1450. I also setup the firewall rule to allow access to Port 1450.
I have a 3 node cluster on which I have installed SSAS as its own instance. I have created this as a named instance and can connect to it by server\instance if I'm on the server itself. However from my desktop I get the error saying instance was not found on server name.
I have defined an alternate port and setup firewall rules and can connect via server:port but not server\instance. Prior to making this change SSAS was running on default port of 2383 and I could connect just by servername.
I have read many articles for previous versions saying that clustered SSAS will always use 2383 and that you must connect just using servername. However, this is where it gets strange. I have a 2 node UAT cluster with SSAS setup exactly the same way I've described above and I can connect from my desktop as server\instance.
Should I be able to connect as server\instances for a named clustered instance in 2012?
Hi, I have a task in hand to migrate (upgrade) from SQL2K named instance to SQL2K5 default instance. There are many intranet applications touching current SQL2K. I would like to perform this upgrade such that I don't have to touch any application code - meaning I don't have to change the connectionstring to point to new Default instance. How can I achieve this?
So, in other words, here is what I want to achieve:
Current Server: SQL2K: SERVER_A\INSTANCE_A (named instance)
If I have both default, I could achieve this by setting up DNS alias after migration done so that any call for SERVER_A would point to SERVER_B. But in my case, I don't have SERVER_A, I have named instance. Is there any solution?
I am trying to set up a Named Instance of SQL 2000 on the same machine that has a default instance of SQL 7.0. The setup always completes and I am able to register the Named Instance of the SQL Server with which it was installed on. However, when I try to connect the users to the database, with both windows and SQL authentication, I receive a SQL server not found error. I have tried an alias setup as well as physically specifying the port number in setting up an ODBC connection. Has anyone run into similar problems? Also, has anyone been able to successfully complete the process as mentioned above?
I have a server with sql server 2005 installed as the default instance -- I have a piece of software that needs SQL2000 to be the default instance. Is there a way other than install new sql2005 named instance and move databases to rename my SQL2005 instance from <machinename> to <machinename>\sql05 for example?
I installed SQL Server 2005 recently on a cluster. I didn't go for the default instance and instead I named the instance option. Now I would like to migrate everything from the named instance to the default instance, which I haven't yet installed.
Is this an easy process? What about the logins and the maintenance plans and jobs? Is there anything else I need to be aware of?
I've never had to do this, but when I downloaded the Web Workflow Approvals Starter Kit, it requested that I install the database into a User Instance of .\SQLEXPRESS.
Now the problem is, I've installed it onto a default instance, so I was wondering whether you can create a named instance on top of a default instance... and if so, how would you do that?
First some explanation then the question. I have some users that legally or otherwise have gotten copies of SQL 2000 and installed it on their local PC's. They are now using Enterprise Manager to connect to my database servers via IP and server name. They are using their regular user id and passwords that they would use to log into the HR and Finance applications. For obvious reasons this is not a good thing. Now the question, can I somehow restrict connections via EM to just those with an sa role? Or am I doing something else wrong or missed some hidden configuration.
I wish to setup a database that can be viewed only by a few users. How do I stop other users and the general public from seeing the database and its structures.
I have a user who I only want to provide access to a single folder within RS2005. I don't seem to be able to do this, they can either see everything or nothing at all.
Certain people in our company want to use Crystal Reports for data-processing. Problem is we want them to NOT be able to access data in databases within the live server.
Given that we use trusted connection to validate all kind of data-access, I am wondering if there is a way so that (via NT administration or via some SQL Server security features) the live-server can refuse any connection request from the Crystal Reports application. At the moment the same group of people are allowed access to database (and should remain to be so) on this "live" server via some other applications (e.g. Microsoft Access).
I'm going through the SQLSecurity Checklist I found at sqlsecurity.com. One of the points it says to "Restrict to sysadmins-only access to stored procedures and extended stored procedures that you believe could pose a threat." It also lists a bunch of stored procs and extended stored procs that you should consider restricting to sysadmins only. I was wondering if someone could give me some pointers on how to do this? I would like to write a script that I could run on every sql server 2000 install that would do this. How could I ensure that every user does not have access except the sysadmins?
I have a design problem which I am hoping somebody can shed some light on.
I am running SQL Server 2000 using SQL authentication (due to be changed to Windows authentication in the next 6 months). I have a table in my database which we shall call monthly. I want to restrict the ability to insert to the monthly table to 2 stored procedures (proc_abc & proc_xy) which I have written which do various other validation checks before it inserts the data into monthly.
Users with the Foo function assigned are able to execute proc_abc & proc_xy
I have written a VB application which can be used by users who are not familiar with SQL to be able to execute these stored procedures. (Must have Foo function in order to login to this application).
I want to restrict the ability to execute the stored procedures to users using the VB application only, and thus not be able to execute the stored procedure using Query Analyzer or such like for any Foo user.
Is there any way I can do this?
One suggestion put to me is to split the functions. Have one function, let's call it Top, which can access the VB application and then have another function called Bottom which is able to execute the stored procedures. Only the VB app would have access to the Bottom credentials. But is this secure? Would I just hard code the credentials for the Bottom function user within the VB app? This doesn't seem a secure way of doing things to me.
The box I am trying to connect to is running two instances of SQL Server. There is a SQL Server 2005 instance which is the default. There is a SQL Server 2000 instance which is named 'SQLSERVER'. I can connect to the SQL Server 2000 instance no problem:
<add key="ConnectionString" value="server=MYPC\SQLSERVER;database=mydatabase;user id=****;password=****" />
However, I am having trouble connecting to the Default SQL Server 2005 instance. I have tried:
<add key="ConnectionString" value="server=MYPC;database=mydatabase;user id=****;password=****" />
but it doesn't work. I have tried explicitly setting SQL Server 2005 to use port 1434 (as SQL Server 2000 is running on port 1433), and then used:
<add key="ConnectionString" value="server=MYPC,1434;database=mydatabase;user id=****;password=****" />
but this doesn't work either.
Am I missing something here? Any help much appreciated. Thanks...
If you were asked to install SQL 2005 on a machine, would u install a default instance or a named one? And why would u choose one over the other?? Also, r there any issues with using a default instance?
Hi I'm building a data warehouse - my end users connect using Access via ODBC Microsoft SQL Server driver (2000.85.1117.00).
However, whenever they connect using Access via ODBC they get a huge list of sys and INFORMATION_SCHEMA views, in addition to the data warehouse tables they need to access.
How can I remove these sys and INFORMATION_SCHEMA views from the list of tables/views presented to the end user?
I've tried denying access by changing permissions to deny in the public role of the master database - I have also changed permissions in the public role in the data warehouse database. When I do this, the ODBC connection fails to retrieve any objects because it doesn't have access to sys.databases (and various other unspecified objects). I'm stuck - help!
We have 10+ MSDE 2000 installations on the same network. Each install has a named instance and the machines connect to each other via VB application. We have a couple SQL 2000 Standard boxes and a SQL 2005 box all running on the same network with no issues. The problem we have recently run into is with a SQL Express box. When the box is on the network OSQL stops finding the MSDE 2000 named instances on the network and only the SQL Express named instance appears in the list. The second the SQL Express box is removed from the network the named instances are visible. I monitored the UDP traffic and suspect there is an issue with the response from SQL Express to OSQL. Can't find any issues for this problem; the only report I found is if MSDE and Express are on the same machine.
I am still trying to figure some last issues before installing sql 2005 standard edition. vista issues, sql 2005 sql sp2 etc. My question is simple actually. It is about configuring administrative accounts on my computer. I wish to use configure the administrative account? I wish to use a third party in deploying sql reporting services. Do I need to set up a local account in report manager? The article in setting up reporting services in vista uses domain/instance name or computer name/instance name. How do I correctly set this up? I will be using july 2007 dvd for sp2 (I believe). Is there any article explaining the steps in sql sp2? Some people seem to have trouble in the restore step..... Thanks. I just want to be prepared.... Can I install cd's without the use of the internet....
How would I set permission for SQL Server 2005 "User A" to prevent access to System and other user databases, also How to hide the databases that "User A" has no rights to. I mean, when User A logs in, All other user databases are not visible to him/her.
Not sure if this is the right place for my question but here goes anyway.
I have an instance of SQL Server 2005 installed on my DEV PC. A colleague of mine wants to access my server from his machine which connected to the same network.
I logged on to SSMS and added him as a new login.
Will he be able to connect to it now or do I have to do more than just that?
I have SQL server 2005 on a Windows 2003 machine. The machine is old and I need to move the entire SQL server to a new machine. There are many databases and users that need to move across to the new server. Detaching and attaching the databases would be tedious due to the large number of databases. Is there a way of moving the DB's and SQL users to the new machine without having to do each db one at a time?
Additional info that might be helpful: The new server's IP address and name must also change to that of the old server. The old server initially had SQL 2000 on it and was upgraded to SQL 2005. The new server was installed with SQL 2005 only. Hence the Database and log paths differ between the old and new server.
Hello, PLEASE Help me. I have just installed the Quick Starts on my local machine, and it mentions that you will need a new instance of SQL called (local)/NetSDK. I already have the MS Personal Edition and the tutorials say to download the MS Desktop Engine. So what do I need to do in order to get the Quick Start samples to work locally??? Can I not just use my own instance and use the Grocer and other Databases there??? Please Help
I am running SQL2k SP3 with a default instance. I have recently added a second, named instance. When I try to connect to the named instance through Enterprise manager, it often times out. I never get a timeout accessing the default instance. Is there something I missed when setting up the second instance that is causing this access delay?