Disabling Windows system administrators and Windows authentication access on SQL Server 2005.
http://support.microsoft.com/kb/932881/en-us/
The Microsoft SQL Server 2005 Setup program creates a local Windows group for each service that you install. The SQL Server 2005 Setup program adds the service account for each service to its respective group. For a SQL Server failover cluster installation, Windows domain groups are used in the same manner. These domain groups must be created by a domain administrator before you run the SQL Server 2005 Setup program. All the Windows NT rights and permissions that are required by a specific service are added by the system access control list (SACL) to each Windows group. The domain administrator does not grant permissions directly to the service account.
In addition, the Windows groups that you created for SQL Server 2005, for SQL Server Agent, and for the BUILTIN/Administrators group are granted SQL Server 2005 logins that are provisioned in the SQL Server 2005 SYSADMIN fixed server role. This configuration makes it possible for any account that is a member of these groups to log on to SQL Server 2005 by using a Windows NT authenticated connection. Because the user has a group membership in the SQL Server SYSADMIN fixed server role, the user is logged into SQL Server 2005 as a SQL Server 2005 systems administrator. (The user is logged in by using the sa account.) Then, the user has unrestricted access to the SQL Server 2005 installation and to its data. Also, any user who knows the password for the instance of SQL Server 2005 or for the SQL Server Agent service account can use the service account to log on to the computer. Then, the user can make a Windows NT authenticated connection to SQL Server 2005 as a SQL Server administrator.
The Windows groups that you created for SQL Server 2005 Reporting Services (SSRS) and for the full-text search service are also granted SQL Server logins. However, Reporting Services and the full-text search service are not provisioned in the SYSADMIN fixed server role.
Some SQL Server 2005 administrators want the functional roles of the database administrator and of the operating system administrator to be strictly separated. These administrators want to protect SQL Server 2005 against unwanted access by the operating system administrator.
How to make unwanted access to SQL Server 2005 by the operating system administrator more difficult
Also, if SQL Server 2005 is started in single-user mode, any user who has membership in the BUILTIN/Administrators group can connect to SQL Server 2005 as a SQL Server administrator. The user can connect regardless of whether the BUILTIN/Administrators group has been granted a server login that is provisioned in the SYSADMIN fixed server role. This behavior is by design. This behavior is intended to be used for data recovery scenarios.
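The following T-SQL is an added example, not part of the KB article: it audits which Windows groups currently hold the SYSADMIN fixed server role, confirms a separate DBA login (placeholder name) is already a sysadmin so the instance is not locked out, and then removes the BUILTIN\Administrators login that maps operating system administrators to sysadmin. It uses the SQL Server 2005 syntax (sp_dropsrvrolemember) and deliberately leaves the per-service groups alone.

```sql
-- Added example (not from KB 932881): audit and remove the BUILTIN\Administrators
-- path into the SYSADMIN fixed server role on a SQL Server 2005 instance.

-- 1. Audit: every Windows group or Windows login that is a member of sysadmin.
--    The per-service groups created by Setup (SQL Server, SQL Server Agent)
--    will appear here; this script does not touch them.
SELECT  m.name      AS member_login,
        m.type_desc AS member_type,
        r.name      AS server_role
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
  AND   m.type_desc IN (N'WINDOWS_GROUP', N'WINDOWS_LOGIN')
ORDER BY m.name;

-- 2. Guard against lock-out: a sysadmin login that does NOT depend on
--    Windows group membership must already exist. @dba_login is a placeholder.
DECLARE @dba_login sysname;
SET @dba_login = N'<dedicated DBA login>';          -- placeholder; set locally
IF IS_SRVROLEMEMBER(N'sysadmin', @dba_login) <> 1
BEGIN
    RAISERROR(N'No independent sysadmin login found; aborting.', 16, 1);
    RETURN;                                         -- leaves the batch
END

-- 3. Harden: drop BUILTIN\Administrators from sysadmin, then drop its login.
--    sp_dropsrvrolemember is the SQL Server 2005 form (ALTER SERVER ROLE is 2012+).
IF EXISTS (SELECT 1 FROM sys.server_principals
           WHERE name = N'BUILTIN\Administrators')
BEGIN
    EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';
    DROP LOGIN [BUILTIN\Administrators];
END

-- 4. Verify: IS_SRVROLEMEMBER returns NULL once the login no longer exists,
--    and 0 if the login exists but is no longer a sysadmin.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'BUILTIN\Administrators')
       AS builtin_admins_is_sysadmin;

-- Caveat (as the article states): this does not apply when the instance is
-- started in single-user mode (-m), where local Administrators can still
-- connect as sysadmin for data recovery.
```

Run step 1 on its own first and keep its output; it is the list you will compare against after the change and the record of which service groups still hold sysadmin.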
For more information about security best practices for SQL Server 2005, see the "Security Considerations for a SQL Server Installation" topic in SQL Server 2005 Books Online.