0

Situation: We recently had a consultant company build new Lync 2013 Servers in a mirror setup. There are two security principles set, SA (disabled), and a AD group that is only associated with the Public server role.

Setup: - 6 x Windows Server 2012 R2 Standard 64-bit - 4 x SQL Server 2012 Standard w/SP1 64-bit (11.0.3128) - - 2 x SQL Server Express 2012 64-bit(Witness) - All servers are VMware VMs

Questions: - Is there a Jedi trick to gain SysAdmin access or will I have to contact our consultant? - How does this happen? I thought there was some sort of failsafe to keep this from happening.

Sean Perkins
  • 1,355
  • 4
  • 25
  • 37
  • The duplicate addresses resetting the SA password, but basically once you are in as sysadmin you can do whatever you like (including creating a different sysadmin account). Why people disable sa I'll never understand... it's not like people can't discover other accounts with the same rights and brute force password attack those. If they don't want to use SQL Server authentication then just turn SQL authentication off. Otherwise don't disable sa, just set a secure password for it. – Aaron Bertrand Jul 16 '14 at 15:04
  • Thank you Aaron, I didn't think to ask about resetting the SA password. – Sean Perkins Jul 16 '14 at 15:04
  • I thought I remember reading that disabling the SA account was a best practice, is that not the case? – Sean Perkins Jul 16 '14 at 15:05
  • @Aron what if user searched on net but was not able to find the thread. If you can please take my suggesstion instead of marking duplicate can we have functionality to merge thread. A transaction log got filled error can have many causes and two such similar threads cannot be marked as duplicate. Can we discuss it on chat if you like ? :) – Shanky Jul 16 '14 at 15:08
  • @Shanky closing it as a duplicate does not remove the question, it just prevents duplication and splintering of effort. Both "threads" will still be found by Google. Also an important distinction: this is not a discussion forum, so there are no "threads;" it is a Q & A resource, so there are questions, answers, and commentary. – Aaron Bertrand Jul 16 '14 at 15:45
  • @Sean It is only a best practice if you think that security through obscurity is valuable. If you are going to create a different SQL auth account that has full access, there is not much to be gained by giving that account a different name - how long do you think that will stop a determined enemy? And if you aren't going to use a different SQL auth account for sa-type tasks, then why bother leaving SQL authentication enabled at all? – Aaron Bertrand Jul 16 '14 at 15:46

1 Answers1

2

Yes there is please follow below Microsoft web resource.It requires you to have admin access to windows machine and then start SQL server with -m option and create login in SQL server and grant it admin privileges.

http://msdn.microsoft.com/en-us/library/dd207004.aspx

Hope this helps

Shanky
  • 18,018
  • 4
  • 31
  • 54
  • Nice, that looks like that'll cause me to create a change request since these servers are now production. Don't want to cause an outage :/ Thanks again for the assist, Shanky. – Sean Perkins Jul 16 '14 at 15:01
  • Well apart from that I am not aware about any other method :) – Shanky Jul 16 '14 at 15:04