A very interesting paragraph from a Microsoft KB article about NT AUTHORITY\SYSTEM and BUILTIN\Administrators logins

The original article is here and the quoted text is as follows:

The NT AUTHORITY\SYSTEM account is also granted a SQL Server login. The NT AUTHORITY\SYSTEM account is provisioned in the SYSADMIN fixed server role. Do not delete this account or remove it from the SYSADMIN fixed server role. The NTAUTHORITY\SYSTEM account is used by Microsoft Update and by Microsoft SMS to apply service packs and hotfixes to a SQL Server 2005 installation. The NTAUTHORITY\SYSTEM account is also used by the SQL Writer Service.

Also, if SQL Server 2005 is started in single-user mode, any user who has membership in the BUILTIN\Administrators group can connect to SQL Server 2005 as a SQL Server administrator. The user can connect regardless of whether the BUILTIN\Administrators group has been granted a server login that is provisioned in the SYSADMIN fixed server role. This behavior is by design. This behavior is intended to be used for data recovery scenarios.

As for the argument whether or not to delete login “BUILTIN\Administrators”, this article basically anwsers it all. Since all local administrators can still access database engine during single user mode which only occurs during disaster recovery situations, it is very safe to remove “BUILTIN\Administrators” to reduce hackers’ attack vector. However, the second bold part sounds a little bit ambiguous and I am planning to test it out myself on a text box soon.

Update on April 13, 2011

I just carried a test about the default Built-in administrators’ ability to log on to SQL Server as sysadmin when the SQL Server servcie is running under single user mode. And the test result is positive. You actually can delete the login “BUILTIN\Administrtors” and still use a local admin account to log on to SQL Server as a sysadmin under single user mode. Once the SQL Server service is backup to multiple user mode, the local admin account failed to log in.

Therefore, to have a super compliant and secure management on SQL Server sysadmin accounts, the best thing to do is to put all user accounts in an AD group and assign this group as sysadmin role and delete BUILTIN\Administrators from the list of logins in SQL Server.


About Nick Xu

Not a DBA anymore
This entry was posted in SQL Server. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s