Monday, April 21, 2008

How to login to SQL Server as SA while running Windows Authentiaction only mode

A colleague of mine ran into following situation:
My Company polocies enforce that domain-admins group be removed from sysadmin role in production SQL Server and windows authentication mode should only be used.
He removed the domain-admin group from sysadmin roles , then set windows authentication only and restarted the server at night.
When he tried to log in back with his domain user account (which was part of domain admin group too) he could only log on to master db with public role only!!!!!!!!!!!!!!!!!!!!!
He forgot to add his own account explicitly in SQL Server before removing domain-admins group.

Interesting situation:

  • Domain-admins removed from SQL sysadmin role
  • SQL running Windows Authentication only Mode.
  • No windows user exist in SQL with sysadmin role.
Steps to log in back to SQL with sysadmin rights using SA?
Besides my colleague was planning to run rebuildm.exe utility to rebuild the master db , and then setting up logins and all user databases using scripts.
I tried something on my local test machine and found that there's a way!

I opened Enterprise Manager and tried to connect using SA with SQL authentication; Error: Login Failed for user 'sa'. Reason: Not associated with a trusted SQL Server connection.
hmmmm! OK
Solution:
  • I logged into the operating system running production SQL machine using local admin account.
  • Checked that NAMED-PIPES are enabled under the Server network utility.
  • Start --> Program Files --> Microsoft SQL Server --> SQL Server Client Network Utility
  • Goto Alias, Select Add.
  • Under network libaries , selected NAMED PIPES
  • Gave server alias prod1
  • Under Server Name typed the actual SQL instance name (in our case PRODUK1)
  • Clicked OK.
  • Open the Enterprise manager again
  • New SQL Server Registration.
  • Under the server, typed the alias: prod1
  • Selected, Use SQL Server authentication
  • user name : SA
  • password : typed the password
  • clicked OK.
Successfully connected using sa account! :)

This isn't a security breach; since you already logged in to the machine locally, that means your are an authenticated user to the system. NamedPipes library only supports connections that are valid windows logins. You can not connect using NamedPipes over the WAN or out of a trusted domain. Your Windows login must be authenticated on the machine running SQL Server before in order to use NamedPipes!


Cheers!

1 comment:

TalaT said...

There's a smarter way of doing so in SQL 2005.

http://sqlblog.com/blogs/uri_dimant/archive/2010/02/08/think-before-unchecking-sysadmin-rights-of-builtin-administrators.aspx