SQL Local System Account Privledges

Consider the following:

SQL server and agent services run under the local system account
A user has db_owner of all databases other than system
User has local admin rights on the box
SQL builtin\administrator has been removed
User also has SQLAgentReaderRole rights
User does not have 'sa' password

Can the user in any way initiate a job that runs as 'sa'? Also, can the user create a job that runs against the master or msdb databases?

Thanks
barnescoAsked:
Who is Participating?
 
Marten RuneConnect With a Mentor SQL Expert/Infrastructure ArchitectCommented:
Quote: "User has local admin rights on the box"

Yes he can do all of this with a little knowledge.

//Marten
0
 
Vitor MontalvãoMSSQL Senior EngineerCommented:
barnesco, for security reasons you shouldn't use Local System Account for SQL Server services.
Check this http://msdn.microsoft.com/en-us/library/ms191543.aspx

Cheers
0
 
8080_DiverCommented:
If the Pkg owner is sa, then I believe that the user will have to know the sa password in order to execute the package.  That is the nature of sceurity. ;-)  If you don't have sufficient rights, you can't do it and sa rights are a super set of the local admin rights.
0
 
barnescoAuthor Commented:
I know, but it's not my call.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.