DBA accounts best practice

pma111
Is there any major security benefit, or other benefit, in setting up DBAs with a separate AD account for day-to-day activities and then an elevated account for when they do their DBA work? I can understand the logic when it comes to tasks such as browsing the Internet, as if you got some nasty malware as a domain admin, for example, it could cause carnage. But if a standard user account is given SYSADMIN privileges on live DB servers, is that really a dangerous thing, or should they have a second account for doing their DBA duties? Do you use multiple accounts in your role as a DBA?
Exec Consultant
Distinguished Expert 2018
Commented:
First off, it is good to identify the trails of the specific DBA, hence sharing of accounts is not advised. A unique account is critical.

Hence, create an AD group, add the individual DBA accounts to the AD group, and grant sysadmin access to that AD group. (Granting lesser access than sysadmin to those who are performing the DBA tasks is practically not going to work. For even the simpler administrative tasks they will require admin access.)

Now comes the problem: the SQL Server is under our control, but what if someone manages to add them to the AD group? The AD is not in our control. Create a custom script to query the members of the AD group and configure an alert if there is a change in group members. There is actually technology such as database access monitoring that can monitor and analyse the activities in the database to alert on unauthorized events.

Strengthen your security either by DDL or policy-based management and monitor those accounts. Technology like Privileged Access Management serves as the central gatekeeper to record and enforce a specific login regime, which includes multi-factor authentication. The target database will then deny direct access unless it is a break-glass situation where the gatekeeper is not available due to unforeseen circumstances.
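
The "custom script to query the members of the AD group" suggested in the answer above could look like the following. This is an added example, not part of the original answer; the group name and baseline path are hypothetical placeholders, and it assumes the RSAT ActiveDirectory module and a scheduled task whose non-zero exit code is wired to your alerting.

```powershell
#Requires -Modules ActiveDirectory
# Added example: compare the sysadmin AD group against a reviewed baseline.
# GroupName and BaselinePath are hypothetical; restrict write access to the
# baseline file so the monitored accounts cannot edit it.
param(
    [string]$GroupName    = 'SQL-DBA-Sysadmin',
    [string]$BaselinePath = 'C:\SecOps\dba-group-baseline.txt'
)

# -Recursive flattens nested groups, so a member added indirectly through a
# child group is still reported. One "SID<tab>account" string per member.
$current = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    ForEach-Object { "$($_.SID.Value)`t$($_.SamAccountName)" } |
    Sort-Object -Unique)

# First run: record the membership as the baseline and stop.
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    [IO.File]::WriteAllLines($BaselinePath, [string[]]$current)
    Write-Output "Baseline created with $($current.Count) member(s); review it."
    exit 0
}

$baseline = @(Get-Content -LiteralPath $BaselinePath)

# Set difference in both directions (works when either side is empty).
$added   = @($current  | Where-Object { $_ -notin $baseline })
$removed = @($baseline | Where-Object { $_ -notin $current })

if ($added.Count -gt 0 -or $removed.Count -gt 0) {
    $added   | ForEach-Object { Write-Warning "ADDED to ${GroupName}: $_" }
    $removed | ForEach-Object { Write-Warning "REMOVED from ${GroupName}: $_" }
    # The baseline is deliberately NOT updated here: the alert keeps firing
    # until someone reviews the change and re-approves the baseline by hand.
    exit 1
}

Write-Output "No membership change in $GroupName ($($current.Count) member(s))."
exit 0
```

After a legitimate change is reviewed, delete the baseline file and run the script once to record the new approved membership.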
Shaun Vermaak, Senior Consultant
Awarded 2017
Distinguished Expert 2018

Commented:
Yes, don't do it.

You cannot tier isolate it
You should apply a PSO with a stronger password to elevated accounts
You might leak the hash which can then be offline cracked or checked on hashkiller
Should not be able to do admin from a user session without explicitly elevating
Elevated accounts should have more rigorous auditing
etc.
