Question :
How can I system admin let it be me, but another users and admins must be cannot access my database.
My database located on customer server. I deleted all sql users, there’s only sa user. This persons don’t know my sa password. But this persons created sa similar users, and can access my database. I want block this users to my db.
Answer :
You can only really hope to log this and raise alerts. Users who can administer the hardware can always stop the service and bring a database up in single user mode etc. They can give themselves elevated permissions etc.
It’s a common requirement to segregate administrative duties so that server admins cannot see confidential files or confidential data.
However, because every administrative role can typically elevate their rights or create other users, requiring users to use least privilege accounts for their daily work and auditing what is done with elevated accounts is really the only way to deal with it.
-
Ensure there are no unwanted groups like BUILT-INADMINISTRATOR granted rights to the server & therefore your database, as that is a common backdoor for your windows Admin to get into your databases.
-
Explicitly deny the user access to your database
use [PrivateDatabaseName];
revoke connect from guest;
revoke connect from user1;
revoke connect from user2;