SQL Server

时间:2016-02-26 14:59:24

标签: sql sql-server database-administration

我的客户正在开发一个安全项目,其中DBA tean之外的任何用户都拥有数据库或服务器级别/ dbo所有者权限的sysadmin,并删除所有SQL Server中提升的权限。在这样做之前,我们希望备份安全性以防万一有问题。任何人都可以帮助脚本吗?我有sp_rev_login用于备份登录,但考虑使用非常简单和直接的解决方案。欢迎任何想法。谢谢

2 个答案:

答案 0 :(得分:1)

取自Technet脚本中心,此脚本为我们提供了用户,角色,对象权限

**--Server level Logins and roles**
SELECT sp.name AS LoginName,sp.type_desc AS LoginType, sp.default_database_name AS DefaultDBName,slog.sysadmin AS SysAdmin,slog.securityadmin AS SecurityAdmin,slog.serveradmin AS ServerAdmin, slog.setupadmin AS SetupAdmin, slog.processadmin AS ProcessAdmin, slog.diskadmin AS DiskAdmin, slog.dbcreator AS DBCreator,slog.bulkadmin AS BulkAdmin
FROM sys.server_principals sp  JOIN master..syslogins slog
ON sp.sid=slog.sid 
WHERE sp.type  <> 'R' AND sp.name NOT LIKE '##%'

--Databases users and roles
DECLARE @SQLStatement VARCHAR(4000) 
DECLARE @T_DBuser TABLE (DBName SYSNAME, UserName SYSNAME, AssociatedDBRole NVARCHAR(256)) 
SET @SQLStatement='
SELECT ''?'' AS DBName,dp.name AS UserName,USER_NAME(drm.role_principal_id) AS AssociatedDBRole 
FROM ?.sys.database_principals dp
LEFT OUTER JOIN ?.sys.database_role_members drm
ON dp.principal_id=drm.member_principal_id 
WHERE dp.sid NOT IN (0x01) AND dp.sid IS NOT NULL AND dp.type NOT IN (''C'') AND dp.is_fixed_role <> 1 AND dp.name NOT LIKE ''##%'' AND ''?'' NOT IN (''master'',''msdb'',''model'',''tempdb'') ORDER BY DBName'
INSERT @T_DBuser
EXEC sp_MSforeachdb @SQLStatement
SELECT * FROM @T_DBuser ORDER BY DBName

--Get objects permission of specified user database 
USE <Database Name>
GO
DECLARE @Obj VARCHAR(4000)
DECLARE @T_Obj TABLE (UserName SYSNAME, ObjectName SYSNAME, Permission NVARCHAR(128))
SET @Obj='
SELECT Us.name AS username, Obj.name AS object,  dp.permission_name AS permission 
FROM sys.database_permissions dp
JOIN sys.sysusers Us 
ON dp.grantee_principal_id = Us.uid 
JOIN sys.sysobjects Obj
ON dp.major_id = Obj.id '
INSERT @T_Obj 
EXEC sp_MSforeachdb @Obj

SELECT * FROM @T_Obj

示例输出: 

DBName  UserName    AssociatedDBRole
PerformanceV3   public  NULL
PerformanceV3   dbo db_owner
PerformanceV3   guest   NULL

答案 1 :(得分:0)

使用生成脚本任务并选择用户。将脚本另存为文件作为备份。

查找具有不应该的SA的登录。

SELECT  'ALTER SERVER ROLE [sysadmin] DROP MEMBER [' + syslogins.name + '] GO;'
FROM    sys.syslogins
WHERE syslogins.name NOT IN (<dba GROUP/logins>)

这应该足以生成删除SA。如果您不想复制/粘贴,可以将输出粘贴到临时表中并在其上运行光标以执行删除。

相关问题
最新问题