115
Most hardening guides, including those from Microsoft, asks for renaming and blocking the SA user in MSSQL databases. We have a DAM system monitoring the Database activity and have noticed that the SA user perform several activities such as Update and Insert. Is it posible to know what exactly are the activities the SA user does in the database?. If it is a misconfiguration problem, could anybody please tell me how to fix that?. Thank you.
*This post is locked for comments
To clarify Naga's points on GP Power User, Power User does not have all rights in GP as SA does. There is a second, 'quasi-SA' if you will, in GP called DYNSA (Dynamics SA) which has nearly all rights as SA does, but still not full SA rights. DYNSA user is created when you install GP. There are some tools in the PSTL toolbox that require SA to execute (or you can assign full SQL SA rights to another user). However, for day-to-day operation and administration of GP, DYNSA has the necessary rights.
Just make sure you don't have any other processes running in conjunction with GP that depend on SA for execution.
Also please go through the below link which will give you more info on this,
dynamicsgpblogster.blogspot.in/.../microsoft-dynamics-gp-10-poweruser-role.html
I agree with Chad. There are certain things in GP (like PSTL tools) which are documented to be run as an SA user. What exactly the intention here is to run the tool as a POWERUSER, where 'sa' is considered as the default POWERUSER.
I don't think it would be a problem with disabling SA user with users in GP created with appropriate security roles in regular usage. Infact SQAs in our team don't use 'SA' user for testing a customization.
Below is a document which can help you in this regard,
pinnacleofindiana.com/.../MinimizingTheUseOfSAInMicrosoftDynamicsGP1.pdf
Hope this helps.
The SA "shouldn't" be doing anything on it's own without someone actually logging in as the SA. But if someone set the user up as a service account then it may stop that program from functioning. This could be Management Report, Business Portal or any other third party application.
There are some functions in GP that ONLY the SA can do (run PSTL tools for example), so you would need someone with the exact same GP and SQL security to do these actions.
Hope this helps.
Many thanks form the answer Naga, but my question was intended to know if I am going to have problems with Dynamics GP if I disable SA user. The question is because I have seen a lot of application activities performed by SA User. I am not using this user, but I am affraid the application does. Could you please explain it to me?. Thank you.
Hi Javier,
As far as I know, 'sa' user has complete control over all the SQL Server databases, users, roles, permissions etc., and can perform any database activity without restriction.
Yes you can disable 'sa' user by using below query.
ALTER LOGIN [sa] DISABLE
GO
But make sure you setup a different user with correct administrative rights before you disable 'sa'.
In Dynamics GP, an user with administrative privileges can be created by using POWERUSER role.
Hope this helps.
#1
Almas Mahfooz
3
User Group Leader
Share
Report
All responses (
Answers (
