Well, I'm not too sure about that as I'm able to retrieve Windows
account-information from a system through an anonymous account which
is enabled by default... So it seems to be able that there is some
kind of equal mechanism to retrieve role members from SQL-server as
well...
My question points to the direction of what the MBSA (Microsoft
Baseline Security Analyzer) does, to retrieve exactly such information
as members of certain roles etc., and this piece of software won't be
supplied with login-information for SQL-servers from the user, so
there must be a standard-way to be able to retrieve this information
(but keeping in mind that the MBSA runs with local admin rights on
every scanned system).
I've posted my question here as in the mbsa newsgroup you usually only
get the answer that such questions won't be supported / answered which
isn't really helpfull...
Thanks anyway,
Tim
[quoted text, click to view] > Information about security permissions in SQL Server is stored inside system
> tables, so you have to log on to SQL Server to be able to retrieve them.
> Don't you think it would be a big hole in the security of a system if you
> would be able to retrieve security information about that system without
> authenticating yourself with that system first, which it what it seems you
> would like to do?
>
> --
> Jacco Schalkwijk
> SQL Server MVP
>
>
> "Tim Gorgs" <google@supertimmy.com> wrote in message
> news:afa954a3.0403232347.7ba58611@posting.google.com...
> > Hi all, is there a way to retrieve the members of the Sysadmin (or any
> > other) role via a certain API-call?
> >
> > Or is my only chance to connect to the SQL server? If so, how can I
> > connect without any information about users / passwords that are
> > allowed to connect to the server? Is there something like an always
> > open "query account"?
> >
> > My problem is that I have to retrieve the members of the mentioned
> > role preferably without connecting to the server.
> >
> > Any help is very welcome, thanks in advance
> >
The Windows local administrators group is a member of the sysadmin SQL
Server role by default, so MBSA will have enough permissions to detect and
change all security settings on SQL Server. You can get the information
about the members of the server roles with EXEC sp_helpsrvrolemember,
regardless of the permissions of your login, but you still need to login
first.
--
Jacco Schalkwijk
SQL Server MVP
[quoted text, click to view] "Tim Gorgs" <google@supertimmy.com> wrote in message
news:afa954a3.0403250017.5a74bdca@posting.google.com...
> Well, I'm not too sure about that as I'm able to retrieve Windows
> account-information from a system through an anonymous account which
> is enabled by default... So it seems to be able that there is some
> kind of equal mechanism to retrieve role members from SQL-server as
> well...
>
> My question points to the direction of what the MBSA (Microsoft
> Baseline Security Analyzer) does, to retrieve exactly such information
> as members of certain roles etc., and this piece of software won't be
> supplied with login-information for SQL-servers from the user, so
> there must be a standard-way to be able to retrieve this information
> (but keeping in mind that the MBSA runs with local admin rights on
> every scanned system).
>
> I've posted my question here as in the mbsa newsgroup you usually only
> get the answer that such questions won't be supported / answered which
> isn't really helpfull...
>
> Thanks anyway,
>
> Tim
> > Information about security permissions in SQL Server is stored inside
system
> > tables, so you have to log on to SQL Server to be able to retrieve them.
> > Don't you think it would be a big hole in the security of a system if
you
> > would be able to retrieve security information about that system without
> > authenticating yourself with that system first, which it what it seems
you
> > would like to do?
> >
> > --
> > Jacco Schalkwijk
> > SQL Server MVP
> >
> >
> > "Tim Gorgs" <google@supertimmy.com> wrote in message
> > news:afa954a3.0403232347.7ba58611@posting.google.com...
> > > Hi all, is there a way to retrieve the members of the Sysadmin (or any
> > > other) role via a certain API-call?
> > >
> > > Or is my only chance to connect to the SQL server? If so, how can I
> > > connect without any information about users / passwords that are
> > > allowed to connect to the server? Is there something like an always
> > > open "query account"?
> > >
> > > My problem is that I have to retrieve the members of the mentioned
> > > role preferably without connecting to the server.
> > >
> > > Any help is very welcome, thanks in advance
> > >
> > > Tim
