#1

This is an old issue, but I want to see whether there are new tricks.

If I want to start the SQL instance in a single user mode and I don't want any app to get into it before I do, I can start it to listen on a different port and disable SQL Browser. I think this is pretty safe. Another trick is to disable named pipes and TCP, and let the instance listen on shared memory only. The problem is that if there are apps running locally, they may still get in before the DBA does.

Any thoughts?

Linchi

#2

Turning off the browser won't if there are apps connecting via the IP and port.

--
Andrew J. Kelly SQL MVP
Solid Quality Mentors

#3

Andy;
But I did say change the port and turn off SQL Browser. They can connect via IP and port, but they won't get to the right port without the of SQL Browser.

Linchi

#4

Ah yes you did, I misread it the first time. How about disconnecting the network cable.

--
Andrew J. Kelly SQL MVP
Solid Quality Mentors

#5

That would not be feasible in any modern data center as you won't be physically next to the machine, and pulling the cable would cut yourself from accessing the machine.

Linchi

#6

Come on Linchi, it was a joke

--
Andrew J. Kelly SQL MVP
Solid Quality Mentors

#7

One way would be to create a server login trigger and rollback any user connections except the user account you will use. Then enable and disable the trigger as needed.

http://www.sqljunkies.com/WebLog/kte.../09/25306.aspx
http://technet.microsoft.com/en-us/l.../bb326598.aspx

HTH,

Plamen Ratchev
http://www.SQLStudio.com
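
The logon-trigger approach suggested in post #7, sketched as an added example that is not part of the original post or the linked articles. The trigger name `trg_maintenance_logon_gate` and the login `DOMAIN\dba_admin` are hypothetical placeholders.

```sql
-- Added example: gate new connections with a server-level logon trigger.
-- Assumptions: trigger name and DOMAIN\dba_admin are placeholders.
USE master;
GO

CREATE TRIGGER trg_maintenance_logon_gate
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- ORIGINAL_LOGIN() is the login that opened the session, so an
    -- EXECUTE AS context switch cannot be used to get past the check.
    IF ORIGINAL_LOGIN() <> N'DOMAIN\dba_admin'
    BEGIN
        -- Rolling back inside a logon trigger refuses the connection.
        ROLLBACK;
    END
END;
GO

-- Normal operation: leave the trigger in place but disabled.
DISABLE TRIGGER trg_maintenance_logon_gate ON ALL SERVER;
GO

-- Start of the maintenance window: refuse every new login but the DBA's.
ENABLE TRIGGER trg_maintenance_logon_gate ON ALL SERVER;
GO

-- The trigger only stops NEW logins. List the sessions that were already
-- connected so they can be dealt with before the work starts.
SELECT session_id, original_login_name, host_name, program_name
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
  AND session_id <> @@SPID;
GO

-- End of the maintenance window: let applications back in.
DISABLE TRIGGER trg_maintenance_logon_gate ON ALL SERVER;
GO

-- Confirm the state that was left behind.
SELECT name, is_disabled
FROM sys.server_triggers
WHERE name = N'trg_maintenance_logon_gate';
GO
```

If the trigger is enabled with the wrong login name and locks the DBA out as well, the dedicated administrator connection (`sqlcmd -A`) is the way back in to disable it.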

#8

An interesting topic here.

How about simply disabling all the Logins except for the DBA's special Login?

Note:
I assume there is a decent Login planning in this ideal environment. By saying "decent Login planning" I mean creating Logins using Windows Groups\Accounts.

--
Ekrem Önsoy

#9

The problem there is that the solution is not 100% robust. When you need to start the SQL instance in single user mode, it may be in a state where it can't be started any other way. So now, how do you go about disabling the logins? This applies to using logon triggers as well.

Linchi