question

WilliamD avatar image
WilliamD asked

Security considerations for BUILTIN\Users

I have been paring down the logins and users on my database, but still have some hanging around that don't do anything as far as I can see. BUILTIN\\Users is one particular group that has no special permissions or role memberships. I have read many a page on google talking about the other BUILTIN group (administrators - not writing full name in the hope google will pick up on BUILTIN\\Users instead), but nothing talks directly about BUILTIN\\Users. I would like to remove this group, both as a DB user and as a login. I have separate AD Groups for admin and standard access to the SQL server. So basically, is it safe to remove BUILTIN\\Users as a user and login?
securityloginbest-practice
10 |1200 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

K. Brian Kelley avatar image
K. Brian Kelley answered
BUILTIN\\Users is not a normal, default addition to the logins. That means someone either put it there knowingly or unknowingly. The key is to determine which. You'll need to audit logins to your SQL Server and determine if they're coming in via other means. You can do that by getting with your AD admins and checking the other Windows logins (especially groups) which are being used.
2 comments
10 |1200 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

@K. Brian Kelley I just added an extra backslash to "escape the escape". Otherwise, the **BUILTIN\\Users** comes as **BUILTIN\Users**. I hope you don't mind :)
0 Likes 0 ·
@K. Brian Kelley - the group was probably added unknowingly. As I mentioned, I don't have other users/groups that shouldn't be there - logins are audited too. I will remove both the user and login then, thanks for your help.
0 Likes 0 ·
KenJ avatar image
KenJ answered
As long as nobody is accessing the server via that group, I think you'll be fine. We don't have any of the BUILTIN groups authorized as logins on our servers and haven't had any issues.
10 |1200 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.