asked
Security considerations for BUILTIN\Users
I have been paring down the logins and users on my database, but still have some hanging around that don't do anything as far as I can see. BUILTIN\\Users is one particular group that has no special permissions or role memberships. I have read many a page on google talking about the other BUILTIN group (administrators - not writing full name in the hope google will pick up on BUILTIN\\Users instead), but nothing talks directly about BUILTIN\\Users. I would like to remove this group, both as a DB user and as a login. I have separate AD Groups for admin and standard access to the SQL server. So basically, is it safe to remove BUILTIN\\Users as a user and login?
BUILTIN\\Users is not a normal, default addition to the logins. That means someone either put it there knowingly or unknowingly. The key is to determine which. You'll need to audit logins to your SQL Server and determine if they're coming in via other means. You can do that by getting with your AD admins and checking the other Windows logins (especially groups) which are being used.
As long as nobody is accessing the server via that group, I think you'll be fine. We don't have any of the BUILTIN groups authorized as logins on our servers and haven't had any issues.
