Why RDP'ing into a SQL machine is a bad idea
- November 28, 2019
Guys, you should stop doing this: there are reasons why it’s not recommended to log into the SQL Server machine via RDP, as opposed to using a client on your PC (or another machine).
PS: These recommendations are valid for any DBMS, not only SQL Server.
You’re stealing resources from SQL Server
You’re probably logging into your server because there is a problem; do you really want to steal precious RAM and CPU time by launching SSMS (or any other tool) and make the situation even worse?
If your tool crashes, you could bring down the instance with you
Tools are evolving faster day after day, and it’s not uncommon for bugs to be left unchecked by the product team; do you really want to risk bringing down the entire server because your tool is buggy?
If things are really bad, you won’t be able to log in, regardless of where you are
When there are SERIOUS performance problems, i.e. your instance is totally pinned as far as resources go, the only way to log into the instance and do something about it is to use the DAC (Dedicated Administrator Connection); even if you are on the same machine, trying to log in as usual won’t make any difference.
Enable Remote DAC and save yourself from future troubles, now.
Why letting someone else RDP into the SQL Machine is even worse
Oh boy, here we go; supposing you don’t restrict them in any way, on top of the points above they could (I mean, you could too, but why would you?):
Modify the data files and/or corrupt the database
If the data files are accessible and editable, a malicious user can just go in and modify them, and the database will immediately become corrupt; or worse, if they know what they’re doing, they could actually change data in tables they shouldn’t have access to.
That’s because data files aren’t encrypted by default, so if you want encryption you have to ask for it, or else don’t allow anybody to come near the files.
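To see which data and log files on an instance are sitting on disk unencrypted, the read-only query below lists every database file next to its Transparent Data Encryption (TDE) state. It is an added example, not part of the original post, and it assumes a login with VIEW SERVER STATE and VIEW ANY DEFINITION (or sysadmin).

```sql
-- Added example: inventory of database files and their at-rest encryption state.
-- Read-only; uses only SQL Server catalog views and one DMV.
SELECT
    d.name            AS database_name,
    mf.type_desc      AS file_type,      -- ROWS (data file) or LOG
    mf.physical_name  AS file_path,      -- what a user on the machine would see
    d.is_encrypted    AS tde_enabled,    -- 1 = TDE has been turned on
    CASE dek.encryption_state
        WHEN 0 THEN 'No encryption key present'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
        ELSE 'No TDE key (plaintext on disk)'   -- no row in the DMV
    END               AS encryption_state,
    dek.key_algorithm,
    dek.key_length
FROM sys.databases AS d
JOIN sys.master_files AS mf
    ON mf.database_id = d.database_id
LEFT JOIN sys.dm_database_encryption_keys AS dek
    ON dek.database_id = d.database_id
-- Unencrypted databases first, so the exposed files are at the top.
ORDER BY d.is_encrypted, d.name, mf.file_id;
```

TDE only protects the contents of the files; it does not stop someone with file-system access from deleting or overwriting them, so restricting who can log on to the machine and reach those paths still matters.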
Delete everything
Technically this is still data modification as above, but it sounds scarier written this way.
Steal Data
Even scarier than losing everything, for the guys in security, is letting someone have your data.
Whoever has access to the machine and the data files, even if their account on the instance itself is super locked down, will be able to just read anything they please, just like that.
Just Crash the machine
Why not? Just like that, deliberately.