Password management options for the SQL Server sa login


By:   |   Updated: 2007-01-10   |   Comments   |   Related: More > Auditing and Compliance

Preparing Your SQL Servers for an Audit

Free MSSQLTips Webinar: Preparing Your SQL Servers for an Audit

In this webinar we will cover how an auditor typically approaches auditing a system in general and apply this to an audit of a SQL Server environment.


Problem

In earlier tips from the sa series we outlined 'When not to use the sa password' and 'When was the last time the sa password changed?'.  In this installment of the sa series we will be outlining options for password management.  In a nutshell, depending on the security needs of the organization dictates how the sa password should be managed.  Although at a certain level, the sa login needs to be protected even in environments without specific legal or regulatory requirements.  As the security needs increase, then it is necessary to implement additional measures to manage and protect the most privileged (out of the box) login in SQL Server, the sa login.

Solution

As a DBA\Developer it is necessary to handle any privileged account's password with great care.  As such, here are some techniques to do so:

  • Do not use the sa login unless necessary and when you think it is necessary research other options to validate no other options exist
  • Do not let any applications get promoted to the production environment if they use the sa login
  • Use an electronic or physical password safe to manage the passwords to ensure they are stored in a secure location as opposed to a sticky note or some other easily accessible location
  • Create a password with 20+ characters (mixed case), numbers, symbols
  • Have a limited number of DBAs\Developers know the password or have access to the password to limit the potential exposure
  • Audit the login usage to the SQL Server error log or capture the usage with Profiler or a third party tool

SQL Server 2005 - Login Audits

  • Change the password on a regular basis whether that is monthly, quarterly, semi-annually
  • Ensure that changing the password is not a chore
  • Change the password when a DBA\Developer who knows the sa password leaves the organization
  • If you are in a secure environment, split the password between 2 DBAs so 1 DBA knows the first half of the password and another DBA knows the second half of the password
  • If you are using SQL Server 2005, leverage the new password options of 'Enforce password policy' and 'Enforce password expiration'

SQL Server 2005 Password Management Options

 

Next Steps


Last Updated: 2007-01-10


get scripts

next tip button



About the author
MSSQLTips author Jeremy Kadlec Jeremy Kadlec is the Co-Founder, Editor and Author at MSSQLTips.com, CTO @ Edgewood Solutions and a six time SQL Server MVP.

View all my tips
Related Resources





Comments For This Article





download


Recommended Reading

Auditing Failed Logins in SQL Server

Auditing your SQL Server database and server permissions

Identify SQL Server databases that are no longer in use

SQL Server Login Properties to Enforce Password Policies and Expiration

Audit SQL Server Logins without filling up the Error Log





get free sql tips
agree to terms


Learn more about SQL Server tools