mssqltips logo
giveaway
 

Tutorials          DBA          Dev          BI          Career          Categories          Webcasts          Whitepapers          Today's Tip          Join

Tutorials      DBA      Dev      BI      Categories      Webcasts

DBA    Dev    BI    Categories

 

Password management options for the SQL Server sa login


By:   |   Read Comments   |   Related Tips: More > Auditing and Compliance

Problem
In earlier tips from the sa series we outlined 'When not to use the sa password' and 'When was the last time the sa password changed?'.  In this installment of the sa series we will be outlining options for password management.  In a nutshell, depending on the security needs of the organization dictates how the sa password should be managed.  Although at a certain level, the sa login needs to be protected even in environments without specific legal or regulatory requirements.  As the security needs increase, then it is necessary to implement additional measures to manage and protect the most privileged (out of the box) login in SQL Server, the sa login.

Solution
As a DBA\Developer it is necessary to handle any privileged account's password with great care.  As such, here are some techniques to do so:

  • Do not use the sa login unless necessary and when you think it is necessary research other options to validate no other options exist
  • Do not let any applications get promoted to the production environment if they use the sa login
  • Use an electronic or physical password safe to manage the passwords to ensure they are stored in a secure location as opposed to a sticky note or some other easily accessible location
  • Create a password with 20+ characters (mixed case), numbers, symbols
  • Have a limited number of DBAs\Developers know the password or have access to the password to limit the potential exposure
  • Audit the login usage to the SQL Server error log or capture the usage with Profiler or a third party tool

SQL Server 2005 - Login Audits

  • Change the password on a regular basis whether that is monthly, quarterly, semi-annually
  • Ensure that changing the password is not a chore
  • Change the password when a DBA\Developer who knows the sa password leaves the organization
  • If you are in a secure environment, split the password between 2 DBAs so 1 DBA knows the first half of the password and another DBA knows the second half of the password
  • If you are using SQL Server 2005, leverage the new password options of 'Enforce password policy' and 'Enforce password expiration'

SQL Server 2005 Password Management Options

 

Next Steps



Last Update:






About the author
MSSQLTips author Jeremy Kadlec Since 2002, Jeremy Kadlec has delivered value to the global SQL Server community as an Edgewood Solutions SQL Server Consultant, MSSQLTips.com co-founder and Baltimore SSUG co-leader.

View all my tips
Related Resources





More SQL Server Solutions











Post a comment or let the author know this tip helped.

All comments are reviewed, so stay on subject or we may delete your comment. Note: your email address is not published. Required fields are marked with an asterisk (*).

*Name    *Email    Notify for updates 


Get free SQL tips:

*Enter Code refresh code     



Learn more about SQL Server tools