By: Jeremy Kadlec | Comments | Related: > Auditing and Compliance
Problem
One of the simplest security best practices is changing passwords on a regular basis. For some organizations that could be quarterly while others may have a more aggressive policy. Regardless of the policy, the issue remains the same, how can I enforce SQL Server 2000 password changes for my logins?
Solution
Scoping out the environment is the first place to start. What will probably be found is that you have user (logins for specific users), application (logins for an application to access SQL Server), system logins (the sa login) and administrative logins (logins used by DBAs). Of those logins, SQL Server 2000 standard and Windows (Domain\UserName) authenticated logins probably exist. Each of these require a different approach and offer a various level of password automation. Let's see what options are available to address these needs.
ID | Login Purpose | Login Type | Approach to Change Passwords |
1 | User Login - Login a business user would enter with their password to access the web based or desktop application | SQL Server Standard Login |
|
Windows Login |
| ||
Custom Account and Password Solution |
| ||
2 | Application Login - Login an application would use from a connection string | SQL Server Standard Login |
|
Windows Login |
| ||
3 | System Logins - The notorious system login in SQL Server is 'sa' which has the highest level of rights in the environment | SQL Server Standard Login |
|
Windows Login |
| ||
4 | Administrative Logins - Administrative logins for DBAs and System Admins | SQL Server Standard Login |
|
Windows Login |
|
Next Steps
-
If you are unfamiliar with your organization's password policies, revisit them and ensure the SQL Server's you manage are making the grade.
-
If your organization does not have password policies, review the type of work your organization conducts and assess the sensitivity of the data to determine:
-
How frequently the passwords should be changed i.e. 30, 60, 90 days?
-
Should the passwords have a minimum length, letters, numbers, capitalization, special characters, etc.?
-
Should the passwords be passwords or pass phrases?
-
Should the passwords become inactive after a finite number of login failures?
-
-
Stay tuned for new options available with SQL Server 2005 to improve standard login password complexity and expiration capabilities.
About the author
This author pledges the content of this article is based on professional experience and not AI generated.
View all my tips