SSC Rookie
Hi All,
Our SQL risk assessment determined that 'sa' should be renamed and disabled. As a fallback readiness, I gathered all objects owned by 'sa', but noted some system packages such as: PerfCountersCollect, PerfCountersUpload, QueryActivityCollect, SqlTraceCollect, TSQLQueryUpload, SqlTraceUpload. Any impact anticipated post 'sa' rename & disable on existing SQL2K8 R2 instances, or during SP1 to SP2 upgrade?
A good work-around was posted earlier for SQL2K5 (http://www.sqlservercentral.com/Forums/Topic560965-391-1.aspx), but not sure if the same applies to SQL2K8 R2.
Thanks
Othman.

SSCertifiable
Disabling sa should be enough. I would forego the rename.
__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Believe you can and you're halfway there. --Theodore Roosevelt
Everything Should Be Made as Simple as Possible, But Not Simpler --Albert Einstein
The significant problems we face cannot be solved at the same level of thinking we were at when we created them. --Albert Einstein
1 apple is not exactly 1/8 of 8 apples. Because there are no absolutely identical apples. --Giordy

SSC-Dedicated
I would also not rename the account.
Renaming it makes the account harder for hackers to locate and try to crack, but if the account's disabled there's no way to log in with it and hence it doesn't matter what the name is. Also there have been upgrade problems in the past with a renamed account. I would hope MS has learnt better, but I won't bet on it.
Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
We walk in the dark places no others will enter We stand on the bridge and no one may pass
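Gail's advice is to disable 'sa' rather than rename it, and Othman's question is what 'sa' still owns on the instance. The following T-SQL is an added example, not code posted by anyone in this thread: it inventories databases and Agent jobs owned by 'sa' (including the data-collector jobs listed in the first post), disables the login by its fixed SID so the script is unaffected by any earlier rename, and verifies the result. It assumes sysadmin rights on a SQL Server 2008 R2 instance and uses only the documented system catalog views and DMVs.

```sql
-- Added example (not from the thread): inventory what still depends on 'sa',
-- then disable it and verify. 'sa' is always principal_id 1 with SID 0x01,
-- so the script addresses it by SID rather than by name.

-- 1. Databases owned by sa. Ownership survives a disable, but reassigning
--    it avoids surprises for tooling that looks the owner up by name.
SELECT d.name AS database_name, SUSER_SNAME(d.owner_sid) AS owner_name
FROM sys.databases AS d
WHERE d.owner_sid = 0x01;

-- 2. SQL Agent jobs owned by sa, which covers the data-collector jobs
--    named in the original post (PerfCountersCollect, SqlTraceUpload, ...).
--    Agent still runs jobs owned by a disabled login; it is a rename that
--    can leave orphaned references.
SELECT j.name AS job_name, SUSER_SNAME(j.owner_sid) AS owner_name, j.enabled
FROM msdb.dbo.sysjobs AS j
WHERE j.owner_sid = 0x01;

-- 3. Disable the login (the thread's recommendation over renaming).
--    Resolving the name from the SID keeps this correct even if a policy
--    elsewhere has already renamed the account.
DECLARE @sa  sysname       = SUSER_SNAME(0x01);
DECLARE @sql nvarchar(max) = N'ALTER LOGIN ' + QUOTENAME(@sa) + N' DISABLE;';
EXEC sys.sp_executesql @sql;

-- 4. Verify: is_disabled must now be 1 for the principal with SID 0x01.
SELECT p.name, p.is_disabled, LOGINPROPERTY(p.name, 'IsLocked') AS is_locked
FROM sys.server_principals AS p
WHERE p.sid = 0x01;

-- 5. Anything still connected as sa is an application that will break;
--    track these down before the change is made permanent.
SELECT s.session_id, s.login_name, s.program_name, s.host_name, s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.login_name = @sa
  AND s.is_user_process = 1;
```

Run the whole script as one batch (no GO between steps) so the @sa variable is still in scope for the final check.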

SSC Rookie
Thanks Gail & opc for your reply.

SSC-Enthusiastic
Additionally, and where possible, I would leave the database with Integrated Security only. I know of very few instances where there is an absolute need to have an SQL Server Login ability. By having all your database user and group management controlled through Active Directory there is absolutely no chance of a SQL Server login being compromised.

SSCertifiable
kevaburg (3/20/2013):
Additionally, and where possible, I would leave the database with Integrated Security only. I know of very few instances where there is an absolute need to have an SQL Server Login ability. By having all your database user and group management controlled through Active Directory there is absolutely no chance of a SQL Server login being compromised.

That is the exact opposite to my experience. In fact, having contributed in some really large corporate Enterprises as well as some one-instance shops, and lots in between, I can count on one hand the number of instances not running in mixed-mode.

SSC-Enthusiastic
The focus for my answer was actually based around the phrase "the absolute need to have SQL Server Logins". Are they truly necessary? In the vast majority of cases I have worked on, an AD-based account was quite capable of doing the job of the SQL Server account. Where it wasn't capable of replacing it, it was only because the software had been hard-coded NOT to accept AD credentials.
One of my first questions to vendors is whether or not an SQL Server login is necessary. If so, why? Normally the answer is one that offers me the ability to create an equivalent AD-based login. An unfortunate fact as well is that a lot of vendors tend to understand their software and their own underlying database but not the server on which it runs and the security models available.
So in answer to my own question, "are SQL Server Logins truly necessary?", I would say very rarely.

SSCertifiable
That's fair, and you're right to challenge that point in an attempt to keep instances out of mixed-mode; I do the same. The reality is that it just takes one legacy app, or one client that cannot support Windows Auth, to cause it to be enabled.
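kevaburg's position is that SQL Server logins are rarely necessary and opc's is that one legacy client is enough to force mixed mode. The T-SQL below is an added example, not posted by either of them: it reports the instance's authentication mode, lists every SQL-authenticated login with its role memberships and password-policy settings, and shows which connected applications actually use SQL authentication, which is the evidence needed to decide whether Windows-only authentication is feasible. It assumes VIEW SERVER STATE permission and SQL Server 2008 R2 catalog views.

```sql
-- Added example (not from the thread): audit how much an instance really
-- depends on SQL Server authentication before arguing for Windows-only.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Every SQL login (type 'S'; 'U' and 'G' are Windows users and groups),
--    whether it is disabled, whether the Windows password policy and
--    expiration are enforced, and which fixed server roles it holds.
SELECT p.name,
       p.is_disabled,
       l.is_policy_checked,
       l.is_expiration_checked,
       LOGINPROPERTY(p.name, 'PasswordLastSetTime') AS password_last_set,
       STUFF((SELECT ', ' + r.name
              FROM sys.server_role_members AS m
              JOIN sys.server_principals AS r
                ON r.principal_id = m.role_principal_id
              WHERE m.member_principal_id = p.principal_id
              FOR XML PATH('')), 1, 2, '') AS server_roles
FROM sys.server_principals AS p
JOIN sys.sql_logins AS l ON l.principal_id = p.principal_id
WHERE p.type = 'S'
  AND p.name NOT LIKE '##%'   -- internal certificate-based logins
ORDER BY p.name;

-- 3. Live sessions authenticated with a SQL login, grouped by application
--    and host: these are the clients that would break under Windows-only.
SELECT s.login_name, s.program_name, s.host_name, COUNT(*) AS sessions
FROM sys.dm_exec_sessions AS s
JOIN sys.sql_logins AS l ON l.name = s.login_name
WHERE s.is_user_process = 1
GROUP BY s.login_name, s.program_name, s.host_name
ORDER BY sessions DESC;
```

Step 3 only sees sessions open at the moment it runs, so sample it over a business cycle before concluding that a login is unused.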

SSC-Enthusiastic
And that is my argument for at least two instances on each database server.....one with and one without! :)

SSCertifiable
kevaburg (3/20/2013):
And that is my argument for at least two instances on each database server.....one with and one without! :)

Yikes! You must print money over there...can you send me some? I won't say never, but I cannot imagine a scenario when I would argue that needing mixed-mode should provoke spinning up a new instance to isolate those databases that have clients that require it. I am thinking memory management becomes harder and less efficient, licensing costs go up, maintenance costs go up for applying SPs and CUs, and you still have an instance with SQL Logins, so what do you get in return? I would love to hear your reasoning behind such a position.