sa removal
Posted Monday, May 26, 2008 10:07 AM


Say Hey Kid

Group: General Forum Members
Last Login: Sunday, January 29, 2012 1:45 AM
Points: 710, Visits: 1,284
For the time being we are in a transition period and things need some time to be done.
Anyway, if I disable the sa account I can still enable it again. I need some way to make the sa account disappear, vanish or something like this..


..>>..

MobashA
Post #506523
Posted Monday, May 26, 2008 4:40 PM


SSC-Dedicated

Group: General Forum Members
Last Login: Today @ 10:11 AM
Points: 36,994, Visits: 31,513
So, delete the SA account just like any other account... just make sure that SOME account has SA privs.

Still, I'd rather get the users used to the idea of the word "NO"... transitive period or not. ;) What are you going to do when they start asking for the sysadmin role instead of just "SA"? Answer will need to be "NO".


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #506601
Posted Monday, May 26, 2008 11:39 PM


Say Hey Kid

Group: General Forum Members
Last Login: Sunday, January 29, 2012 1:45 AM
Points: 710, Visits: 1,284
Can I just delete it? I don't think I could!

..>>..

MobashA
Post #506672
Posted Monday, May 26, 2008 11:58 PM


SSC-Forever

Group: General Forum Members
Last Login: Today @ 7:53 AM
Points: 42,822, Visits: 35,952
Don't think so, but you can rename it. Not as good, but it does make it less obvious. Call it something like guest_user_testing or something like that and give it a ridiculous password that even you don't know (3 GUIDs cast to varchar and put together work well).

As I said before, no amount of tweaking sa's properties will help you here. You need to tell the user that they cannot have the sa password or sysadmin privileges. End of story.



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #506678
Posted Tuesday, May 27, 2008 11:57 AM
SSC Eights!

Group: General Forum Members
Last Login: Friday, January 6, 2012 2:39 PM
Points: 954, Visits: 683
The better approach would be to disable SQL Server accounts and just use windows authentication.

I agree with Jeff here, this is a bad idea. You're asking to do something that the product, I am sure, never expected anyone to do. Don't expect to successfully apply a patch in the future (without some serious help from support, $$).

Go see the Wizard and get some courage.
Post #507140
Posted Tuesday, May 27, 2008 12:28 PM


SSC-Dedicated

Group: Administrators
Last Login: Today @ 3:27 PM
Points: 33,202, Visits: 15,347
If you're really concerned, give it a long, one-time password that you don't write down. Randomly bang on 20 keys to get it.

Don't rename it or delete it. You'll get into trouble later. If you can go to Windows auth only, still set a strong password for SA. Never know when someone will change it back.
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #507173
Posted Tuesday, May 27, 2008 12:48 PM
SSC Eights!

Group: General Forum Members
Last Login: Friday, January 6, 2012 2:39 PM
Points: 954, Visits: 683
Steve Jones - Editor (5/27/2008)
If you're really concerned, give it a long, one-time password that you don't write down. Randomly bang on 20 keys to get it.


I like that. You will honestly be able to say you don't know the password.
Post #507189
Posted Tuesday, May 27, 2008 1:12 PM


SSCertifiable

Group: General Forum Members
Last Login: Today @ 9:28 AM
Points: 7,139, Visits: 15,190
Steve Jones - Editor (5/27/2008)
If you're really concerned, give it a long, one-time password that you don't write down. Randomly bang on 20 keys to get it.

Don't rename it or delete it. You'll get into trouble later. If you can go to Windows auth only, still set a strong password for SA. Never know when someone will change it back.


You could also go the extra mile, and mark it as disabled for logins, and deny it access to the DB engine.


----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
Post #507208
Posted Wednesday, May 28, 2008 10:44 AM


Keeper of the Duck

Group: Moderators
Last Login: Monday, August 18, 2014 8:24 AM
Points: 6,634, Visits: 1,871
Piggy-backing on what's already been said here:

Introduce your users to the Principle of Least Privilege. It's a security principle that says you give the users the rights they need and no more. Now, if an end user can justify needing to be able to create databases, manage security on the server, shut down the SQL Server, etc., then they get the appropriate rights. They can't. You should be able to get backing from your security personnel or auditors if you're in a large enough organization.

Show them the tons of documentation which all state "Don't use the sa account, ever." Not using it is a well-known security practice. You can rename and you can disable, but as Steve says, you'll likely get into trouble later. I've written a blog post about a security company that requires it for one of their security products (okay, a rant), but generally, this is a no-brainer.

As previously said, set a strong password. Use a password generator to ensure it is complex and long: 20 characters or more. Make two copies of the password. One sealed and stored on-site in the event of an emergency and one sealed and stored off-site with your backups in the event of a disaster. Do this even if you can go to Windows authentication only mode. It's a simple registry change to flip it to mixed mode, and then the next time the service restarts, such as when the server reboots due to security patches, you're in mixed mode.

If possible, switch to Windows authentication only mode. SQL Server logins have known weaknesses travelling across the wire and besides, if you can go to Windows auth mode, that means you have one source for security: Active Directory.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #507846
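Pulling together the concrete steps the replies above suggest (Gail's "three GUIDs" throwaway password, Matt's disable plus deny-connect, and a check of the authentication mode Brian warns can be flipped back), here is an added T-SQL hardening script. It is not from the thread; it assumes SQL Server 2008 or later and that you are connected as a sysadmin login other than sa.

```sql
USE master;
GO
-- Guard: refuse to run if sa is the only enabled sysadmin, so you cannot
-- lock yourself out. sid 0x01 is always the built-in sa login, even if renamed.
IF NOT EXISTS (SELECT 1
               FROM sys.server_principals
               WHERE type IN ('S', 'U', 'G')          -- SQL login, Windows user/group
                 AND IS_SRVROLEMEMBER('sysadmin', name) = 1
                 AND sid <> 0x01
                 AND is_disabled = 0)
BEGIN
    RAISERROR('No other enabled sysadmin login found; aborting.', 16, 1);
    RETURN;
END;

-- 1. Long throwaway password: three GUIDs concatenated (108 characters), built
--    at runtime so nobody sees or records it. ALTER LOGIN requires a literal,
--    hence the dynamic SQL. (NEWID() is the thread's suggestion, not a CSPRNG.)
DECLARE @pwd nvarchar(128) = CAST(NEWID() AS nvarchar(36))
                           + CAST(NEWID() AS nvarchar(36))
                           + CAST(NEWID() AS nvarchar(36));
DECLARE @sql nvarchar(max) =
    N'ALTER LOGIN [sa] WITH PASSWORD = ' + QUOTENAME(@pwd, '''') + N';';
EXEC sys.sp_executesql @sql;

-- 2. Disable the login and deny it the right to connect to the engine at all.
ALTER LOGIN [sa] DISABLE;
DENY CONNECT SQL TO [sa];

-- 3. Optional rename (less obvious, but see the warnings above about patching
--    and support; left commented out deliberately).
-- ALTER LOGIN [sa] WITH NAME = [guest_user_testing];

-- 4. Verify: expect is_disabled = 1 and connect_state = 'DENY'. Re-run this
--    query after patch cycles, since a registry change plus a service restart
--    can silently return the instance to mixed mode.
SELECT p.name,
       p.is_disabled,
       perm.state_desc AS connect_state,
       CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
            WHEN 1 THEN 'Windows authentication only'
            ELSE 'Mixed mode' END AS auth_mode
FROM sys.server_principals AS p
LEFT JOIN sys.server_permissions AS perm
       ON perm.grantee_principal_id = p.principal_id
      AND perm.permission_name = 'CONNECT SQL'
WHERE p.sid = 0x01;
```

The final SELECT looks the login up by SID rather than name, so it still reports correctly if someone has renamed sa in the meantime.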
Posted Wednesday, May 28, 2008 10:50 AM


Say Hey Kid

Group: General Forum Members
Last Login: Sunday, January 29, 2012 1:45 AM
Points: 710, Visits: 1,284
Thanks guys for the info and for your help. It's going to happen, but things must go slowly, one step at a time.

..>>..

MobashA
Post #507853