
Running as SysAdmin

By Andy Warren

Today we have a guest editorial from Andy Warren.

After all these years I still find applications that are running under the SA account, though thankfully most of them have a strong password. Invariably when I find it and raise the issue they hang their heads in shame. Clearly they knew it was wrong, yet they did it anyway. Does that signal laziness? A contempt for security? Why would smart people take such a risk?

I think it stems from two different issues. One is that there is such a rush to ‘get to market’ that no one wants to make time to implement security, and the other is that they don’t understand how the security system works so they avoid it altogether. I think the second one is the real culprit, and that brings us to the next question – why don’t they understand security in SQL?

I don’t view the security options in SQL as overly complex, but having taught logins and users and roles for a few years I can tell you that few newbies find it intuitive and few DBAs are good at explaining it to the newbies. Humans tend to avoid what they don’t know, and in the rush to market, getting bogged down learning the arcane art of SQL security just doesn’t seem like the right thing to do.

Hopefully at some point security will be a required course for anyone working with data and they’ll be taught by someone who can explain the concepts and dangers clearly. Until then, if you see someone abusing the sysadmin role, see it as an opportunity to show them how to do it. They know they are supposed to; they just need a coach to fix it and teach them – and that’s our job to do.

No good editorial should wrap up without a good discussion, so the question is – what’s the worst usage of a sysadmin login you’ve seen?
