SQL Clone
SQLServerCentral is supported by Redgate
Log in  ::  Register  ::  Not logged in

Running as SysAdmin

By Andy Warren,

Today we have a guest editorial from Andy Warren as Steve is on vacation. This was originally published on May 4, 2011.

After all these years I still find applications that are running under the SA account, though thankfully most of them have a strong password. Invariably when I find it and raise the issue they hang their heads in shame. Clearly they knew it was wrong, yet they did it anyway. Does that signal laziness? A contempt for security? Why would smart people take such a risk?

I think it stems from two different issues. One is that there is such a rush to ‘get to market’ that no one wants to make time to implement security, and the other is that they don’t understand how the security system works so they avoid it altogether. I think the second one is the real culprit, and that brings us to the next question – why don’t they understand security in SQL?

I don’t view the security options in SQL as overly complex, but having taught logins and users and roles for a few years I can tell you that few newbies find it intuitive and few DBA’s are good at explaining it to the newbies. Humans tend to avoid what they don’t know, and in the rush to market, getting bogged down learning the arcane art of SQL security just doesn’t seem like the right thing to do.

Hopefully at some point security will be a required course for anyone working with data and they’ll be taught by someone who can explain the concepts and dangers clearly. Until then, if you see someone abusing the sysadmin role, see it as an opportunity to show them how to do it. They know they are supposed, they just need a coach to fix it and teach them – and that’s our job to do.

No good editorial should wrap up without a good discussion, so the question is – what’s the worst usage of a sysadmin login you’ve seen?

Total article views: 503 | Views in the last 30 days: 1
Related Articles

Security issue

Security issue


security setting

change default security setting


Database Security

User security rights


Security Convenience

Security is always a hot topic, and Steve Jones notes that we should be specific when we work with s...


Responsibility for Security

Steve Jones talks about security, and the developer's role in ensuring secure code.