Today we have a guest editorial from Andy Warren as Steve is on vacation. This was originally published on May 4, 2011.
After all these years I still find applications that are running under the SA account, though thankfully most of them have a strong password. Invariably when I find it and raise the issue they hang their heads in shame. Clearly they knew it was wrong, yet they did it anyway. Does that signal laziness? A contempt for security? Why would smart people take such a risk?
I think it stems from two different issues. One is that there is such a rush to ‘get to market’ that no one wants to make time to implement security, and the other is that they don’t understand how the security system works so they avoid it altogether. I think the second one is the real culprit, and that brings us to the next question – why don’t they understand security in SQL?
I don’t view the security options in SQL as overly complex, but having taught logins and users and roles for a few years I can tell you that few newbies find it intuitive and few DBA’s are good at explaining it to the newbies. Humans tend to avoid what they don’t know, and in the rush to market, getting bogged down learning the arcane art of SQL security just doesn’t seem like the right thing to do.
Hopefully at some point security will be a required course for anyone working with data and they’ll be taught by someone who can explain the concepts and dangers clearly. Until then, if you see someone abusing the sysadmin role, see it as an opportunity to show them how to do it. They know they are supposed, they just need a coach to fix it and teach them – and that’s our job to do.
No good editorial should wrap up without a good discussion, so the question is – what’s the worst usage of a sysadmin login you’ve seen?