SQLServerCentral is supported by Redgate
Password policy for system logins
Casper101
Hi,
I would like to hear your opinion on password policy for system accounts (not the service accounts).
For our staff members who have access to SQL, we have the standard policy in place with regard to complexity, and in our case they have to change their passwords every 90 days (until we move onto a domain, where I would rather use domain accounts).
But what about the SQL logins for our front-end systems that connect to SQL (our websites, applications, etc.)? Yes, we have password complexity in place, but what about expiration? Should these passwords also expire and be changed, and more importantly, how often?
I don't believe it should also be 90 days like our staff logins...
Thom A
If the account is being used by an application, website, etc., then it is a service account, not a system account. Generally, service account passwords aren't set to expire; otherwise, when they do, things can fall over unless you have a very robust system in place that can automatically change all the references to that password in the right places, at the right time. With service accounts, you need to endeavour to ensure that the account only has access to do what it's allowed to/should do, and just that. On a website, this might mean that the account only has access to run stored procedures; anything else after that is inherited.

For your system administrators, then yes, expiry is a good practice. A lot of places also have it so that system administrators have two accounts: one for day-to-day work, and a second which has sysadmin privileges. This means that they can't "accidentally" do something they normally could as an SA, but also, should their normal account be compromised, the other is not.


Thom~
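As an added illustration (not code from the thread or from any poster), here is what the layout Thom describes looks like in T-SQL: an application login whose password is policy-checked but never expires, scoped to EXECUTE on one procedure schema; two expiring logins per administrator, only one of them in sysadmin; and a query to review the result in sys.sql_logins. The database WebAppDb, the schema app, the login names and the placeholder passwords are assumptions for illustration.

```sql
-- Added example, not code from the thread. Database WebAppDb, schema app,
-- logins web_app_login / jsmith / jsmith_adm and the placeholder passwords
-- are assumed for illustration; CHECK_POLICY is only enforced on Windows hosts.
USE master;
GO

-- 1. Application (service) login: complexity enforced, no forced expiration.
--    Generate a long random password and keep it in your secret store; the
--    literal below is a placeholder that must be replaced.
CREATE LOGIN web_app_login
    WITH PASSWORD         = 'REPLACE-with-a-long-random-secret-1!',
         CHECK_POLICY     = ON,      -- apply the Windows complexity/lockout policy
         CHECK_EXPIRATION = OFF,     -- rotate on your own schedule, not on a timer
         DEFAULT_DATABASE = WebAppDb;
GO

USE WebAppDb;
GO
CREATE USER web_app_user FOR LOGIN web_app_login;
GO
-- 2. Least privilege: EXECUTE on the procedure schema only. Ownership chaining
--    lets procedures in app (owned by dbo) read and write dbo tables without
--    granting the user any table permission. The chain does not cover dynamic
--    SQL inside a procedure; such procedures need their own permissions or
--    EXECUTE AS.
GRANT EXECUTE ON SCHEMA::app TO web_app_user;
GO

-- 3. Administrators: two expiring logins per person. The day-to-day login
--    holds no server role; the elevated one is added to sysadmin.
--    (CHECK_EXPIRATION = ON requires CHECK_POLICY = ON.)
USE master;
GO
CREATE LOGIN jsmith
    WITH PASSWORD = 'REPLACE-daily-2!', CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
CREATE LOGIN jsmith_adm
    WITH PASSWORD = 'REPLACE-elevated-3!', CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER SERVER ROLE sysadmin ADD MEMBER jsmith_adm;   -- SQL Server 2012 and later
GO

-- 4. Review: every SQL-authenticated login with its policy flags, sysadmin
--    membership and password age. Expected picture: application logins with
--    is_expiration_checked = 0 but is_policy_checked = 1 and is_sysadmin = 0;
--    any sysadmin login with expiration off is the thing to question.
SELECT l.name,
       l.is_policy_checked,
       l.is_expiration_checked,
       l.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', l.name)           AS is_sysadmin,
       LOGINPROPERTY(l.name, 'PasswordLastSetTime')   AS password_last_set,
       LOGINPROPERTY(l.name, 'DaysUntilExpiration')   AS days_until_expiration
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE '##%'     -- internal certificate-mapped logins
ORDER BY is_sysadmin DESC, l.name;
```

The review query is the part worth scheduling: because an application login never expires, the only things stopping a leaked password from living forever are the rotation you do yourself and the permissions the login actually holds, and the query surfaces both (password_last_set and is_sysadmin) in one place.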
Alexander Zhang
Interesting. My confusion is what the system logins are. Generally, I consider them to be some built-in logins such as sa, NT SERVICE\xxx, etc.
In the company I'm working for, Service Account means the account which is used by the MSSQL services, and Application Accounts are for applications (such as websites and other applications).

GASQL.com - Focus on Database and Cloud
Davis H
My guess is the reference is to machine accounts. Created on the "system". i.e. MYSERVER\MYUSER
Sue_H
Alexander Zhang - Monday, February 12, 2018 8:50 AM
Interesting. My confusion is what the system logins are. Generally, I consider them to be some built-in logins such as sa, NT SERVICE\xxx, etc.
In the company I'm working for, Service Account means the account which is used by the MSSQL services, and Application Accounts are for applications (such as websites and other applications).


The user was asking about system accounts (not logins) and then asked about SQL logins. Two very different things that Thom explained well.
NT SERVICE\xxx - those are generally virtual accounts, not built-in logins. Virtual accounts are explained in this documentation:
Configure Windows Service Accounts and Permissions

Sue
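An added query (not from the thread or any poster) that makes the distinction Sue draws concrete: it lists the accounts the SQL Server services actually run as, classifies each by its naming convention, and shows whether a server login of the same name exists. It relies on the sys.dm_server_services DMV (SQL Server 2008 R2 SP1 and later); the classification by name prefix is a heuristic for reading the output, not an authoritative check.

```sql
-- Added example, not code from the thread. Requires VIEW SERVER STATE.
-- The account_kind column is a naming heuristic: 'NT SERVICE\' names are
-- per-service virtual accounts, 'NT AUTHORITY\' names are built-in Windows
-- accounts, and a trailing '$' is the convention for (group) managed
-- service accounts. Anything else is a local or domain user account.
SELECT s.servicename,
       s.service_account,
       s.status_desc,
       CASE
           WHEN s.service_account LIKE 'NT SERVICE\%'   THEN 'virtual account'
           WHEN s.service_account LIKE 'NT AUTHORITY\%' THEN 'built-in Windows account'
           WHEN s.service_account LIKE '%$'             THEN 'managed service account'
           ELSE 'local or domain user account'
       END                                              AS account_kind,
       p.name                                           AS matching_login,
       p.is_disabled                                    AS login_disabled,
       IS_SRVROLEMEMBER('sysadmin', p.name)             AS login_is_sysadmin
FROM sys.dm_server_services AS s
LEFT JOIN sys.server_principals AS p
       ON p.name = s.service_account         -- the engine's own service SID is
                                             -- normally mapped to a login
ORDER BY s.servicename;
```

None of these service accounts carry a SQL login password that could expire, which is why the expiration question in the thread only concerns SQL-authenticated logins such as the ones an application uses.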



Alexander Zhang
Sue_H - Monday, February 12, 2018 12:40 PM
The user was asking about system accounts (not logins) and then asked about SQL logins. Two very different things that Thom explained well.
NT SERVICE\xxx - those are generally virtual accounts, not built-in logins. Virtual accounts are explained in this documentation:
Configure Windows Service Accounts and Permissions

Sue

Thanks for your explanation and correction. Glad to learn something :-)


Sue_H
Alexander Zhang - Wednesday, February 14, 2018 1:26 PM
Thanks for your explanation and correction. Glad to learn something :-)


It doesn't help that they keep modifying things with the accounts and how MS implements it on just about every release.
It's all good though; it gets more secure with every change. It's just hard to remember which version uses what.

Sue
