SQL Server 2005 Logins

Question

SQL Server 2005 Logins

K. Brian Kelley

SSC Guru

Points: 114562
More actions
June 22, 2006 at 1:48 pm

#94468

Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/bkelley/sqlserver2005logins.asp
K. Brian Kelley
@kbriankelley

Viewing 15 posts - 1 through 15 (of 35 total)

You must be logged in to reply to this topic. Login to reply

Frank Buchan Default port Points: 1405 More actions · Answer 1

I hope one of the series of articles deals with the horrifying interface mess in SQL Studio and how it affects security. While I think SQL Server 2005 did enhance security, the way it makes one manage it is a step backward, and makes me wonder if a lot of "default" security will become the normal because of how overly complicated the interface can be.

K. Brian Kelley SSC Guru Points: 114562 More actions · Answer 2

I can look at doing that. I prefer to manage the security on my servers through the T-SQL instead of through the SSMS interface, but you make a good point.

K. Brian Kelley
@kbriankelley

Yelena Varshal SSC-Dedicated Points: 34286 More actions · Answer 3

Brian,

Great Article, good examples. I like a lot that it points out differences between 7/2000 and 2005.

As a comment, there was probably one typo:

"............In order to turn on policy checking and password expiration, additional options must be specified. Those additional options are:

SID = SID
DEFAULT_DATABASE = default database
DEFAULT_LANGUAGE = default language
CHECK_EXPIRATION = { ON | OFF}
CHECK_POLICY = { ON | OFF}
CREDENTIAL = credential name

................"

I think you meant to say that in order to turn on policy checking and password expiration SOME of the additional options should be specified. Please, correct me if I am not right and ALL of the above options should be specified for pasword expiration check.

Regards,Yelena Varsha

K. Brian Kelley SSC Guru Points: 114562 More actions · Answer 4

No, you are most certainly right. Good catch. I had a couple of guys around the office proofread and none of saw that.

K. Brian Kelley
@kbriankelley

David.Poole SSC Guru Points: 75896 More actions · Answer 5

Hope the article on Symetric Keys and Certificates comes soon!

LinkedIn Profile

K. Brian Kelley SSC Guru Points: 114562 More actions · Answer 6

What I'm thinking of is I'm going to do the database users article, a primer on crypto (what a DBA needs to know), and then go into the encryption within SQL Server 2005. How does that sound?

K. Brian Kelley
@kbriankelley

tejas parikh Old Hand Points: 321 More actions · Answer 7

I actually have a question regarding a similar issue. I'm trying to migrate from SQL 2000 to SQL 2005. I need to migrate my windows Logins and SQL logins to SQL 2005 server. I wrote a script to get my SQL logins with their SID's over to SQL 2005 box. Can I also migrate their passwords???

Also, for Windows logins, if I'm trying to migrate them, do I need to care about their SID's? Thank you

Tej

SuzSQL SSC Eights! Points: 927 More actions · Answer 8

Question?

If I disable a Windows login in SQL Server and I happen to have domain admin permissions, does this disable the login on the domain? I tried to disable a group of windows logins in sql and I got permission denied. I am not an admin in the domain which is why I imagine this happened.

This is scary functionality especially if the windows ids and groups are used beyond SQL.

Susan

Bhushan Kalla Default port Points: 1475 More actions · Answer 9

It's really awesome article for the beginners in SQL Server 2005 security.

Bhushan

K. Brian Kelley SSC Guru Points: 114562 More actions · Answer 10

Actions taken in SQL Server have no effect on the domain. If you disable a login or group in SQL Server, it only affects SQL Server. However, changes in the domain, since that is the starting point, does affect SQL Server. So if a particular account is disabled, then it will not be able to access SQL Server, either.

K. Brian Kelley
@kbriankelley

csales Ten Centuries Points: 1219 More actions · Answer 11

I have a large number of logins that have been disabled. I would like to drop these logins and would prefer to script this. I've looked through the syslogins table and can't find an indicator which refers to whether an account is enabled/disabled. Anyone have any ideas as to where this is?

thanks.

K. Brian Kelley SSC Guru Points: 114562 More actions · Answer 12

If you are using SQL Server 2005, don't use syslogins. Instead use the system management view sys.sql_logins. There is a column, is_disabled, which is a flag for whether or not a login is disabled or not. To make it easy on us, there is the name column as well in that one view. That should allow you to script what you want fairly easily.

K. Brian Kelley
@kbriankelley

Tatsu SSCertifiable Points: 7824 More actions · Answer 13

I am looking forward to the article on Certificate logins. I think that will go a long way towards eliminating SQL Logins for cross-platform applications.

[font="Tahoma"]Bryant E. Byrd, BSSE MCDBA MCAD[/font]
Business Intelligence Administrator
MSBI Administration Blog

R M Buda SSCrazy Points: 2225 More actions · Answer 14

Hi Brian,

Great article. When I read it, it reminded me of something I have never understood about windows logins.

Say I have active directory with user "U" who belongs to 2 security groups, "GrpA" and "GrpB". I create 3 windows logins on SQL Server for "U", "GrpA" and "GrpB". Now when "U" logs on to the server which login is being used? And if I drop the login for "U", the user "U" can still access the server via a group, but which one?

Thanks,

Renato