• GilaMonster (7/31/2014)


    Michael Valentine Jones (7/31/2014)


    The last vendor I had to deal with had an application that required the use of a specific SA password to connect to the database on a specifically named (non-default) instance. Having an application use a hard coded SA password is really bad security, but it's just some medical application, so no big deal. :crying:

    ...

    Another vendor application (for a building security system) required the use of a blank SA password so I guess it can always get worse.

    That's when you rename the sa login to something which sounds useless, disable it and create a new login called 'sa' with just the permissions you want it to have.

    Want sa? Sure, just gimme a couple minutes...

    The medical application used several databases, so figuring out the permissions that the app required was just too much work to bother with switching the SA account. Since it was on an isolated named instance, I just let it be. Sometimes I just can't bother to care.

    I actually liked that anyone with network access would be able to defeat the building security system by giving themselves access through direct updates to the database. 😎 That was a system that I discovered already "in place", running on an ancient notebook computer sitting on the back of a rack in the computer room at a remote site.
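The "rename the real sa, disable it, create a decoy 'sa' with only the permissions the app needs" approach that GilaMonster describes above, written out as T-SQL. This is an added example, not code posted in the thread or shipped by either vendor. It assumes you are connected as a sysadmin login other than sa, that the application uses two databases called AppDB1 and AppDB2 (placeholder names), and that the application will accept whatever password you set on the decoy; the password string is a placeholder.

```sql
-- Added example (not from the thread): rename-and-decoy for an application
-- that insists on logging in as 'sa'.
-- Assumptions: run as a sysadmin other than sa; AppDB1/AppDB2 and the
-- password below are placeholders.
USE master;
GO

-- 1. Rename the real sa and disable it.
--    Renaming does not change its SID (0x01) or principal_id (1), so anyone
--    with VIEW ANY DEFINITION can still identify it; the DISABLE is what
--    actually closes the door, the dull name just stops casual guessing.
ALTER LOGIN sa WITH NAME = [svc_legacy_print];   -- placeholder "useless-sounding" name
ALTER LOGIN [svc_legacy_print] DISABLE;
GO

-- 2. Create the decoy login the application will connect with.
--    It is an ordinary SQL login: no server roles, no sysadmin.
CREATE LOGIN [sa] WITH PASSWORD = N'<placeholder-strong-password>',
    CHECK_POLICY     = ON,
    CHECK_EXPIRATION = OFF,          -- service accounts should not silently expire
    DEFAULT_DATABASE = [AppDB1];
GO

-- 3. Map it into each application database with the narrowest fixed roles
--    that still let the app work. Start here and widen only when the app
--    actually hits a permission error.
USE AppDB1;
GO
CREATE USER [sa] FOR LOGIN [sa];
ALTER ROLE db_datareader ADD MEMBER [sa];
ALTER ROLE db_datawriter ADD MEMBER [sa];
GRANT EXECUTE ON SCHEMA::dbo TO [sa];   -- remove if the app never calls stored procedures
GO

USE AppDB2;
GO
CREATE USER [sa] FOR LOGIN [sa];
ALTER ROLE db_datareader ADD MEMBER [sa];
ALTER ROLE db_datawriter ADD MEMBER [sa];
GO

-- 4. Verify: the renamed real sa is disabled and still sysadmin (sid 0x01);
--    the decoy named 'sa' is enabled and is NOT sysadmin.
USE master;
GO
SELECT name,
       principal_id,
       sid,
       is_disabled,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM   sys.server_principals
WHERE  sid = 0x01 OR name = N'sa';
GO
```

In the final query the row with sid 0x01 should carry the new name with is_disabled = 1 and is_sysadmin = 1, and the row named sa should show is_disabled = 0 and is_sysadmin = 0; if the decoy comes back as sysadmin, someone has added it to the role and the exercise has bought nothing. The caveat for the blank-password case in the thread is that CHECK_POLICY = ON will refuse an empty password; turning the policy off to satisfy such an application is exactly the trade-off being complained about, not a fix.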