At present we have separate AD accounts for services on 'logical' groups of servers. These AD service account passwords are changed annually or when staff changes. We are moving further to eliminate 'interactive login' and 'terminal services login' for these accounts as well. As for the sa password, it is 32+ characters long and changed every 30 days.

By about the end of the first or mid second quarter of next year our planned security hardening changes should make things extremely secure.

One AD service account for all SQL Server services per physical server, or virtual Windows server in the case of clusters. This AD service account will only be allowed login authority on that server only, in addition to having 'interactive login' and 'terminal services login' disabled. Now on to the AD service account password ... it will be 32 characters and be changed every 24 hours!

As for the sa login - well, it will be 32 characters and be changed every 24 hours as well.

Sounds like a tall order but it will be totally automated in conjunction with password vaulting software for our 2005 instances.

Additionally, Windows Administration and key service and domain functions that require AD service accounts will fall into the same criteria described for the SQL Server AD service.

Oh - just the SQL Server AD accounts hardening affects 270+ instances!!!

Regards
Rudy Komacsar
Senior Database Administrator
"Ave Caesar! - Morituri te salutamus."
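As an added example (not from the post or its author), a Python sketch of the daily rotation step the post describes: generate a 32-character sa password from a CSPRNG and build the ALTER LOGIN statement with the password quoted safely, since ALTER LOGIN cannot take the password as a parameter. The required character classes and the 24-hour age check are assumptions; sending the statement to the instance is left to the caller.

```python
import secrets
import string
from datetime import datetime, timedelta

# Character classes the constructed policy requires (assumption; the post
# only says "32 characters"). A single quote is deliberately in SYMBOLS so
# the quoting in alter_login_sql() is exercised by real passwords.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!#$%&'()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS


def meets_policy(pwd: str, length: int = 32) -> bool:
    """True if pwd is at least `length` chars and uses all four classes."""
    return (len(pwd) >= length
            and any(c in UPPER for c in pwd)
            and any(c in LOWER for c in pwd)
            and any(c in DIGITS for c in pwd)
            and any(c in SYMBOLS for c in pwd))


def generate_password(length: int = 32) -> str:
    """Draw from os-level randomness until a policy-compliant password appears."""
    if length < 4:
        raise ValueError("length must allow all four character classes")
    while True:
        pwd = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pwd, length):
            return pwd


def alter_login_sql(login: str, pwd: str) -> str:
    """Build the T-SQL to set a login's password.

    The password must be spliced into the statement text, so doubling ']'
    in the identifier and ''' in the literal keeps a password containing
    those characters from breaking out of the bracket/quote delimiters.
    """
    ident = "[" + login.replace("]", "]]") + "]"
    literal = "N'" + pwd.replace("'", "''") + "'"
    return f"ALTER LOGIN {ident} WITH PASSWORD = {literal};"


def rotation_due(last_changed: datetime, now: datetime,
                 max_age: timedelta = timedelta(hours=24)) -> bool:
    """Daily rotation check: the password is due once it is max_age old."""
    return now - last_changed >= max_age
```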