Jack_Thiru from chennai (11/25/2009)
If this is correct then security is not there for passwords, if i know a user i can directly login using windows authentication and reset passwords as such...
They can only log in if their windows account has access to the SQL Server. They can only reset passwords if they have sufficient permission. Members of the sysadmin group can reset all passwords. Members of the securityadmin group can reset passwords (though iirc they cannot reset a sysadmin's password)
Anyone granted the ALTER permission on a login can change that login's password.
Logins can change their own passwords
How can we protect passwords from this kind of resets?
Make sure that the only people with the required level of permissions are the ones that are allowed to reset passwords.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability