sa removal


mobasha (SSCommitted, 1.5K reputation)
For the time being we are in a transition period and things need some time to be done.
Anyway, if I disable the sa account I can still enable it again; I need some way to make the sa account disappear, vanish or something like this.

..>>..

MobashA

Jeff Moden (SSC Guru, 208K reputation)
So, delete the SA account just like any other account... just make sure that SOME account has SA privs.

Still, I'd rather get the users used to the idea of the word "NO"... transitive period or not. ;-) What are you going to do when they start asking for the sysadmin role instead of just "SA"? Answer will need to be "NO".

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think its expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair

mobasha (SSCommitted, 1.5K reputation)
Can I just delete it? I don't think I could!

..>>..

MobashA

GilaMonster (SSC Guru, 216K reputation)
Don't think so, but you can rename it. Not as good, but it does make it less obvious. Call it something like guest_user_testing or something like that and give it a ridiculous password that even you don't know (3 guids cast to varchar and put together work well).

As I said before, no amount of tweaking sa's properties will help you here. You need to tell the user that they cannot have the sa password or sysadmin privileges. End of Story.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass


Bob Fazio (SSCrazy, 2.9K reputation)
The better approach would be to disable SQL Server accounts and just use windows authentication.

I agree with Jeff here, this is a bad idea. You're asking to do something that the product I am sure never expected anyone to do. Don't expect to successfully apply a patch in the future (without some serious help for support $$).

Go see the Wizard and get some courage.

Steve Jones (SSC Guru, 142K reputation, Administrator)
If you're really concerned, give it a long, one-time password that you don't write down. Randomly bang on 20 keys to get it.

Don't rename it or delete it. You'll get into trouble later. If you can go to Windows auth only, still set a strong password for SA. Never know when someone will change it back.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com

Bob Fazio (SSCrazy, 2.9K reputation)
Steve Jones - Editor (5/27/2008)
If you're really concerned, give it a long, one-time password that you don't write down. Randomly bang on 20 keys to get it.


I like that, hehe. You will honestly be able to say you don't know the password.

Matt Miller (4) (One Orange Chip, 28K reputation)
Steve Jones - Editor (5/27/2008)
If you're really concerned, give it a long, one-time password that you don't write down. Randomly bang on 20 keys to get it.

Don't rename it or delete it. You'll get into trouble later. If you can go to Windows auth only, still set a strong password for SA. Never know when someone will change it back.


You could also go the extra mile, and mark it as disabled for logins, and deny it access to the DB engine.

----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

K. Brian Kelley (Keeper of the Duck, 24K reputation, Moderator)
Piggy-backing on what's already been said here:

Introduce your users to The Principle of Least Privilege. It's a security principle that says you give the users the rights they need and no more. Now, if an end user can justify needing to be able to create databases, manage security on the server, shut down the SQL Server, etc., then they get the appropriate rights. They can't. You should be able to get backing from your security personnel or auditors if you're in a large enough organization.

Show them the tons of documentation which all state "Don't use the sa account, ever." This is a well known security practice not to use. You can rename and you can disable, but as Steve says, you'll likely get into trouble later. I've written a blog post about a security company that requires it for one of their security products, okay, a rant, but generally, this is a no-brainer.

As previously said, set a strong password. Use a password generator to ensure it is complex and long. 20 characters or more. Make two copies of the password. One sealed and stored on-site in the event of an emergency and one sealed and stored off-site with your backups in the event of a disaster. Do this even if you can go to Windows authentication only mode. It's a simple registry change to flip it to mixed mode and then the next time the service restarts, such as when the server reboots due to security patches, you're in mixed mode.

If possible, switch to Windows authentication only mode. SQL Server logins have known weaknesses travelling across the wire and besides, if you can go to Windows auth mode, that means you have one source for security: Active Directory.

K. Brian Kelley
@kbriankelley
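
The hardening steps suggested across the replies above (a password built from three GUIDs that nobody knows, disabling the login, and checking the authentication mode), as an added T-SQL example that is not from any poster in this thread. It assumes SQL Server 2005 or later and a session running under a sysadmin login other than sa; the variable names are illustrative.

```sql
-- Added example, not code from the thread.
-- Assumption: run as a sysadmin login other than sa, SQL Server 2005+.

-- 1. Refuse to continue unless another enabled principal holds sysadmin.
IF NOT EXISTS (
    SELECT 1
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin'
      AND p.sid <> 0x01          -- exclude sa itself
      AND p.is_disabled = 0
)
BEGIN
    RAISERROR(N'No other enabled sysadmin found; leaving sa untouched.', 16, 1);
    RETURN;
END;

-- 2. Look sa up by its fixed SID so the script still works if it was renamed.
DECLARE @sa sysname, @pwd nvarchar(128), @sql nvarchar(max);
SELECT @sa = name FROM sys.server_principals WHERE sid = 0x01;

-- 3. Three GUIDs cast to text and concatenated: 108 characters, never displayed.
SET @pwd = CAST(NEWID() AS nvarchar(36))
         + CAST(NEWID() AS nvarchar(36))
         + CAST(NEWID() AS nvarchar(36));

-- ALTER LOGIN only accepts a literal password, so build the statement dynamically.
SET @sql = N'ALTER LOGIN ' + QUOTENAME(@sa)
         + N' WITH PASSWORD = ' + QUOTENAME(@pwd, '''') + N'; '
         + N'ALTER LOGIN ' + QUOTENAME(@sa) + N' DISABLE;';
EXEC sys.sp_executesql @sql;

-- 4. Verify the result and record the server's authentication mode.
SELECT name, is_disabled, is_policy_checked, modify_date
FROM sys.sql_logins
WHERE sid = 0x01;

-- 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
```

Re-running step 4 on a schedule shows whether the login has been re-enabled or the server has been switched back to mixed mode.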

mobasha (SSCommitted, 1.5K reputation)
Thanks guys for the info and for your help. It's going to happen, but things must go slowly, one step at a time.

..>>..

MobashA