October 10, 2019 at 8:56 am
Dear Experts,
Our security team want to change all passwords of service accounts and application accounts (SQL), is it really advisable to do so? Is there any way to analyze the impact of this change?
Thanks in Advance.
October 10, 2019 at 7:02 pm
Sure, it's advisable.
I'm assuming that the reason for this is because the users and passwords have slowly got out to the people who shouldn't have them, or they do not have the usernames and passwords stored anyplace?
How many servers?
I suggest that your company invests in a password manager program, if they do not have one, and be very strict in its use.
Also, I suggest you look into Managed Service Accounts.
Michael L John
If you assassinate a DBA, would you pull a trigger?
To properly post on a forum:
http://www.sqlservercentral.com/articles/61537/
October 13, 2019 at 6:00 am
Sure, it's advisable.
I'm assuming that the reason for this is because the users and passwords have slowly got out to the people who shouldn't have them, or they do not have the usernames and passwords stored anyplace?
How many servers?
I suggest that your company invests in a password manager program, if they do not have one, and be very strict in its use.
Also, I suggest you look into Managed Service Accounts.
Thanks Michael, both the reasons you mentioned are valid for SQL Accounts but Service Account and Admin Accounts are strictly with DBAs and Windows Admins.
Thanks for suggestions. Will look into those options.
October 13, 2019 at 4:08 pm
Thanks Michael, both the reasons you mentioned are valid for SQL Accounts but Service Account and Admin Accounts are strictly with DBAs and Windows Admins.
If you're sharing the passwords for those accounts across multiple people, I suggest you stop that practice because there's no accountability that way. Yes, there are service accounts, but they should not be used by individuals.
--Jeff Moden
Change is inevitable... Change for the better is not.
October 15, 2019 at 9:53 am
Rechana Rajan wrote: Thanks Michael, both the reasons you mentioned are valid for SQL Accounts but Service Account and Admin Accounts are strictly with DBAs and Windows Admins.
If you're sharing the passwords for those accounts across multiple people, I suggest you stop that practice because there's no accountability that way. Yes, there are service accounts, but they should not be used by individuals.
Agree with you 100% but the situation was like that during initial days.
October 15, 2019 at 2:12 pm
Jeff Moden wrote: Rechana Rajan wrote: Thanks Michael, both the reasons you mentioned are valid for SQL Accounts but Service Account and Admin Accounts are strictly with DBAs and Windows Admins.
If you're sharing the passwords for those accounts across multiple people, I suggest you stop that practice because there's no accountability that way. Yes, there are service accounts, but they should not be used by individuals.
Agree with you 100% but the situation was like that during initial days.
Doing it wrong since the beginning still means it's wrong. They need to change that. Individuals should never be using service accounts to do their work.
--Jeff Moden
Change is inevitable... Change for the better is not.
October 15, 2019 at 5:53 pm
I agree with Jeff. If you want to change passwords, do so, though be aware this might mean reboots or restarts. For service accounts, use group service accounts, or strong, unknown passwords. If you have users or apps using this, you are opening up potential audit issues, and perhaps even allowing attack vectors from ransomware and viruses. Don't do this. Give everyone their own account for production work so that you can determine who does what. This is the time to do this as you re-evaluate security.
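Added example, not part of the original thread or any poster's code: one way to approach the impact question raised in the first post is to inventory, before rotating anything, which accounts the SQL Server services run under, which SQL-authenticated logins exist, and which hosts and programs are connected with them. It uses only built-in catalog views and DMVs and assumes the caller has VIEW SERVER STATE.

```sql
-- Added example: pre-rotation inventory for a SQL Server instance.
-- Read-only; nothing here changes a password or a login.

-- 1. Windows accounts the SQL Server services run under.
--    Changing one of these passwords means updating the service
--    configuration and restarting that service.
SELECT servicename,
       service_account,
       startup_type_desc,
       status_desc,
       last_startup_time
FROM sys.dm_server_services;

-- 2. SQL-authenticated logins and when each password was last set.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS datetime)
           AS password_last_set
FROM sys.sql_logins
WHERE name NOT LIKE '##%'          -- skip the internal ##MS_...## logins
ORDER BY password_last_set;

-- 3. Current sessions per SQL login, with the client host and program.
--    Each row is a place where a stored password would need updating.
SELECT s.login_name,
       s.host_name,
       s.program_name,
       COUNT(*)                      AS session_count,
       MIN(s.login_time)             AS earliest_login,
       MAX(s.last_request_end_time)  AS last_activity
FROM sys.dm_exec_sessions AS s
JOIN sys.sql_logins AS l
  ON l.name = s.login_name
WHERE s.is_user_process = 1
GROUP BY s.login_name, s.host_name, s.program_name
ORDER BY s.login_name, session_count DESC;
```

Query 3 is a point-in-time snapshot, so clients that connect only occasionally (scheduled jobs, month-end reports) will not appear unless it is sampled over a representative period.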
October 23, 2019 at 4:16 am
Rechana Rajan wrote: Jeff Moden wrote: Rechana Rajan wrote: Thanks Michael, both the reasons you mentioned are valid for SQL Accounts but Service Account and Admin Accounts are strictly with DBAs and Windows Admins.
If you're sharing the passwords for those accounts across multiple people, I suggest you stop that practice because there's no accountability that way. Yes, there are service accounts, but they should not be used by individuals.
Agree with you 100% but the situation was like that during initial days.
Doing it wrong since the beginning still means it's wrong. They need to change that. Individuals should never be using service accounts to do their work.
Thanks Jeff
October 23, 2019 at 4:21 am
I agree with Jeff. If you want to change passwords, do so, though be aware this might mean reboots or restarts. For service accounts, use group service accounts, or strong, unknown passwords. If you have users or apps using this, you are opening up potential audit issues, and perhaps even allowing attack vectors from ransomware and viruses. Don't do this. Give everyone their own account for production work so that you can determine who does what. This is the time to do this as you re-evaluate security.
Thanks a lot Steve.
As Michael suggested earlier, we will check the MSA & gMSA. Applications are using separate SQL authentication accounts.
We are using DML audits but it logs only parametrized query and not exact values.
Definitely we will implement the changes.
Thanks Again