Changing Credentials

  • Rechana Rajan

    SSCertifiable

    Points: 7678

    Dear Experts,

    Our security team wants to change all passwords of service accounts and application accounts (SQL). Is it really advisable to do so? Is there any way to analyze the impact of this change?

    Thanks in Advance.

  • Michael L John

    One Orange Chip

    Points: 25829

    Sure, it's advisable.

    I'm assuming that the reason for this is because the users and passwords have slowly got out to the people who shouldn't have them, or they do not have the usernames and passwords stored anyplace?

    How many servers?

    I suggest that your company invests in a password manager program, if they do not have one, and be very strict in its use.

    Also, I suggest you look into Managed Service Accounts.

    https://blogs.technet.microsoft.com/askds/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting/

    Michael L John
    If you assassinate a DBA, would you pull a trigger?
    To properly post on a forum:
    http://www.sqlservercentral.com/articles/61537/
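    The original question asks how to analyze the impact of rotating the SQL authentication accounts, and the reply above asks how many servers are involved. The script below is an added example, not code from the thread or from any of its authors: it runs one T-SQL inventory against each instance and lists, per login, the live sessions (host and client program), Agent jobs, linked servers, credentials and database users that depend on it. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and that your own Windows account has VIEW SERVER STATE and read access to msdb on every instance; the instance names and the login name are placeholders.

```powershell
# Added example, not from the thread: enumerate where a SQL login is used before rotating it.
# Assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and that your own Windows account
# has VIEW SERVER STATE and read access to msdb on every instance. Instance and login names
# are placeholders.
param(
    [string[]]$Instances = @('SQL01', 'SQL02\PROD'),   # placeholder instance names
    [string]$Login       = 'app_orders'                 # placeholder SQL login to be rotated
)

# The login name is spliced into the T-SQL by Invoke-Sqlcmd's $(var) substitution, so
# reject anything that is not a plain identifier before it gets near the query.
if ($Login -notmatch '^[\w.$-]+$') { throw "Unexpected characters in login name: $Login" }

# Every result set has the same three columns so the sets can be merged per instance.
$query = @'
DECLARE @login sysname = N'$(Login)';

-- 1. The login itself: is policy/expiration enforced, and when was the password last changed?
SELECT 'login' AS item, name,
       CONCAT('policy=', is_policy_checked, ' expiration=', is_expiration_checked,
              ' modified=', CONVERT(varchar(19), modify_date, 120)) AS detail
FROM sys.sql_logins WHERE name = @login;

-- 2. Live sessions: which hosts and which client programs hold this password right now.
SELECT 'session' AS item, host_name AS name,
       CONCAT(program_name, ' since ', CONVERT(varchar(19), login_time, 120)) AS detail
FROM sys.dm_exec_sessions WHERE login_name = @login AND is_user_process = 1;

-- 3. SQL Agent jobs owned by the login.
SELECT 'agent_job' AS item, j.name, CONCAT('enabled=', j.enabled) AS detail
FROM msdb.dbo.sysjobs AS j JOIN sys.server_principals AS p ON j.owner_sid = p.sid
WHERE p.name = @login;

-- 4. Linked servers that connect with this login: their stored password breaks on rotation.
SELECT 'linked_server' AS item, s.name, CONCAT('remote_name=', ll.remote_name) AS detail
FROM sys.linked_logins AS ll JOIN sys.servers AS s ON ll.server_id = s.server_id
WHERE ll.remote_name = @login;

-- 5. Credentials (Agent proxies and the like) that store this identity's secret.
SELECT 'credential' AS item, name, credential_identity AS detail
FROM sys.credentials WHERE credential_identity = @login;

-- 6. Database users mapped to the login: the databases whose applications depend on it.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'SELECT ''db_user'' AS item, N' + QUOTENAME(name, '''') + N' AS name, dp.name AS detail
    FROM ' + QUOTENAME(name) + N'.sys.database_principals AS dp
    JOIN sys.server_principals AS sp ON dp.sid = sp.sid WHERE sp.name = @login;'
FROM sys.databases WHERE state_desc = 'ONLINE';
EXEC sys.sp_executesql @sql, N'@login sysname', @login = @login;
'@

$findings = foreach ($inst in $Instances) {
    try {
        Invoke-Sqlcmd -ServerInstance $inst -Query $query -Variable "Login=$Login" -ErrorAction Stop |
            Select-Object @{ n = 'instance'; e = { $inst } }, item, name, detail
    } catch {
        Write-Warning "${inst}: $($_.Exception.Message)"
    }
}

$findings | Sort-Object instance, item, name | Format-Table -AutoSize

# An interactive client holding an application login's password means a person, not an
# application, is using the account: the shared-credential problem raised in the replies.
$findings |
    Where-Object { $_.item -eq 'session' -and $_.detail -match 'Management Studio|sqlcmd|Azure Data Studio' } |
    ForEach-Object { Write-Warning "Interactive use of $Login on $($_.instance) from $($_.name): $($_.detail)" }
```

Run it once per login before the change window. Every `session` host is a place where the application's stored connection string has to be updated; `linked_server` and `credential` rows have to be changed on the instance itself (ALTER LOGIN alone does not update them), and any warning about interactive use points at a person who should get their own account instead.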

  • Rechana Rajan

    SSCertifiable

    Points: 7678

    Michael L John wrote:

    Sure, it's advisable.

    I'm assuming that the reason for this is because the users and passwords have slowly got out to the people who shouldn't have them, or they do not have the usernames and passwords stored anyplace?

    How many servers?

    I suggest that your company invests in a password manager program, if they do not have one, and be very strict in its use.

    Also, I suggest you look into Managed Service Accounts.

    https://blogs.technet.microsoft.com/askds/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting/

    Thanks Michael, both the reasons you mentioned are valid for SQL accounts, but service accounts and admin accounts are strictly with DBAs and Windows admins.

    Thanks for suggestions. Will look into those options.

  • Jeff Moden

    SSC Guru

    Points: 995623

    Rechana Rajan wrote:

    Thanks Michael, both the reasons you mentioned are valid for SQL accounts, but service accounts and admin accounts are strictly with DBAs and Windows admins.

    If you're sharing the passwords for those accounts across multiple people, I suggest you stop that practice because there's no accountability that way.  Yes, there are service accounts, but they should not be used by individuals.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
    "If you think its expensive to hire a professional to do the job, wait until you hire an amateur."--Red Adair
    "Change is inevitable... change for the better is not."

    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Rechana Rajan

    SSCertifiable

    Points: 7678

    Jeff Moden wrote:

    Rechana Rajan wrote:

    Thanks Michael, both the reasons you mentioned are valid for SQL accounts, but service accounts and admin accounts are strictly with DBAs and Windows admins.

    If you're sharing the passwords for those accounts across multiple people, I suggest you stop that practice because there's no accountability that way.  Yes, there are service accounts, but they should not be used by individuals.

    Agree with you 100%, but the situation was like that during the initial days.

  • Jeff Moden

    SSC Guru

    Points: 995623

    Rechana Rajan wrote:

    Jeff Moden wrote:

    Rechana Rajan wrote:

    Thanks Michael, both the reasons you mentioned are valid for SQL accounts, but service accounts and admin accounts are strictly with DBAs and Windows admins.

    If you're sharing the passwords for those accounts across multiple people, I suggest you stop that practice because there's no accountability that way.  Yes, there are service accounts, but they should not be used by individuals.

    Agree with you 100%, but the situation was like that during the initial days.

    Doing it wrong since the beginning still means it's wrong.  They need to change that.  Individuals should never be using service accounts to do their work.

    --Jeff Moden


  • Steve Jones - SSC Editor

    SSC Guru

    Points: 717408

    I agree with Jeff. If you want to change passwords, do so, though be aware this might mean reboots or restarts. For service accounts, use group service accounts, or strong, unknown passwords. If you have users or apps using this, you are opening up potential audit issues, and perhaps even allowing attack vectors from ransomware and viruses. Don't do this. Give everyone their own account for production work so that you can determine who does what. This is the time to do this as you re-evaluate security.
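    The reply above warns that changing a service account password means restarts. Knowing which restarts is the impact analysis for the Windows side. The script below is an added example, not code from the thread or from any of its authors: it asks each server which services and scheduled tasks log on as the account, prints the list, and, only when a new password is supplied and `-WhatIf` is not set, stores the new password on each of them. It assumes PowerShell remoting is enabled and that you are a local administrator on the targets; the host names and the account name are placeholders.

```powershell
# Added example, not from the thread: find every Windows service and scheduled task on a set
# of servers that logs on as a given account, then (optionally) push the new password to
# each of them. Assumes PowerShell remoting is enabled and that you are a local administrator
# on the targets. Host names and the account name are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Servers = @('SQL01', 'SQL02', 'APP01'),   # placeholder host names
    [string]$Account   = 'CORP\svc_sql',                   # placeholder account in DOMAIN\name form
    [securestring]$NewPassword                             # omit to only report
)

$probe = {
    param($acct)
    $usr = ($acct -split '\\', 2)[-1]
    # Installers record the logon account as DOMAIN\name, name@domain or just name; match all three.
    $isAcct = { param($n) [bool]$n -and ($n -ieq $acct -or $n -ilike "$usr@*" -or $n -ieq $usr) }

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { & $isAcct $_.StartName } |
        ForEach-Object {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Kind = 'service'; Path = ''
                               Name = $_.Name; State = $_.State; Note = "StartMode=$($_.StartMode)" }
        }
    Get-ScheduledTask |
        Where-Object { & $isAcct $_.Principal.UserId } |
        ForEach-Object {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Kind = 'task'; Path = $_.TaskPath
                               Name = $_.TaskName; State = $_.State; Note = "LogonType=$($_.Principal.LogonType)" }
        }
}

$hits = Invoke-Command -ComputerName $Servers -ScriptBlock $probe -ArgumentList $Account -ErrorAction Continue
$hits | Sort-Object Computer, Kind, Path, Name | Format-Table Computer, Kind, Path, Name, State, Note -AutoSize

if (-not $NewPassword) { return }   # report-only run

$plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
foreach ($h in $hits) {
    $target = "$($h.Computer): $($h.Kind) $($h.Path)$($h.Name)"
    if ($h.Kind -eq 'service' -and $h.Name -match '^(MSSQL|SQLAgent|MSSQLFDLauncher|ReportServer)') {
        # SQL Server's own services are deliberately skipped here: Microsoft's guidance is to change
        # their logon account or password through SQL Server Configuration Manager (or the SMO
        # ManagedComputer provider), which also maintains the per-service ACLs.
        Write-Warning "$target must be changed through SQL Server Configuration Manager"
        continue
    }
    if (-not $PSCmdlet.ShouldProcess($target, 'store new password')) { continue }
    Invoke-Command -ComputerName $h.Computer -ArgumentList $h.Kind, $h.Path, $h.Name, $Account, $plain -ScriptBlock {
        param($kind, $path, $name, $acct, $pw)
        if ($kind -eq 'service') {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
            # Win32_Service.Change with only StartPassword replaces the stored secret; the running
            # process keeps its old token until the service is restarted.
            $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartPassword = $pw }
            if ($r.ReturnValue -ne 0) { throw "Change on $name returned $($r.ReturnValue)" }
        } else {
            Set-ScheduledTask -TaskPath $path -TaskName $name -User $acct -Password $pw | Out-Null
        }
    }
    Write-Output "$target updated; restart it in the change window"
}
```

Run it first without `-NewPassword` to get the inventory, then with `-NewPassword` and `-WhatIf` to see exactly what would be touched. The order that avoids an outage is: set the new password in Active Directory, immediately store it on every service and task found, then restart the services; a service restarted in between, or one the inventory missed (a different server, an IIS application pool, a COM+ application), is the one that locks the account out.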

  • Rechana Rajan

    SSCertifiable

    Points: 7678

    Jeff Moden wrote:

    Rechana Rajan wrote:

    Jeff Moden wrote:

    Rechana Rajan wrote:

    Thanks Michael, both the reasons you mentioned are valid for SQL accounts, but service accounts and admin accounts are strictly with DBAs and Windows admins.

    If you're sharing the passwords for those accounts across multiple people, I suggest you stop that practice because there's no accountability that way.  Yes, there are service accounts, but they should not be used by individuals.

    Agree with you 100%, but the situation was like that during the initial days.

    Doing it wrong since the beginning still means it's wrong.  They need to change that.  Individuals should never be using service accounts to do their work.


    Thanks Jeff

  • Rechana Rajan

    SSCertifiable

    Points: 7678

    Steve Jones - SSC Editor wrote:

    I agree with Jeff. If you want to change passwords, do so, though be aware this might mean reboots or restarts. For service accounts, use group service accounts, or strong, unknown passwords. If you have users or apps using this, you are opening up potential audit issues, and perhaps even allowing attack vectors from ransomware and viruses. Don't do this. Give everyone their own account for production work so that you can determine who does what. This is the time to do this as you re-evaluate security.

    Thanks a lot Steve.

    As Michael suggested earlier, we will check the MSA & gMSA. Applications are using separate SQL authentication accounts.

    We are using DML audits, but they log only the parameterized query and not the exact values.

    Definitely we will implement the changes.

    Thanks Again
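    The thread ends with the decision to look at MSA and gMSA, as suggested in the first reply. The script below is an added example, not code from the thread or from any of its authors, of what that looks like end to end for one SQL Server host: create the KDS root key if the domain has none, put the host's computer account in a group, create a gMSA that only that group may retrieve, and then, on the host, prove the password can be fetched and point the SQL Server service at the account. It assumes the ActiveDirectory module on the workstation, rights to create groups and service accounts in the domain, Windows Server 2012 or later on the SQL host with the RSAT AD PowerShell module and the SqlServer module installed, a default instance, and SQL Server 2012 or later; the domain, host, group and account names are placeholders.

```powershell
# Added example, not from the thread: provision a group Managed Service Account (gMSA) for one
# SQL Server host and verify the host can retrieve its password. AD generates and rotates the
# gMSA password itself and no person ever knows it, which removes the service account from the
# rotation exercise discussed above. Assumes the ActiveDirectory module on the workstation,
# rights to create groups and service accounts in the domain, Windows Server 2012 or later on
# the SQL host with the RSAT AD PowerShell module and SqlServer module installed, a default
# instance, and SQL Server 2012 or later. Domain, host, group and account names are placeholders.
$Domain  = 'corp.example'
$NetBios = 'CORP'
$SqlHost = 'SQL01'
$Gmsa    = 'gmsa_sql01'
$Group   = 'gMSA-SQL01-Hosts'

# 1. A KDS root key must exist before any gMSA can be created (one-time, domain-wide). It becomes
#    usable on every DC roughly 10 hours after creation; do not shortcut this in production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    throw 'KDS root key created; rerun after it has replicated (about 10 hours)'
}

# 2. One security group per gMSA holding only the computer accounts that run the service,
#    so no other host can ask AD for this password.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security | Out-Null
}
Add-ADGroupMember -Identity $Group -Members (Get-ADComputer -Identity $SqlHost)

# 3. The gMSA, restricted to AES Kerberos etypes, with the SPNs SQL clients use for Kerberos
#    (registered here rather than left for the service to attempt at startup).
New-ADServiceAccount -Name $Gmsa `
    -DNSHostName "${Gmsa}.${Domain}" `
    -PrincipalsAllowedToRetrieveManagedPassword $Group `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256 `
    -ServicePrincipalNames "MSSQLSvc/${SqlHost}.${Domain}:1433", "MSSQLSvc/${SqlHost}.${Domain}"

# 4. On the host: the new group membership is only seen after the machine's Kerberos ticket
#    is refreshed (purge the SYSTEM logon session's tickets, or reboot), then cache the gMSA,
#    prove the password can be retrieved, and point the SQL Server service at it.
Invoke-Command -ComputerName $SqlHost -ArgumentList $Gmsa, $NetBios -ScriptBlock {
    param($name, $nb)
    klist -li 0x3e7 purge | Out-Null
    Install-ADServiceAccount -Identity $name
    if (-not (Test-ADServiceAccount -Identity $name)) {
        throw "${env:COMPUTERNAME} cannot retrieve the password for $name; check group membership and replication"
    }
    # A gMSA is given as DOMAIN\name$ with an empty password. SetServiceAccount through the SMO
    # WMI provider also grants the account the rights and ACLs the service needs. The instance
    # must be restarted afterwards, which is left to the change window.
    Import-Module SqlServer
    $mc = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer $env:COMPUTERNAME
    $mc.Services['MSSQLSERVER'].SetServiceAccount("$nb\$name`$", '')
    "${env:COMPUTERNAME}: MSSQLSERVER now configured to log on as $nb\$name`$"
}
```

The same pattern covers the SQL Agent service and any other Windows service on the host, each with its own gMSA and group. It does not help the SQL authentication accounts the applications use; for those, the remaining options are Windows authentication for the application (so it can also run as a gMSA) or a secrets store that the application reads at startup, so the password can be rotated without anyone typing it.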
