Jeff Moden wrote: frederico_fonseca wrote: Jeff Moden wrote:
I don't know about CyberArk but I would hope that getting a Password for an SQL Service Account couldn't actually be done in such an easy fashion.
Cyberark if used properly would be more secure than having a DBA retrieving and resetting a SQL instance password (or any other password for that matter).
it can even rotate sql server credentials without intervention from a "human".
for highly privileged accounts (or even not so high) its possible to "force" the retrieval of such passwords only on a particular computer, with a specific IP, when executed by a certain application (using hash fingerprints of the application), by a certain user, and with the application on a certain folder.
Understood. My issue isn't so much with CyberArk... my issue would be with how someone uses it in Power Shell. The OP said he had to write some PoSh to "get password for SQL service account".
My first concern is why does anyone need the password for the SQL Service Account? IMHO, they simply don't need it. They should have an AD login to use.
We used CyberArk to store passwords at my former employer. We had a requirement to change the service ID passwords once a year, and had PowerShell scripts that would retrieve the old password from CyberArk, write the new password there, then change the password in AD. The PowerShell scripts ran under the context of another service ID that had permission to run the scripts. The old password was retrieved in case something failed during the updates.
CyberArk has all sorts of options for storing and retrieving passwords based on who you are, your permissions and such. One of the options is to require approval from some set of approvers before a password is released. It also handles split passwords, will login to an RDP session without the user seeing a password at all. If you have a need for that sort of application, CyberArk works well.