SQL Server 2005 Logins

  • Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/bkelley/sqlserver2005logins.asp

    K. Brian Kelley

  • I hope one of the series of articles deals with the horrifying interface mess in SQL Studio and how it affects security. While I think SQL Server 2005 did enhance security, the way it makes one manage it is a step backward, and makes me wonder if a lot of "default" security will become the norm because of how overly complicated the interface can be.

  • I can look at doing that. I prefer to manage the security on my servers through the T-SQL instead of through the SSMS interface, but you make a good point.

    K. Brian Kelley

  • Brian,

    Great Article, good examples. I like a lot that it points out differences between 7/2000 and 2005.

    As a comment, there was probably one typo:

    "............In order to turn on policy checking and password expiration, additional options must be specified. Those additional options are:

    • SID = SID
    • DEFAULT_DATABASE = default database
    • DEFAULT_LANGUAGE = default language
    • CHECK_POLICY = { ON | OFF}
    • CREDENTIAL = credential name


    I think you meant to say that in order to turn on policy checking and password expiration SOME of the additional options should be specified. Please correct me if I am not right and ALL of the above options should be specified for password expiration check.

    Regards, Yelena Varsha

  • No, you are most certainly right. Good catch. I had a couple of guys around the office proofread and none of them saw that.

    K. Brian Kelley

  • Hope the article on Symmetric Keys and Certificates comes soon!

  • What I'm thinking of is I'm going to do the database users article, a primer on crypto (what a DBA needs to know), and then go into the encryption within SQL Server 2005. How does that sound?

    K. Brian Kelley

  • I actually have a question regarding a similar issue. I'm trying to migrate from SQL 2000 to SQL 2005. I need to migrate my Windows logins and SQL logins to the SQL 2005 server. I wrote a script to get my SQL logins with their SIDs over to the SQL 2005 box. Can I also migrate their passwords?

    Also, for Windows logins, if I'm trying to migrate them, do I need to care about their SIDs? Thank you.



  • Question?


    If I disable a Windows login in SQL Server and I happen to have domain admin permissions, does this disable the login on the domain? I tried to disable a group of Windows logins in SQL and I got permission denied. I am not an admin in the domain, which is why I imagine this happened.

    This is scary functionality, especially if the Windows IDs and groups are used beyond SQL.



  • It's a really awesome article for beginners in SQL Server 2005 security.



  • Actions taken in SQL Server have no effect on the domain. If you disable a login or group in SQL Server, it only affects SQL Server. However, changes in the domain, since that is the starting point, do affect SQL Server. So if a particular account is disabled, then it will not be able to access SQL Server, either.

    K. Brian Kelley

  • I have a large number of logins that have been disabled. I would like to drop these logins and would prefer to script this. I've looked through the syslogins table and can't find an indicator which refers to whether an account is enabled/disabled. Anyone have any ideas as to where this is?


  • If you are using SQL Server 2005, don't use syslogins. Instead use the system management view sys.sql_logins. There is a column, is_disabled, which is a flag for whether or not a login is disabled or not. To make it easy on us, there is the name column as well in that one view. That should allow you to script what you want fairly easily.

    K. Brian Kelley
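
The cleanup described in the reply above, as an added T-SQL example that is not part of the original posts. It goes slightly beyond the reply by reading `sys.server_principals` (which also carries `is_disabled`) so that Windows logins and groups are covered as well as SQL logins; the output column names are illustrative. It only generates statements for review and drops nothing itself.

```sql
-- Added example: list disabled logins and GENERATE (not execute) DROP LOGIN
-- statements for review. Uses SQL Server 2005+ catalog views only.
SET NOCOUNT ON;

SELECT
    sp.name,
    sp.type_desc,                    -- SQL_LOGIN, WINDOWS_LOGIN or WINDOWS_GROUP
    sp.create_date,
    sp.modify_date,
    owned_dbs.owned_database_count,
    CASE
        -- DROP LOGIN fails for a login that still owns a database, so flag
        -- those for an ownership change instead of emitting a statement.
        WHEN owned_dbs.owned_database_count > 0
            THEN N'-- SKIPPED, owns a database (reassign owner first): '
                 + QUOTENAME(sp.name)
        -- QUOTENAME brackets the name so DOMAIN\user and names containing
        -- spaces or ] characters produce a valid, unambiguous statement.
        ELSE N'DROP LOGIN ' + QUOTENAME(sp.name) + N';'
    END AS drop_statement
FROM sys.server_principals AS sp
CROSS APPLY (
    SELECT COUNT(*) AS owned_database_count
    FROM sys.databases AS d
    WHERE d.owner_sid = sp.sid
) AS owned_dbs
WHERE sp.is_disabled = 1
  AND sp.type IN ('S', 'U', 'G')     -- SQL login, Windows login, Windows group
  AND sp.sid <> 0x01                 -- never script sa, even if it was renamed
  AND sp.name NOT LIKE N'##%##'      -- internal system logins
ORDER BY sp.type_desc, sp.name;
```

Dropping a login does not remove the database users mapped to it, so check each database for orphaned users afterwards.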

  • I am looking forward to the article on Certificate logins. I think that will go a long way towards eliminating SQL Logins for cross-platform applications.

    Bryant E. Byrd, BSSE MCDBA MCAD
    Business Intelligence Administrator
    MSBI Administration Blog

  • Hi Brian,

    Great article. When I read it, it reminded me of something I have never understood about Windows logins.

    Say I have Active Directory with user "U" who belongs to 2 security groups, "GrpA" and "GrpB". I create 3 Windows logins on SQL Server for "U", "GrpA" and "GrpB". Now when "U" logs on to the server, which login is being used? And if I drop the login for "U", the user "U" can still access the server via a group, but which one?


