Using the SA account

  • Yup. Very bad practice.

    You need to create an account with minimal permissions, just what the web site needs to run. There is no way that it needs sysadmin-level permissions and that just creates a major security vulnerability, especially if you have a weak password.

    Once no one is using sa, you can just disable it. (ALTER LOGIN ... DISABLE)

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Okay thanks Gail, I'll do that

  • To add on to that, if at all possible I would use a Windows authenticated account versus a SQL Login (which is what the sa account is). It adds a little bit of extra protection for authenticating to your SQL instance.

    Shawn Melton
    Twitter: @wsmelton
    Blog: wsmelton.github.com
    Github: wsmelton

  • Shawn Melton (4/12/2011)

    To add on to that, if at all possible I would use a Windows authenticated account versus a SQL Login (which is what the sa account is). It adds a little bit of extra protection for authenticating to your SQL instance.

    Okay, can I still use a Windows authenticated account if the website that's logging in is on a different server to the database?

  • If you are in a domain, yes. I believe you still can if you are not in a domain. I'm not too sure on that one; it has been a while since I set up a web site for SQL Server.

    Shawn Melton
    Twitter: @wsmelton
    Blog: wsmelton.github.com
    Github: wsmelton
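Putting Gail's and Shawn's advice together in T-SQL, as an added example that is not from any poster in this thread: it creates a least-privilege login for the site (a SQL login, or a Windows login as Shawn prefers), grants only what the application database needs, checks that the new login holds no server role, and disables sa once nothing connects with it. The names WebAppSvc, WebAppDb and CONTOSO are placeholders, not anything from the thread.

```sql
-- Added example, not from the thread. Placeholders: WebAppSvc (login/user),
-- WebAppDb (the site's database), CONTOSO (the domain). Replace them.
USE master;
GO
-- Option 1: a SQL login with a strong password and the Windows password
-- policy enforced (CHECK_EXPIRATION requires CHECK_POLICY).
CREATE LOGIN WebAppSvc WITH PASSWORD = '<strong-generated-password>',
    CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
-- Option 2 (preferred): a Windows login for the account the website runs
-- as on the web server; this needs the web and database servers to share
-- a domain (or a trust). Use this instead of Option 1, not as well.
-- CREATE LOGIN [CONTOSO\WebAppSvc] FROM WINDOWS;
GO
USE WebAppDb;
GO
CREATE USER WebAppSvc FOR LOGIN WebAppSvc;
GO
-- Grant only what the site needs: here, data access on one schema and
-- execute on its stored procedures. No db_owner, no server-level roles.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO WebAppSvc;
GRANT EXECUTE ON SCHEMA::dbo TO WebAppSvc;
GO
-- Check: the new login must not be a member of any fixed server role
-- (sysadmin in particular). Expect no rows.
SELECT sp.name AS login_name, sr.name AS server_role
FROM sys.server_principals sp
JOIN sys.server_role_members rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals sr ON sr.principal_id = rm.role_principal_id
WHERE sp.name = 'WebAppSvc';
GO
-- Before disabling sa, confirm nothing is still connecting with it.
-- Expect no rows once the website uses WebAppSvc.
SELECT session_id, host_name, program_name
FROM sys.dm_exec_sessions
WHERE login_name = 'sa';
GO
-- Then disable sa, as Gail suggests.
USE master;
GO
ALTER LOGIN sa DISABLE;
GO
```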
