
Using the sa account -- Just say "NO!"


Aunt Kathi knows many of you do things you know are wrong, like rolling through stop signs, littering, and using the sa account in your connection strings. If you're lucky, you won't get caught at the stop sign, and you probably don't participate in Alice's Restaurant-scale littering. But using the sa account in connection strings and DSNs is an unforgivable offense.

But seriously, it's an unnecessary and very bad practice. Would you let everyone in your company have the password to the Domain Admin account? The sa login is a member of the sysadmin fixed server role, so anything connecting as sa can do anything on the instance, including reaching the operating system with whatever rights the SQL Server service (startup) account has (a topic for a future post). Depending on those rights, handing out sa could essentially be the same as handing out Domain Admin. I don't care if you say you are going to get things cleaned up after the software is all configured. I don't care if your vendor says you have to do it for the software to work. I don't care if that is what you have always done. Just don't do it! Cleaning up sa account use after it is established can be a lot of work. It took me two months to track down every instance of its use in one of my company's more complicated systems.

Here is what you should do:

  • Use Windows authentication if at all possible.

  • Set up other accounts with only the required rights and use them instead.

  • Monitor for sa use and reconfigure all connections to use other accounts with only the required permissions.

  • Set a strong sa password and store the password in a password safe.

  • Going forward, don't use the sa account for any connection strings or software settings.

  • Nobody, not even you, needs to know the sa password.
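Here is a T-SQL script that walks through the steps above on one instance. It is an added example, not part of the original post: the login, database, service account and audit file path ([AppUser_Inventory], [InventoryDB], [CONTOSO\svc_inventory], D:\SQLAudit\) are placeholders, and the final step (disabling sa once nothing uses it any more) goes one step further than the post, which only asks for a strong, vaulted password.

```sql
-- Added example (not from the original post). Object names are placeholders.
-- Run as a sysadmin that is NOT sa, so the sa account can be locked down at the end.

-- Step 0: what authentication mode is the instance in? 1 = Windows only, 0 = mixed.
-- In mixed mode the sa login is reachable over the network and must be treated as hostile.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Step 1: snapshot of who is connected as sa right now (host and program tell you
-- which connection string or DSN to go fix).
SELECT s.session_id, s.login_name, s.host_name, s.program_name, s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.login_name = 'sa'
  AND s.is_user_process = 1;

-- Step 2: keep monitoring over time. A server audit filtered to the sa principal
-- records every successful login as sa, so nothing hiding behind a nightly job
-- or a rarely used tool slips past the snapshot in step 1.
CREATE SERVER AUDIT [Audit_sa_Logins]
TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
WITH (ON_FAILURE = CONTINUE)
WHERE server_principal_name = 'sa';

CREATE SERVER AUDIT SPECIFICATION [Audit_sa_Logins_Spec]
FOR SERVER AUDIT [Audit_sa_Logins]
ADD (SUCCESSFUL_LOGIN_GROUP)
WITH (STATE = ON);

ALTER SERVER AUDIT [Audit_sa_Logins] WITH (STATE = ON);

-- Read the audit trail back; an empty result over a full business cycle is the
-- evidence that every connection has been moved off sa.
SELECT event_time, action_id, succeeded, server_principal_name, server_instance_name
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time;

-- Step 3a: preferred replacement - a Windows (service) account, no password in
-- any connection string at all (Integrated Security=SSPI / Trusted_Connection=yes).
CREATE LOGIN [CONTOSO\svc_inventory] FROM WINDOWS;

-- Step 3b: if the application truly cannot use Windows authentication, a dedicated
-- SQL login with the password policy enforced - still never sa.
CREATE LOGIN [AppUser_Inventory]
WITH PASSWORD = N'<long random passphrase, stored in the password safe>',
     CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;

-- Step 4: grant only what the application needs, inside the one database it uses.
USE [InventoryDB];
CREATE USER [svc_inventory]      FOR LOGIN [CONTOSO\svc_inventory];
CREATE USER [AppUser_Inventory]  FOR LOGIN [AppUser_Inventory];
ALTER ROLE db_datareader ADD MEMBER [svc_inventory];
ALTER ROLE db_datawriter ADD MEMBER [svc_inventory];
GRANT EXECUTE ON SCHEMA::dbo TO [svc_inventory];
ALTER ROLE db_datareader ADD MEMBER [AppUser_Inventory];
ALTER ROLE db_datawriter ADD MEMBER [AppUser_Inventory];
GRANT EXECUTE ON SCHEMA::dbo TO [AppUser_Inventory];

-- Step 5: set a long random sa password, put it in the password safe, and then
-- disable the login. SQL Agent jobs owned by sa keep running with sa disabled,
-- and a disabled sa cannot be used even if a password leaks from an old config.
USE [master];
ALTER LOGIN sa WITH PASSWORD = N'<generated by the password safe, never typed into a config file>';
ALTER LOGIN sa DISABLE;
```

Leave the audit running for at least one full business cycle (month end, quarterly reports, DR tests) before the final `ALTER LOGIN sa DISABLE`; a connection that only happens once a quarter is exactly the one that takes two months to find after the fact.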
