Using the SA account

  • Hi

    Our website uses the sa account to log into the database server. I've been told that this is a bad thing and that the SA account should be disabled. Is this the case, and if so, what do I need to do to disable it?

    Thanks

    Matt

  • Yup. Very bad practice.

    You need to create an account with minimal permissions, just what the web site needs to run. There is no way that it needs sysadmin-level permissions and that just creates a major security vulnerability, especially if you have a weak password.

    Once no one is using sa, you can just disable it. (ALTER LOGIN ... DISABLE)

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
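    The steps in the reply above, written out as T-SQL. This is an added example, not Gail's code; the database name [WebAppDb], login [webapp_login], user [webapp_user], role [webapp_role] and the password placeholder are assumed, and ALTER ROLE ... ADD MEMBER assumes SQL Server 2012 or later.

    ```sql
    -- Assumed names: [WebAppDb], [webapp_login], [webapp_user], [webapp_role].
    USE [master];
    GO
    -- 1. A dedicated login for the website, with a strong password (placeholder) and
    --    Windows password policy enforced. For a Windows account instead, use
    --    CREATE LOGIN [DOMAIN\svc_webapp] FROM WINDOWS; (name assumed).
    CREATE LOGIN [webapp_login]
        WITH PASSWORD = N'<strong-password-placeholder>',
             CHECK_POLICY = ON,
             DEFAULT_DATABASE = [WebAppDb];
    GO
    USE [WebAppDb];
    GO
    -- 2. Map the login to a database user and give it a role holding only what
    --    the site needs: DML on its schema and EXECUTE on its procedures.
    CREATE USER [webapp_user] FOR LOGIN [webapp_login];
    CREATE ROLE [webapp_role];
    GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [webapp_role];
    GRANT EXECUTE ON SCHEMA::dbo TO [webapp_role];
    ALTER ROLE [webapp_role] ADD MEMBER [webapp_user];
    GO
    -- 3. Point the website's connection string at webapp_login, then confirm that
    --    nothing is still connecting as sa (run under normal load; expect no rows).
    SELECT session_id, host_name, program_name, login_time
    FROM sys.dm_exec_sessions
    WHERE login_name = N'sa';
    GO
    -- 4. Once nothing uses sa, disable it (reversible with ALTER LOGIN [sa] ENABLE).
    USE [master];
    GO
    ALTER LOGIN [sa] DISABLE;
    GO
    -- 5. Verify: expect is_disabled = 1 for sa and 0 for webapp_login.
    SELECT name, is_disabled
    FROM sys.sql_logins
    WHERE name IN (N'sa', N'webapp_login');
    ```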
  • Okay, thanks Gail, I'll do that.

  • To add on to that, if at all possible I would use a Windows authenticated account, versus a SQL Login (what the sa account is). It adds a little bit of extra protection for authenticating to your SQL instance.

    Shawn Melton
    Twitter: @wsmelton
    Blog: wsmelton.github.com
    Github: wsmelton

  • Shawn Melton (4/12/2011)

    To add on to that if at all possible I would use a Windows authenticated account, versus a SQL Login (what the sa account is). It adds a little bit extra protection for authenticating to your SQL instance.

    Okay, can I still use a Windows authenticated account if the website that's logging in is on a different server to the database?

  • If you are in a domain, yes. I believe you still can if you are not in a domain. I'm not too sure on that one; it has been a while since I set up a web site for SQL Server.

    Shawn Melton
    Twitter: @wsmelton
    Blog: wsmelton.github.com
    Github: wsmelton
