SQL "Worst Practice SA password"

  • Received an email letter that listed "SQL Worst practices". Why was this one included?

    - Running SQL Server in mixed-authentication mode without a NULL password for the systems administrator (sa) account.

    Without a NULL? Is he saying the "sa" should be NULL in mixed-mode? I'm mixed up.

    TIA,

    Bill

  • I would hope the without should have been with. Running without a password isn't smart, even in development. There's even been a worm developed to exploit this.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/

    K. Brian Kelley
    @kbriankelley

  • Hopefully it wasn't our email newsletter?

    I agree with Brian. In ANY environment, ALL accounts SHOULD HAVE a password.

    Steve Jones

    steve@dkranch.net

  • Steve,

    It was in the January 31st edition of

    ********************

    SQL Server Magazine UPDATE--brought to you by SQL Server Magazine

    http://www.sqlmag.com

    ********************

    1. ==== COMMENTARY ====

    * WORST PRACTICES REVEALED

    Greetings,

    Two weeks ago, I asked for your help in creating a comprehensive list of SQL Server "worst practices." I thought this task would be a fun twist on the annual tradition of making New Year's resolutions, and I hoped that all of us could learn something along the way.

    I know that talking about best practices--what you SHOULD do--is more politically correct. But the world would be a happier place to work and live in if we found a way to avoid the common mistakes we make day in and day out.

    I've received a lot of support for this endeavor, and you've sent a great compilation of worst practices. The first group of worst-practices items is below. As the list grows, I hope it will serve as a reminder to experienced SQL Server professionals to avoid these common mistakes. I suspect that the list will also become a resource for SQL Server beginners as they learn the ropes. As the list grows, I'll occasionally publish some of the latest and greatest worst practices in this newsletter. I'll also find a location on the SQL Server Magazine Web site to post the list so I can keep it up-to-date.

    The items in the following list appear in no particular order of importance, and I've liberally mixed administration and development worst practices.

    Worst Practices:

    - Making production changes without testing them in a quality-assurance environment just because it's easier and saves time.
    - Running SQL Server in mixed-authentication mode without a NULL password for the systems administrator (sa) account.
    - Using inconsistent and arcane naming conventions for tables and columns.
    - Assuming someone else is doing the backup.
    - Assuming that the backup can be restored even though you've never tested your recovery plan.
    - Allowing NULL columns just because you're too lazy to figure out column defaults and constraints.
    - Hard-coding your applications to connect using sa.

    Needless to say, I've never personally made ANY of these horrifying mistakes. But I have a friend who admits to making them from time to time. This list is far from comprehensive, so keep your suggestions coming!

    Brian Moran, SQL Server Magazine UPDATE News Editor, brianm@sqlmag.com

    ~~~~ SPONSOR: SQL SERVER MAGAZINE LIVE! ~~~~

    SQL Server Magazine LIVE! brings to life the industry's most popular and authoritative SQL Server publication with more than 50 in-depth technical sessions. You'll learn about best practices and the latest technologies from such SQL Server Magazine editors as Kalen Delaney, Michael Otey, William Vaughn, Brian Moran, and Microsoft's Richard Waymire as well as from industry experts such as Mike Hotek, Steve Wynkoop, Mark Scott, Craig Utley, and many others. SQL Server Magazine LIVE! features sessions about SQL Server development and performance tuning, ADO.NET and other key .NET technologies, replication, Data Transformation Services (DTS), data warehousing and analysis, the future of the DBA, and much more! To register or for more information, visit the following URL:

    http://lists.sqlmag.com/cgi-bin3/flo?y=eKX30CObCy0BRZ0pLK0AY

    ~~~~~~~~~~~~~~~~~~~~

  • You are correct, sir. Time to email someone.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/


  • Shows you which newsletter you SHOULD be watching and which one you SHOULD NOT!

    Steve Jones

    steve@dkranch.net

  • Well, I've sent a message off to Mr. Moran. I'm sure it was a typo.

    BTW, articles by Steve and Andy on Worst Practices start here:

    http://www.sqlservercentral.com/columnists/awarren/worstpracticespart1ofaverylongseries_1.asp

    The latest one (which has links to the predecessors) is the following:

    http://www.sqlservercentral.com/columnists/sjones/wp_encryption.asp

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/


  • From the newest SQL Server Magazine UPDATE newsletter:

    quote:


    A final note: Oops! Last week's worst-practices commentary contained a one-word typo that had major ramifications. I listed one of the worst practices as "Running SQL Server in mixed-authentication mode without a NULL password for the systems administrator (sa) account."

    Fortunately, more than 100 eagle-eyed readers pointed out my error. I'm sorry that I wasn't able to respond to everyone individually, but, yes, the worst practice should have read "Running SQL Server in mixed-authentication mode with a NULL password for the systems administrator (sa) account."

    Brian Moran, SQL Server Magazine UPDATE News Editor, brianm@sqlmag.com


    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/

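The two sa-related items in the corrected list (mixed mode with a blank sa password, and applications hard-coded to connect as sa) can be audited from T-SQL. This is an added example, not code from the thread or the newsletter; it assumes SQL Server 2005 or later (sys.sql_logins, PWDCOMPARE, sys.dm_exec_sessions) and a sysadmin connection, and the remediation password is a placeholder.

```sql
-- Added audit script (not from the original thread). Assumes SQL Server 2005+
-- and sysadmin/CONTROL SERVER rights, which PWDCOMPARE needs to read hashes.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows authentication only'
           ELSE 'Mixed mode (SQL logins such as sa can log in)'
       END AS auth_mode;

-- 2. SQL logins whose password is blank, or equal to the login name.
--    PWDCOMPARE tests a plaintext candidate against the stored hash.
SELECT name,
       is_disabled,
       CASE WHEN PWDCOMPARE('',   password_hash) = 1 THEN 'blank password'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'password = login name'
       END AS weakness
FROM sys.sql_logins
WHERE PWDCOMPARE('',   password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 3. The sa account itself. principal_id = 1 is sa even if it was renamed.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE principal_id = 1;

-- 4. Sessions connected as sa right now: the host and program names point
--    at applications that were hard-coded to use the sa login.
SELECT session_id, login_name, host_name, program_name, login_time
FROM sys.dm_exec_sessions
WHERE login_name = N'sa';

-- Remediation, to be run deliberately after the application owners are
-- given their own least-privilege logins. Placeholder password below.
-- ALTER LOGIN sa WITH PASSWORD = N'<long random password placeholder>',
--                    CHECK_POLICY = ON;
-- ALTER LOGIN sa DISABLE;
```

Query 2 is the direct check for the newsletter's corrected worst practice; an empty result set from it, together with query 4 returning no rows, is what a clean server looks like.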

  • But isn't it so much simpler to remember the password when it is NULL?

  • drowssap is pretty easy, too.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/


  • lookforanewjob is easy to remember also.

    Steve Jones

    steve@dkranch.net

  • So is nimda but I already dealt with that.

  • Nimda was a pain, but it shouldn't have been as big a problem as it turned out to be. In almost every case if a server had been properly secured after Code Red and Code Red II, there wasn't an issue. As it is, I can review my web logs and still see the tell-tale signs of all three.

    K. Brian Kelley

    bkelley@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/bkelley/

