April 26, 2006 at 4:38 pm
Microsoft recommends in their security checklist that SQL Server should use Windows authentication mode.
When I suggested this to my boss, he said that he and other people he had worked with believed that SQL Server authentication was the way to go.
Did something change?
What are the security risk between the two?
Thanks
Susan
April 26, 2006 at 9:11 pm
The use of Windows or Mixed security would depend on the requirements for your environment.
If you have a separate web server that accesses a database on a stand-alone SQL Server then you'll need to use a SQL login because the SQL Server will not be aware of the Windows login on the web server. There could also be cases where client applications that have no knowledge of Windows (like a UNIX based Java app) need to connect.
With mixed security in SQL 2000 the server is more vulnerable to security breaches. Also, passwords for SQL logins are not constrained by Windows policy (strength, expiration, lockout, etc...). This can lead to easily hackable passwords being used.
--------------------
Colt 45 - the original point and click interface
April 26, 2006 at 10:51 pm
What Phill has said is all correct. Some other things to consider:
SQL Server security means the username and password pass over the wire. The "encryption" scheme on the password is weak... you can break it with a pen & paper and a calculator. Also, the hash stored in SQL Server has a weakness, meaning it's more easily crackable than it should be.
Also, from an auditing perspective the only thing that can track a SQL Server login is SQL Server. However, normal Windows audit mechanisms work to track authentication with Windows logins. For instance, you'll see the audit success in the OS' Security Event Log if the proper auditing settings are set at the OS level. SQL Server will audit to the SQL Server error log and to the OS' application event log, but that means a second mechanism if auditing is required.
Finally, if a Windows login is used, you're basically going to one place for handling security: the domain. That means if there is a compromise or a need to administer the login, the Windows domain admins can do so. From a security perspective this reduces management overhead.
K. Brian Kelley
@kbriankelley
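The "pen & paper" claim above refers to how the TDS protocol obfuscates the password in the LOGIN7 packet that a SQL login sends: each byte of the UTF-16LE password has its nibbles swapped and is then XORed with 0xA5 (this is spelled out in Microsoft's MS-TDS specification). The script below is an added example, not code from the thread or from any poster; it implements that transform and its inverse so you can see how little protection it gives. The sample "captured" bytes are constructed here for the demonstration, not taken from a real trace, and the helper names are my own.

```python
"""
TDS LOGIN7 password obfuscation and recovery (added example).

Obfuscation, per MS-TDS: for each byte of the UTF-16LE password,
swap the high and low nibbles, then XOR with 0xA5.
Recovery is the reverse: XOR with 0xA5, then swap the nibbles.
No key is involved, so anyone who can see the packet can undo it.
"""

XOR_MASK = 0xA5


def swap_nibbles(b: int) -> int:
    """Exchange the high and low 4 bits of a byte."""
    return ((b << 4) & 0xF0) | (b >> 4)


def obfuscate_byte(b: int) -> int:
    """Client side: what the password byte looks like on the wire."""
    return swap_nibbles(b) ^ XOR_MASK


def deobfuscate_byte(b: int) -> int:
    """Attacker/server side: undo obfuscate_byte."""
    return swap_nibbles(b ^ XOR_MASK)


def obfuscate_password(password: str) -> bytes:
    """Encode a password exactly as a TDS client would place it in LOGIN7."""
    return bytes(obfuscate_byte(b) for b in password.encode("utf-16-le"))


def recover_password(wire: bytes) -> str:
    """Recover the clear-text password from the on-wire bytes."""
    return bytes(deobfuscate_byte(b) for b in wire).decode("utf-16-le")


def looks_like_obfuscated_ascii(wire: bytes) -> bool:
    """
    Heuristic for spotting the field in a raw capture: an ASCII password in
    UTF-16LE has a 0x00 high byte for every character, and 0x00 obfuscates
    to 0xA5, so every odd-indexed byte of the field is 0xA5.
    """
    return len(wire) >= 2 and len(wire) % 2 == 0 and all(
        b == XOR_MASK for b in wire[1::2]
    )


# Constructed sample: the bytes a client sends for the password "sa".
# 's' = 0x73 -> swap 0x37 -> xor 0x92;  0x00 -> swap 0x00 -> xor 0xA5
# 'a' = 0x61 -> swap 0x16 -> xor 0xB3;  0x00 -> 0xA5
CAPTURED_SA = bytes.fromhex("92a5b3a5")


if __name__ == "__main__":
    print("wire bytes for 'sa':", obfuscate_password("sa").hex())
    print("recovered from capture:", recover_password(CAPTURED_SA))
    print("field pattern matches:", looks_like_obfuscated_ascii(CAPTURED_SA))
```

Run it and the constructed four-byte capture comes back as `sa`; the same two functions recover any LOGIN7 password of any length, which is why the thread's advice to prefer Windows authentication (where no reusable password travels in the login packet) or at least TLS-protected connections still holds.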
April 27, 2006 at 5:06 am
Ahhh ... "weak encryption scheme" ... that's the phrase I was searching for while typing up my post
--------------------
Colt 45 - the original point and click interface