Disabling SA better than Changing Password?

  • Auditors have been wanting us to change the password on the SA sql id on a scheduled basis. Someone read a white paper 🙂 Even though our instances are set up for MIX security, we do not use SA when connecting to the instance.

    We do have SA as database and Job owners. However, all our SYSADMIN work is done using Windows ids. Occasionally we get a vendor product whose installation just does not seem to work without using SA, which is sad!

    Is there any issue with disabling SA and still using it as database and job owner?

    Which is more secure: disabling SA, or changing its password to a random value on a scheduled basis?

    David Bird

  • Both.

    Disable SQL auth if you can.

    Change sa regularly. Just in case someone "re-enables" the account/authentication method. I've seen people change the password for a consultant, disable the auth, then forget and have someone enable auth with a known sa password by outsiders.

    Do this in a job and forget about it, after disabling auth. If you ever need it, change it that day and then run this job.

    -- Generate a random GUID and use its string form as the new sa password.
    DECLARE @pwd UNIQUEIDENTIFIER = NEWID(),
            @new VARCHAR(50);
    SELECT @new = CAST(@pwd AS VARCHAR(50));
    -- sp_password accepts a variable; ALTER LOGIN ... WITH PASSWORD needs a literal or dynamic SQL.
    EXEC sp_password @new = @new, @loginame = 'sa';
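Putting the answer's advice into one script that also addresses the original question, as an added example (not the poster's code): it assumes a sysadmin connection and SQL Server 2008 or later, rotates sa to a random password nobody records, disables the login, and then runs the checks an auditor would want, including what sa still owns.

```sql
-- Assumes a sysadmin connection and SQL Server 2008 or later (for CRYPT_GEN_RANDOM).

-- 1. Rotate sa's password to a random value that is never written down.
--    32 random bytes rendered as hex; the fixed prefix keeps CHECK_POLICY
--    complexity rules satisfied even though hex alone has too few character classes.
DECLARE @pwd nvarchar(128);
SET @pwd = N'Aa1!' + CONVERT(nvarchar(64), CRYPT_GEN_RANDOM(32), 2);

-- ALTER LOGIN does not accept a variable for the password (which is why the
-- post used sp_password), so build the statement dynamically and quote it safely.
DECLARE @sql nvarchar(max) =
    N'ALTER LOGIN [sa] WITH PASSWORD = ' + QUOTENAME(@pwd, '''') + N';';
EXEC sys.sp_executesql @sql;

-- 2. Disable the login. Disabling does not change its SID (0x01), so the
--    owner_sid rows on databases and Agent jobs still resolve to sa.
ALTER LOGIN [sa] DISABLE;

-- 3. Checks an auditor can re-run on a schedule.
-- Is sa disabled? (matching on SID also catches a renamed sa)
SELECT name, is_disabled, type_desc
FROM   sys.server_principals
WHERE  sid = 0x01;

-- Is the instance Windows-authentication only? 1 = SQL logins cannot connect at all.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- What sa still owns, for review; the original question's databases and jobs.
SELECT name AS database_owned_by_sa
FROM   sys.databases
WHERE  owner_sid = 0x01;

SELECT name AS job_owned_by_sa, enabled
FROM   msdb.dbo.sysjobs
WHERE  owner_sid = 0x01;
```

Schedule the first two sections as an Agent job, as the answer suggests, and keep the third as a standing report; a SQL-only setting such as the authentication mode is changed in the server properties, so the check is what the script can verify.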
