SA PASSWORD

  • Our network staff want to install a SQL Server password capture tool on each SQL Server machine, which is a lockbox of sa passwords that they have access to.

    Any DBA thoughts about allowing this?

  • Hey,

    It has the potential to be a problem in the future...  Do you also trust the network staff?

    Brian

  • I'm a little confused. What does this tool do? I've allowed the network admins to have the sa password as they have been my remote hands before, but only when it's a small group that I know.

  • What justification do the Network people have for needing SA rights?

    If they act as a backup to the DBAs, then SA might be justified.  In our shop, there are enough DBAs to provide cover, and we are the only people with SA rights.

    Our network people have a signon that has public rights to all databases that need ODBC connections, as they are responsible for setting up these clients and legitimately need to test the clients can connect.  Beyond that, they have no data access capabilities or other rights on SQL Server.


    Original author: https://github.com/SQL-FineBuild/Common/wiki/ (1-click install and best practice configuration of SQL Server 2019, 2017, 2016, 2014, 2012, 2008 R2, 2008 and 2005).

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

  • Please forgive what may be an odd question: why do they need to capture passwords in the first place?  If they need and deserve the SA password, they just need to ask for it nicely.  Getting written sign-off from your boss would be helpful too.  It sounds a little like a "if you don't give it to us, we'll sniff the wire and get it anyway" sort of thing.  Unless they want to gather [all passwords] (aka "users") I can't see why they'd want to install a password sniffer.  If you're using SQL Security and they want user passwords, simply tweak sp_password and require all users to change their passwords.  If you're running Mixed Mode, I'm not sure installing a password sniffer will really provide any revelation.

    Hopefully you're not in a political battle.  I hate those.

    Cheers,

    Ken

  • I agree with Ken here.  It does seem odd that they'd want a program like this.  If they can justify the need for the SA password and ask nicely for it, then they shouldn't need this program.

    Have they said why they need to use this program?

  • Depending on the politics of the situation...

    Can you increase the sa password length or change it regularly?

    A long enough password will not be cracked before it's time to change it again...

    To be really paranoid, use SSL to thwart packet sniffers.

  • Hi all.

    How many of you actually removed Builtin/Administrators or removed system admin rights from this group? If you did not, they (them, network admins) have administrative rights anyway, and SQL Server 2000 does not have an option of running just SQL Server authentication. THE administrator on the box has a way to get to your data, your databases etc. anyway. Do you password-protect backups? No? Then the network admin can restore your backups, including Master, on a new installation. The other way around: someone with SQL Server admin rights can easily create a Windows administrative login.

    I would first confirm with the management or business owner who should have administrative access to the box at all, then give out any rights.

    Yelena

    Regards, Yelena Varsha
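The check Yelena describes, whether the local Administrators group is still a sysadmin and who else holds that role, can be scripted. The following T-SQL is an added audit example, not code from this thread or from any of its posters. It assumes SQL Server 2005 or later for the catalog views (sys.server_role_members, sys.server_principals, sys.sql_logins); the commented sp_helpsrvrolemember call at the end is the SQL Server 2000 equivalent of the first query.

```sql
-- Added audit script (not from the thread). Lists every member of the
-- sysadmin fixed server role, flags BUILTIN\Administrators if it is still
-- present, and shows the sa login's state. Assumes SQL Server 2005+.

-- 1. Who holds sysadmin today?
SELECT p.name        AS login_name,
       p.type_desc   AS login_type,
       p.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.name;

-- 2. Is every local Windows administrator implicitly a DBA?
IF EXISTS (SELECT 1
           FROM sys.server_role_members rm
           JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals p ON p.principal_id = rm.member_principal_id
           WHERE r.name = 'sysadmin'
             AND p.name = 'BUILTIN\Administrators')
    PRINT 'BUILTIN\Administrators is in sysadmin: local admins are DBAs.';
ELSE
    PRINT 'BUILTIN\Administrators is not in sysadmin.';

-- 3. Remediation. Run only after step 1 confirms that at least one other
--    login (a DBA group or individual) is in sysadmin, or you lock yourself out.
-- ALTER SERVER ROLE sysadmin DROP MEMBER [BUILTIN\Administrators];   -- 2012+
-- EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';   -- 2005 to 2008 R2
-- DROP LOGIN [BUILTIN\Administrators];

-- 4. State of the sa login itself: is it enabled, and when was the
--    password last changed? (Supports the "rotate it regularly" advice above.)
SELECT name,
       is_disabled,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE name = 'sa';

-- SQL Server 2000 equivalent of step 1:
-- EXEC sp_helpsrvrolemember 'sysadmin';
```

Step 1 is the one to read first: removing BUILTIN\Administrators from sysadmin without another sysadmin login in place leaves nobody able to administer the instance. Note also that, as Yelena says, dropping the group from sysadmin limits what a local administrator can do through SQL Server logins only; someone with administrative rights on the host can still copy or restore backup files, so backup protection and host-level access control are a separate decision.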
