Windows or SQL Server Authentication

  • Hi

    What's more secure Windows or SQL Server Authentication?

    If Windows Authentication is switched off, are there (inner) functions no longer working while looking for Windows Accounts?

    After installing only with Windows Authentication, can the mixed mode be configured again over db properties/security?

    Thanks for your help, Jan.

  • Windows authentication is never "switched off" per se. SQL Server supports either Windows authentication only (more secure) or Windows + SQL authentication (less secure).

    It can always be changed over; however, if you move to disable SQL authentication you will cut off the connectivity of any SQL-based logins.

  • What's more secure really depends on your security policies and by how much they are implemented.

    If you use Windows Authentication, you take advantage of all the goodies that come with it, like password expiration, Windows security groups, etc., although SQL 2005 now has comparable functionality.

    An advantage of using SQL authentication is that you can use it in heterogeneous environments

    and as said above 'It can always be changed over, however if you move to disable SQL authentication you will cut off the connectivity of any sql-based logins.' But you would need to use the Studio Manager because apparently you cannot use T-SQL to do it (hmmmpph..M$)


    Everything you can imagine is real.

    Windows is more secure, and running SQL 2005 on Windows 2003 you will have security enhanced more than on Windows 2000. But there are applications like PeopleSoft that will run only with SQL Authentication mode and not in Windows mode.

    Cheers,
    Sugeshkumar Rajendran
    SQL Server MVP
    http://sugeshkr.blogspot.com

    Windows authentication is more secure. If you're using Kerberos authentication, you also get mutual authentication... the client is able to verify the SQL Server really is the SQL Server and not some imposter. NTLM (a form of Windows authentication) and SQL Server authentication do not do this.

    Another reason Windows authentication tends to be more secure is that the username/password isn't transmitted over the wire. The "encryption" on the password for SQL Server authentication as it goes over the network is weak... if you know what you're looking for you can break it with a scientific calculator, a piece of paper, and a writing utensil. SQL Server 2005 takes great pains to protect this by using SSL to encrypt the login sequence if the client connecting in has a SQL Server 2005 native client. However, if your SQL Server 2005 is supporting legacy client connections, there's no SSL unless the whole connection is encrypted.

    K. Brian Kelley
    @kbriankelley
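
An added example, not part of any post in this thread: a read-only T-SQL check a DBA could run before switching an instance to Windows-only mode. It reports the current authentication mode, lists the SQL Server logins that would lose connectivity, and shows how live connections authenticated (Kerberos, NTLM or SQL) and whether they are encrypted. It assumes SQL Server 2005 or later and VIEW SERVER STATE permission for the third query.

```sql
-- 1. Which authentication mode is the instance in?
SELECT CASE CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly'))
         WHEN 1 THEN 'Windows authentication only'
         WHEN 0 THEN 'Mixed mode (Windows + SQL Server authentication)'
       END AS authentication_mode;

-- 2. SQL Server logins that would be cut off under Windows-only mode,
--    with their password-policy settings (CHECK_POLICY / CHECK_EXPIRATION).
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       default_database_name,
       modify_date
FROM sys.sql_logins
WHERE name NOT LIKE '##%##'          -- skip internal system logins
ORDER BY is_disabled, name;

-- 3. How current sessions authenticated and whether the connection is encrypted.
--    auth_scheme is KERBEROS, NTLM or SQL; encrypt_option is TRUE or FALSE.
--    Requires VIEW SERVER STATE.
SELECT s.login_name,
       s.host_name,
       s.program_name,
       c.auth_scheme,
       c.encrypt_option,
       c.net_transport
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
  ON s.session_id = c.session_id
WHERE c.parent_connection_id IS NULL -- one row per physical connection
ORDER BY c.auth_scheme, s.login_name;
```

Rows in the third result with auth_scheme SQL identify the applications that still depend on SQL Server logins, and rows with encrypt_option FALSE show connections running without transport encryption.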
