Tuesday, Aug1:49:27 PM - Password hashing notes Would you happen to be able to provide your source of information regarding the statement "Renaming and disabling the sa account won't stop internal processes from being able to use the sa account. Seeing what you have here has swayed me to advise to turn it off. It has been used as a quick-fix until I could get around to creating a dedicated 'admin' ID that identifies me and allows auditing. I've always been on the fence about the use of SA because some of the sites that I have operated will have multiple domains with AD rarely having been configured correctly to enable the use of the proper groups. Windows groups is considered a best practice for SQL Server security Passwords last changed on your SQL Server-based logins. SQL Server profiler to detect if someone is logging in as sa.Ĭonfigure so you catch failed logins against your SQL Server. This is the safest approach I have found. Then to script the rename and disabling of the account immediately after the
My standard practice is to script the rename back to sa and enabling of theĪccount right before the application of any kind of update to SQL Server and In practice, however, there have been a couple of hiccups.
In theory, these should install just fine even with a renamed and disabled saĪccount. What about Service Packs and Cumulative Updates?
Therefore, there's no reason NOT to rename and disable the sa account. Server Agent jobs owned by sa won't fail, either. Like master and tempdb, require the sa account as the owner. This is a good thing, because some databases, Therefore, if you have databases whose ownersĪre sa, there isn't a problem. Renaming and disabling the sa account won't stop internal processes fromīeing able to use the sa account. What about Impersonation, Database Ownership, and SQL Server Agent? If you open up SQL Server Management Studio and you see something like this Passwords for domain controllers and particular accounts and passwords to beĪble to administer your Active Directory environment.
Your Windows administrators shouldĪlready be facing the same issues with respect to preserving particular Never use the password, it's likely not going to stick in memory.īut what if you do have to retain it for disaster recovery purposes? In thatĬase, following the standard procedures for your organization with respect to While passwords generated by such generatorsĬan be memorized (most of us have done it), this tends to happen because theĪccount is used over and over and the password is typed in repeatedly.
Preferably, when choosing the password use a password generator so that the Logins is a registry change and a restart. Server accepting only Windows logins to accepting both Windows and SQL Server