Re: Default Hidden login/password?
From: Hal Berenson (haroldb@truemountainconsulting.com)
Date: 12/22/02
From: "Hal Berenson" <haroldb@truemountainconsulting.com> Date: Sun, 22 Dec 2002 00:44:16 -0800
Use SSL!
--
Hal Berenson
True Mountain Consulting

"John" <jonashbaugh@hotmail.com> wrote in message news:OlWl4mGqCHA.2252@TK2MSFTNGP12...
> Jasper,
>
> We currently have a beta tester that is using our application / sql
> server solution. I was using the sa login to login to the server from our
> office. Since you're saying that this is bad...any other solutions to my
> dilemma? I have the ability to pcanywhere into the server as well. We are
> also setting up replication between the server here and at the clients. What
> other security issues should I be aware of? Should I deny access to sa? Any
> additional input would be most appreciated.
>
> John
>
>
> "Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
> news:#f8AafFqCHA.2796@TK2MSFTNGP10...
> > If you are not using IPSEC or SSL anyone with the
> > ability to search google can easily find out how to grab
> > the password off the wire. The "encryption" for SQL
> > passwords during a connect is tantamount to plain text,
> > it's that easy to decipher. The benefit of using NT logins
> > is that no password is transmitted to the server. It also
> > allows better auditing of changes to the server if you have
> > multiple administrators. It's easy enough to set up a local
> > group on the server (e.g. SERVER\SQLDBA) and add
> > your admins to that NT group and then grant access to
> > SQL for that group and add it to the sysadmin role. If it's
> > just you then just add a login for your NT account.
> > Whilst you may well have firewalls in place, internal hacking
> > is a growing threat and since it is so straightforward to hack
> > SQL login passwords, it makes sense not to use them,
> > especially for high risk accounts like sa.
> >
> > --
> > HTH
> >
> > Jasper Smith (SQL Server MVP)
> >
> > I support PASS - the definitive, global
> > community for SQL Server professionals -
> > http://www.sqlpass.org
> >
> > "John" <jonashbaugh@hotmail.com> wrote in message
> > news:#R0IFIFqCHA.2252@TK2MSFTNGP12...
> > > I have set up deny for BUILTIN\Administrators. I login using the sa account.
> > > Bad idea? Why? Thanks in advance. Our sa password is over 12 characters
> > > long.
> > >
> > > "Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
> > > news:OTlgDkEqCHA.2764@TK2MSFTNGP09...
> > > > No, not hidden but there are 2 default logins
> > > >
> > > > 1) sa - built in sysadmin SQL login - make sure it has
> > > > a very strong password and don't use it ever.
> > > > 2) BUILTIN\Administrators - NT group that maps to
> > > > the local administrators group on the server. Sysadmin
> > > > rights by default.
> > > >
> > > > --
> > > > HTH
> > > >
> > > > Jasper Smith (SQL Server MVP)
> > > >
> > > > I support PASS - the definitive, global
> > > > community for SQL Server professionals -
> > > > http://www.sqlpass.org
> > > >
> > > > "John" <jonashbaugh@hotmail.com> wrote in message
> > > > news:OSCIqFEqCHA.1776@TK2MSFTNGP09...
> > > > > Is there a default hidden login and password like there is in Oracle? I want
> > > > > to make sure that the server is secure. Thanks.
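
The NT-group setup described in the quoted reply, written out as an added T-SQL example that is not part of the original thread. It assumes the SQL Server 2000-era system procedures and that the local NT group (named SERVER\SQLDBA, as in the post) already exists and holds the administrators' NT accounts.

```sql
-- Added example, not from the thread.
-- Assumption: the local NT group SERVER\SQLDBA already exists on the server.

-- 1. Give the NT group a SQL Server login and place it in the sysadmin role,
--    so administrators connect with their NT credentials instead of sa.
EXEC sp_grantlogin 'SERVER\SQLDBA'
EXEC sp_addsrvrolemember 'SERVER\SQLDBA', 'sysadmin'

-- 2. Review every login that holds sysadmin.
--    isntname = 0 marks a SQL login (password sent at connect time);
--    denylogin = 1 marks an NT login or group that has been denied access.
SELECT name, isntname, isntgroup, denylogin
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY isntname, name

-- 3. Report the server's authentication mode; the config_value column shows
--    whether SQL logins such as sa are still accepted alongside NT logins.
EXEC master.dbo.xp_loginconfig 'login mode'
```

Run it from an existing sysadmin connection, and confirm that an NT account in the group can connect before retiring day-to-day use of sa.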