Re: Windows vs SQL

From: Mark Broadbent (nospamplease_mark.broadbent_at_virgin.net)
Date: 07/16/03


Date: Wed, 16 Jul 2003 12:43:56 +0100


See Jasper's reply. I would also add that with SQL security, the sa
account is a "known" entity in that a hacker knows that it exists and therefore
just has to worry about cracking the password, whereas the Windows auth. users
could be called anything. Also, the SQL accounts will not lock out if there
are too many validation attempts (whereas Windows accounts will). Needless to
say, a very long sa password using a combination of chars, numbers and
special chars would take a hacker a very long time to crack.
Sometimes you have to plump for mixed authentication because of old apps'
requirements.

-- 
BR,
Mark Broadbent mcse+i, mcdba
_________________________
"Sean" <seanmccown@srcp.com> wrote in message
news:0b4e01c34b11$43140aa0$a001280a@phx.gbl...
> thanks for your response, but that just doesn't make
> sense... i have accountants, lawyers, etc in my company,
> and they have varied rights on the lan... to say that i
> would want a hacker to have any rights that these people
> do is just unheard of... i wouldn't want anyone outside the
> company to have access to a HR director's 'necessary'
> resources... there has to be a better answer than that...
> right?
> sean.
>
>
>
> >-----Original Message-----
> >The guidelines also indicate that the NT account should not be given access
> >to unnecessary resources, making the admins point moot.
> >
> >"Sean" <seanmccown@srcp.com> wrote in message
> >news:019e01c34b0b$402d4d20$a601280a@phx.gbl...
> >> i'm always hearing that ms recommends trusted security for
> >> sql... but many admins i know prefer sql security because
> >> they say that if someone were to compromise a sql
> >> password, they only have access to sql, but if they were
> >> to compromise a trusted password, they would also have a
> >> windows account to get onto the lan with... how does this
> >> fit into ms's model for recommending trusted security...
> >> i mean... even with trusted security, i can go to dos and
> >> bring up any of my db tools with runas... so what does
> >> trusted security buy me in this context, or what
> >> mechanisms are in play to prevent this....
> >>
> >> thanks,
> >> sean.
> >
> >
> >.
> >
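
The reply at the top of this message notes that SQL logins such as sa do not lock out after repeated failed attempts. As an added example (not part of the original thread), this sketch shows a compensating check: it scans errorlog text for bursts of failed logins per account. It assumes failed-login auditing is enabled on the server; the sample lines are constructed and the line layout in `LINE_RE` is an assumption to adjust for your server version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (timestamp, source, message); layout is an assumption.
SAMPLE_LOG = """\
2003-07-16 12:40:01.10 logon     Login failed for user 'sa'.
2003-07-16 12:40:02.31 logon     Login failed for user 'sa'.
2003-07-16 12:40:03.07 logon     Login failed for user 'sa'.
2003-07-16 12:40:03.90 logon     Login succeeded for user 'reports'. Connection: Non-Trusted.
2003-07-16 12:40:05.12 logon     Login failed for user 'sa'.
2003-07-16 12:40:06.44 logon     Login failed for user 'sa'.
2003-07-16 12:40:08.02 logon     Login failed for user 'sa'.
2003-07-16 12:47:30.55 logon     Login failed for user 'reports'.
2003-07-16 12:55:00.00 logon     Login failed for user 'sa'.
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+\S+\s+"
    r"Login failed for user '([^']*)'"
)

def failed_logins(text):
    """Yield (timestamp, login) for every failed-login line in the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2).lower()

def guessing_bursts(text, threshold=5, window=timedelta(minutes=1)):
    """Return {login: peak failures inside any window} where peak >= threshold."""
    by_login = defaultdict(list)
    for ts, login in failed_logins(text):
        by_login[login].append(ts)
    alerts = {}
    for login, times in by_login.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[login] = peak
    return alerts

if __name__ == "__main__":
    for login, peak in guessing_bursts(SAMPLE_LOG).items():
        print(f"possible password guessing against '{login}': {peak} failures in 1 minute")
```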

