March 2015 | SansSQL

Saturday, March 7, 2015

Suggested ways to manage SQL server password - A Guest Post by Jyoti Prakash

Security management of SQL server is equally important and you must know that how to manage it. The most initial step to make your SQL server authentic is password security, which required management. Whether it is server or database, all the roles are simplified by security administration by allowing every individual user inherit permissions granted, denied, or abolished to those roles. Although there are multiple areas where user has to put the passwords, which require a proper handling.

SA account is a special login, which is provided for the complete backward compatibility. It is assigned to system admin to fix the roles, which cannot be changed. Therefore, SA account is the most often attacked account and deserves special attention. Here in this article you will get to know about the various rules to manage your SA password. Make sure your password must be random, complex, long and most important not used for multiple instances.
If you are looking for an efficient way to manage your passwords, it is advisable that follow the given techniques to keep track of all your passwords, in case of multiple servers you must use them. There could be multiple ways, here are some of them:

Store Password list
If your number of passwords count is manageable then you can just list them on a sheet and store that hard copy in a safe location. It is advisable that do not store the soft copy of this document as it could be a security risk. This is a very secured way to manage passwords, but could be risky if you have lost the hard copy.

Somewhere this method is not very convenient way to manage passwords as at the time of changing passwords, you have to immediately access this list. If in that case you are not in the situation to access this list. Then this list might become incomplete or become wrong over the time. Therefore, it is recommended that you should opt this method only if you have a reliable and diligent person to take care of this list.

Use Cloud storage
If your organization distributes teams with a rich number of users then, it would be difficult for you to manage all the passwords in the hard copy format. Therefore, to manage such large number of password list you can use several cloud based password management systems that let you to share passwords with the entire team. Many password management tools allow you to your passwords locally so that no one can access your passwords except authenticated users, ever if any other organization using the same password management service.

Local Password storage
Some people do not believe on cloud systems, if you are the one, then a local password store like KeePass, Password Safe, might make more sense to you. Such local password store facilitates multiple powerful features, which make them most trustable and secured ways to manage passwords.

With these tools the password store in encrypted format on a local system. To encrypt the stored password keys, tool uses powerful algorithms that make it infeasible for the attacker. These passwords are handled in such a manner that the system memory will also never store an unencrypted password.
However, these tools also have some shortcomings as well, but in terms of security they are much better.

Enterprise Password Managers
If you belongs to a really big enterprise and have number of servers to manage then enterprise password management tools might be the best thing you are looking for.

An Enterprise password manager not only used to store the passwords, however, they provide various other features as well. This tool can automatically manage access auditing and temporary access. This tool can also allow people to quickly access in case of emergency at the time of creating a 'loud' audit entry as well as sending relevant notifications to the authenticated people.
These tools can also schedule the time for regular password change. For example, you can use this feature to change your SA passwords on monthly or quarterly basis without any user interaction.

Do not use Password
In case you do not feel that there is a requirement of any password, so for this SQL Server also has a feature to disable its Authentication. If this is what you required then your all the authentication and password management system completely depends upon Active Directory. In this mode, you are allowed to control anyone's access up to a particular limit by just including the account into the appropriate AD group, this action can be easily analyzed. Additionally, You will also have a simple process to take all those accounts back out of those groups after a particular interval.

The best advantage of this approach is, that you do not have to manage multiple passwords therefore do not have any risk of security in terms of loss passwords. Here you can easily disable SQL Authentication, therefore, can say that it is the most secured way to handle sysadmin access to your SQL Server instances. Although it is not applicable in every case but this option is surely a considered to a good one.

Conclusion:
In the above mentioned information, you can see various ways to manage your SQL Server SA passwords. Each technique has its own pros and cons, so you have to choose the one according to your requirements. However, in case after following a proper way you have lost your password due to any reason then there are professionalSQL password recovery tools available that can access SQL master database file and allow you to reset your lost or forgotten SQL SA and other individual user passwords. You can choose a reputed and reliable product if you are facing any of such problems. 

About Jyoti Prakash
Jyoti is a Sr. DBA - SQL Server at Stellar Data Recovery and has written several article on SQL Server disaster recovery planning & fixing. In addition, she spend her time on Technical forums helping people with the issues related to SQL server.