Honestly, I'm not using SA to access databases, neither are my applications. However, one of our vendors sets an SA password and then requires Windows credentials and disables SQL users. I have no idea why the vendor does it that way, I've called to complain and have been told that it will be addressed in the next release. In the interim, I don't want to get into a war with a vendor that goes along the lines of "you modified our installer script, therefore you're not supported." They haven't released an updated script, and while I do know what to change, it's just not a risk I'm willing to take when I have a viable, if annoying alternative.
This isn't a niche app, it's essentially our "we can't do business without this software" app.

On Thu, Dec 17, 2009 at 12:07 PM, Ziots, Edward <[email protected]> wrote:

> Honestly,
>
> If you are using SA to access databases, you should or the owner of said application should be flogged mercilessly, along with being tarred and feathered and dunked in a deep fat fryer. That is one of the worst security issues with SQL, the use of SQL authentication along with giving SA rights.
>
> Editing a script to install SQL is cake and including the SA password, which should be different than any other SA password for any database should be done as a best practice.
>
> That and ripping the local administrators out of the System Administrators for SQL by default.
>
> Z
>
> Edward Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
> [email protected]
> Phone:401-639-3505
>
> ------------------------------
> *From:* Jonathan Link [mailto:[email protected]]
> *Sent:* Thursday, December 17, 2009 10:43 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Thursday Funny Request
>
> They may have an SA password they use and have an SOP to change it as soon as an application is installed. In this case, the installer is getting an error when it attempts to set the SA password to one that is less complex than what your AD would like. There are three options to resolve this. First is to relax the policy, which I agree with you, you shouldn't do. The second is to pull the machine from the domain, complete the install, change the SA password, add back to the domain. The final option is to find the installer script file for the application, edit it so it changes the SA password to something complex enough. However, I don't like to go mucking about in SQL installer scripts unless I have a really good reason (this isn't one). It's much simpler to remove from AD and add back in.
>
> He made the request, because the error message says that's what he needs. I wouldn't expect any less from a DBA. As a sysadmin you need to flog him gently and give him the options you're comfortable with.
>
> On Thu, Dec 17, 2009 at 9:58 AM, Sherry Abercrombie <[email protected]> wrote:
>
> They have an SA password that they use for all their databases. This is something to do with calculating taxes, at least that's what the server is, oh and I didn't mention, this server is in the test environment, we've also got two additional servers for this purpose one in Dev and one in production.
>
> Nope it's not gonna happen. We'll remove it from the domain (2003 domain) and he can just deal with it.
>
> On Thu, Dec 17, 2009 at 8:52 AM, Jonathan Link <[email protected]> wrote:
>
> It's the SA password.
>
> Is this thing on?
>
> On Thu, Dec 17, 2009 at 9:49 AM, Kennedy, Jim <[email protected]> wrote:
>
> That is the part I don’t get. Based upon his/her request the installer shouldn’t even need to know the password. It should just install with the logged in credentials. And if it chokes on a complex password during install maybe because of a service it installs it will choke afterwards too.
>
> Unless he/she is asking for the password to remain ‘simple’ after the install…..Just because I am curious I would love to hear the rest of this story.
>
> *From:* Sherry Abercrombie [mailto:[email protected]]
> *Sent:* Thursday, December 17, 2009 9:32 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Thursday Funny Request
>
> What I want to know is what kind of application in 2009 "requires" a network password to not be complex to be installed?
>
> I'm just glad he's not in the office yet because I would have to rip him to shreds.....yeah you can call me alice.
>
> On Thu, Dec 17, 2009 at 8:14 AM, David Lum <[email protected]> wrote:
>
> A complex password is so easy to create this sentence is one. **Any** properly formatted sentence is an adequately complex “password”. People see me enter my password and ask “how do you remember all that?”. A 25 character sentence is easier to remember than some bizarre mix of random characters of half the length.
>
> Even 17 December 2009 is a complex password – does SQL not allow spaces in passwords? You security experts, is “Sr2FDeT2M0hProYMs” a more complex password than “There once was a man from Nantucket.”? The latter is a 35 character password that I’m sure most of you could remember.
>
> *David Lum* // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
> *From:* Sherry Abercrombie [mailto:[email protected]]
> *Sent:* Thursday, December 17, 2009 5:46 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Thursday Funny Request
>
> A complex password is SOOOO easy to create, just look at what is used whenever you go to a MS training class: p...@ssw0rd, or something along those lines. Even today's date configured correctly meets the password complexity requirements....17December2009. Sheesh.......now I've quit laughing and am bordering on being pissed off.
>
> On Thu, Dec 17, 2009 at 7:39 AM, Jon Harris <[email protected]> wrote:
>
> Sounds to me like you have some people working as DBAs that should be watched ALL the time to me.
>
> Jon
>
> On Thu, Dec 17, 2009 at 8:37 AM, Sherry Abercrombie <[email protected]> wrote:
>
> Got this request from one of our DBAs, I'm waiting to respond until after I stop laughing hysterically:
>
> Need domain policy temporarily changed on dbaserver to remove requirement for Windows complex password, so application can be installed and then the policy can be reactivated.
>
> --
> Sherry Abercrombie
>
> "Any sufficiently advanced technology is indistinguishable from magic."
> Arthur C. Clarke
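An added example, not part of the original thread: a simplified Python model of the documented Windows "Password must meet complexity requirements" rule (three of five character classes, plus the account-name and display-name checks), run against the passwords quoted in the messages above. The function names, the minimum length of 7 and the two rejected samples are assumptions made for illustration; this is not the Windows implementation.

```python
import re

# Special characters per Microsoft's description of the policy setting
# "Password must meet complexity requirements" (space is not in that list).
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")
NAME_DELIMS = r"[,.\-_ #\t]+"  # delimiters used to tokenize the display name


def character_classes(password):
    """Return the set of character categories present in the password."""
    classes = set()
    for ch in password:
        if ch in "0123456789":
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isalpha():
            classes.add("other-alpha")  # caseless letters, e.g. CJK
    return classes


def complexity_failures(password, account_name="", display_name="", min_length=7):
    """Return the reasons for rejection; an empty list means accepted.

    min_length is a separate policy setting; 7 here is an assumed value.
    """
    failures = []
    if len(password) < min_length:
        failures.append("too short")
    if len(character_classes(password)) < 3:
        failures.append("fewer than 3 character classes")
    lowered = password.lower()
    # An account name shorter than 3 characters (such as "sa") is not checked.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        failures.append("contains account name")
    tokens = [t for t in re.split(NAME_DELIMS, display_name) if len(t) >= 3]
    if any(t.lower() in lowered for t in tokens):
        failures.append("contains display-name token")
    return failures


if __name__ == "__main__":
    # Passwords quoted in the thread, plus two constructed rejects.
    for pw in ["17December2009", "17 December 2009", "Sr2FDeT2M0hProYMs",
               "There once was a man from Nantucket.", "password", "Sa1!"]:
        print(repr(pw), complexity_failures(pw) or "accepted")
```

Every password quoted in the thread passes the class check, the sentence doing so on upper case, lower case and the final period alone; the rule measures character variety and name reuse, not guessability.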
