Then I agree there isn't much you are going to be able to do until the vendor fixes their stuff. I just don't see that they are setting SA password, and then requiring Windows authentication accordingly. You can map Windows Login to SQL permissions accordingly, to give them enough to install with, without having to give or reset SA. Could just create an empty database, and restore the db from backup (seen that done quite a few times).
Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
[email protected]
Phone:401-639-3505

________________________________
From: [email protected] [mailto:[email protected]]
Sent: Thursday, December 17, 2009 1:48 PM
To: NT System Admin Issues
Subject: Re: Thursday Funny Request

So, they would have fewer problems with the system changing domain membership than with the script being updated to install? Wow.

Sent from my Verizon Wireless BlackBerry

________________________________
From: Jonathan Link <[email protected]>
Date: Thu, 17 Dec 2009 13:19:11 -0500
To: NT System Admin Issues<[email protected]>
Subject: Re: Thursday Funny Request

Honestly, I'm not using SA to access databases, neither are my applications. However, one of our vendors sets an SA password and then requires Windows credentials and disables SQL users. I have no idea why the vendor does it that way, I've called to complain and have been told that it will be addressed in the next release. In the interim, I don't want to get into a war with a vendor that goes along the lines of "you modified our installer script, therefore you're not supported." They haven't released an updated script, and while I do know what to change, it's just not a risk I'm willing to take when I have a viable, if annoying alternative. This isn't a niche app, it's essentially our "we can't do business without this software" app.

On Thu, Dec 17, 2009 at 12:07 PM, Ziots, Edward <[email protected]> wrote:

Honestly, if you are using SA to access databases, you should or the owner of said application should be flogged mercilessly, along with being tarred and feathered and dunked in a deep fat fryer. That is one of the worst security issues with SQL, the use of SQL authentication along with giving SA rights. Editing a script to install SQL is cake and including the SA password, which should be different than any other SA password for any database, should be done as a best practice.
That and ripping the local administrators out of the System Administrators for SQL by default.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
[email protected]
Phone:401-639-3505

________________________________
From: Jonathan Link [mailto:[email protected]]
Sent: Thursday, December 17, 2009 10:43 AM
To: NT System Admin Issues
Subject: Re: Thursday Funny Request

They may have an SA password they use and have an SOP to change it as soon as an application is installed. In this case, the installer is getting an error when it attempts to set the SA password to one that is less complex than what your AD would like. There are three options to resolve this. First is to relax the policy, which I agree with you, you shouldn't do. The second is to pull the machine from the domain, complete the install, change the SA password, add back to the domain. The final option is to find the installer script file for the application, edit it so it changes the SA password to something complex enough. However, I don't like to go mucking about in SQL installer scripts unless I have a really good reason (this isn't one). It's much simpler to remove from AD and add back in.

He made the request, because the error message says that's what he needs. I wouldn't expect any less from a DBA. As a sysadmin you need to flog him gently and give him the options you're comfortable with.

On Thu, Dec 17, 2009 at 9:58 AM, Sherry Abercrombie <[email protected]> wrote:

They have an SA password that they use for all their databases. This is something to do with calculating taxes, at least that's what the server is, oh and I didn't mention, this server is in the test environment, we've also got two additional servers for this purpose one in Dev and one in production. Nope it's not gonna happen. We'll remove it from the domain (2003 domain) and he can just deal with it.
On Thu, Dec 17, 2009 at 8:52 AM, Jonathan Link <[email protected]> wrote:

It's the SA password. Is this thing on?

On Thu, Dec 17, 2009 at 9:49 AM, Kennedy, Jim <[email protected]> wrote:

That is the part I don't get. Based upon his/her request the installer shouldn't even need to know the password. It should just install with the logged in credentials. And if it chokes on a complex password during install, maybe because of a service it installs, it will choke afterwards too. Unless he/she is asking for the password to remain simple after the install. Just because I am curious I would love to hear the rest of this story.

From: Sherry Abercrombie [mailto:[email protected]]
Sent: Thursday, December 17, 2009 9:32 AM
To: NT System Admin Issues
Subject: Re: Thursday Funny Request

What I want to know is what kind of application in 2009 "requires" a network password to not be complex to be installed? I'm just glad he's not in the office yet because I would have to rip him to shreds.....yeah you can call me alice.

On Thu, Dec 17, 2009 at 8:14 AM, David Lum <[email protected]> wrote:

A complex password is so easy to create, this sentence is one. *Any* properly formatted sentence is an adequately complex password. People see me enter my password and ask "how do you remember all that?". A 25 character sentence is easier to remember than some bizarre mix of random characters of half the length. Even "17 December 2009" is a complex password; does SQL not allow spaces in passwords?

You security experts, is "Sr2FDeT2M0hProYMs" a more complex password than "There once was a man from Nantucket."? The latter is a 35 character password that I'm sure most of you could remember.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Sherry Abercrombie [mailto:[email protected]]
Sent: Thursday, December 17, 2009 5:46 AM
To: NT System Admin Issues
Subject: Re: Thursday Funny Request

A complex password is SOOOO easy to create, just look at what is used whenever you go to a MS training class: p...@ssw0rd, or something along those lines. Even today's date configured correctly meets the password complexity requirements....17December2009. Sheesh.......now I've quit laughing and am bordering on being pissed off.

On Thu, Dec 17, 2009 at 7:39 AM, Jon Harris <[email protected]> wrote:

Sounds to me like you have some people working as DBAs that should be watched ALL the time to me.

Jon

On Thu, Dec 17, 2009 at 8:37 AM, Sherry Abercrombie <[email protected]> wrote:

Got this request from one of our DBAs, I'm waiting to respond until after I stop laughing hysterically:

Need domain policy temporarily changed on dbaserver to remove requirement for Windows complex password, so application can be installed and then the policy can be reactivated.

--
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
Sent from Keller, TX, United States
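The thread's claims that a date or an ordinary sentence already satisfies the Windows "password must meet complexity requirements" rule can be checked mechanically. The following is an added example, not part of any message in the thread: a simplified Python model of that rule (three of five character categories, no account-name tokens). The account name `svc_sql`, display name `SQL Service` and minimum length of 8 are assumptions, and the check says nothing about how guessable a password is.

```python
import re
import unicodedata

# Symbol set as listed in Microsoft's description of the policy (assumption:
# the space character is not counted, since it is not in that list).
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

def categories(pw):
    """Return the set of character categories present in pw."""
    found = set()
    for ch in pw:
        if ch in SPECIALS:
            found.add("symbol")
        elif ch.isdigit() and ch.isascii():
            found.add("digit")
        elif ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif unicodedata.category(ch) in ("Lo", "Lm", "Lt"):
            found.add("other-alpha")
    return found

def name_tokens(sam, display):
    """Account name whole, display name split on delimiters; < 3 chars ignored."""
    toks = [sam] + re.split(r"[,.\-_ #\t]", display)
    return [t.lower() for t in toks if len(t) >= 3]

def check(pw, sam="svc_sql", display="SQL Service", min_len=8):
    """Return the reasons pw would be rejected (empty list = accepted)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if len(categories(pw)) < 3:
        reasons.append("fewer than 3 character categories")
    low = pw.lower()
    if any(t in low for t in name_tokens(sam, display)):
        reasons.append("contains part of the account name")
    return reasons

# Candidates quoted in the thread, plus two constructed counter-examples.
SAMPLES = ["17December2009", "17 December 2009",
           "There once was a man from Nantucket.", "Sr2FDeT2M0hProYMs",
           "password",        # constructed: one category only
           "Svc_SQL-2009!"]   # constructed: embeds the account name

if __name__ == "__main__":
    for pw in SAMPLES:
        print("%-40r %s" % (pw, check(pw) or "accepted"))
```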
