Cranky Series: Limit Access to the SA and Service Account Passwords


August 30, 2012 by Mike Hillwig

I swear that some developers have no clue when it comes to security.

At my former employer, we had a vendor-supplied system that was hard-coded to connect to the database server as SA. And worse yet, it wouldn’t allow you to put a password on the SA account. That’s right, SA with no password. The ironic thing is that this was our building security software. That’s right. Security software using a very insecure method of accessing the data.

If applications are hard-coded to use SA and we see this during testing, I’m probably going to pick a fight with the vendor. You don’t get SA access in my environment. You are going to get an account that has only the permissions you need to run the application. We’ll give you elevated rights during an upgrade if needed.

In the perfect world, everything would run as a service and use that service account to connect to the database server. But it’s not a perfect world. How do I know this? We have developers. What better proof do you need?
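As an added example (not part of Mike's post or any vendor's code), this is the T-SQL a DBA might run to give a vendor application the kind of account described above instead of SA, and to list who actually holds sysadmin; the login name, database name and password are hypothetical placeholders.

```sql
-- Added example, not from the original post. Login, database and
-- password below are placeholders; substitute your own.
USE master;
GO
-- 1. Nothing should connect as SA, so disable it and give it a
--    non-default name rather than leaving it open with no password.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_disabled];   -- hypothetical new name
GO
-- 2. A dedicated login for the application, subject to the Windows
--    password policy. Prefer a Windows service account where possible.
CREATE LOGIN [BuildingSecurityApp]
    WITH PASSWORD = 'PLACEHOLDER_strong_password_here',
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
USE BuildingSecurityDB;   -- hypothetical application database
GO
CREATE USER [BuildingSecurityApp] FOR LOGIN [BuildingSecurityApp];
-- 3. Only what the app needs day to day: read and write its own
--    tables and run its stored procedures. No db_owner, no sysadmin.
ALTER ROLE db_datareader ADD MEMBER [BuildingSecurityApp];
ALTER ROLE db_datawriter ADD MEMBER [BuildingSecurityApp];
GRANT EXECUTE ON SCHEMA::dbo TO [BuildingSecurityApp];
GO
-- 4. Upgrade time: elevate for the window of the upgrade, then revoke.
-- ALTER ROLE db_owner ADD MEMBER [BuildingSecurityApp];
-- ... run the vendor upgrade ...
-- ALTER ROLE db_owner DROP MEMBER [BuildingSecurityApp];
GO
-- 5. Audit: which logins are SA-equivalent on this instance right now?
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
GO
```

The audit query in step 5 is the one to run after a vendor install, since an installer that silently adds its login to sysadmin shows up there.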

  • eccentricDBA

    This one makes me a very cranky dba.
    “If applications are hard-coded to use SA and we see this during testing, I’m probably going to pick a fight with the vendor.”

    The other one that gets me upset is when the application is hard-coded to check to see if a user is a sysadmin before it runs.

    I would be interested in seeing a blog post on how you handle the conversations with the vendor on this issue.

  • If you write “CASE x WHEN null” it is the same as writing “x = null”. SQL has only IS NULL to compare x with null and you cannot use the “=”. If you write “CASE WHEN x is null” you are using the correct SQL syntax for a null compare. I’m sorry for my very bad English. Claudio.
