RSS Feed

Cranky Series: Limit Access to the SA and Service Account Passwords


August 30, 2012 by Mike Hillwig

I swear that some developers have no clue when it comes to security.

At my former employer, we had a vendor-supplied system that was hard-coded to connect to the database server as SA. And worse yet, it wouldn’t allow you to put a password on the SA account. That’s right, SA with no password. The ironic thing is that this was our building security software. That’s right. Security software using a very insecure method of accessing the data.

If applications are hard-coded to use SA and we see this during testing, I’m probably going to pick a fight with the vendor. You don’t get SA access in my environment. You are going to get an account that has only the permissions you need to run the application. We’ll give you elevated rights during an upgrade if needed.

In the perfect world, everything would run as a service and use that service account to connect to the database server. But it’s not a perfect world. How do I know this? We have developers. What better proof do you need?