Access SQL Server securely using Windows domain accounts


Serdar Yegulalp, Contributor
10.03.2005

You can authenticate to SQL Server using either a native SQL Server user account or a Windows domain account, such as one managed in Active Directory. All too often, a SQL Server administrator who simply wants to get things up and running will use SQL Server's native administrator account (the sa account) rather than set up properly controlled access to SQL Server. Setting up that access is worth the extra effort, especially considering most hacks come from inside an organization.

Windows domain accounts offer the most secure access to SQL Server from the outside. There are two primary reasons for this:

1. Windows domain authentication is more secure

When a user's credentials are sent to SQL Server using SQL Authentication, the process is primarily unencrypted. The data is obfuscated using a static hash that can easily be reverse engineered. (In fact, the folks at SQLSecurity.com have published a simple stored procedure script that can be used to decrypt a hashed username/password.)

If you must use SQL Authentication, use SSL encryption or the Multiprotocol Net Library to prevent data from being read in the clear.

2. Windows domain authentication has more account-management possibilities

Setting policies for password age and complexity, account-lockout controls, and various other defenses makes it that much more difficult to crack a SQL Server system using brute force. SQL Server doesn't have account-management controls with the same level of sophistication, unless you decide to roll your own or buy a third-party solution. Why bother doing that when Windows offers it to you already?

One scenario where you could probably use SQL Authentication consistently and get away with it is when you're hosting SQL Server on the same computer as, for instance, a Web server, and there is no access to SQL Server from outside the box. Even then, you'd still need to be careful not to allow privilege elevation on the accounts in use.
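
To check both points on a running instance, here is an added audit example (not part of the original tip). It assumes SQL Server 2005 or later, where these catalog views and dynamic management views exist, and a login with VIEW SERVER STATE permission; `CONTOSO\SqlAppUsers` is a placeholder group name.

```sql
-- Added audit example. The queries are read-only; the remediation at the
-- end is left commented out and uses placeholder names.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. How many logins of each kind exist (SQL login, Windows user, Windows group).
SELECT type_desc, COUNT(*) AS login_count
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
GROUP BY type_desc;

-- 3. SQL-authenticated logins and whether password policy, expiration
--    and lockout apply to them. Rows with is_policy_checked = 0 come first.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
       LOGINPROPERTY(name, 'IsLocked')            AS is_locked
FROM sys.sql_logins
ORDER BY is_policy_checked, name;

-- 4. The built-in administrator login, found by its fixed SID so that a
--    renamed sa account is still reported.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01;

-- 5. Current connections that used SQL Authentication over an
--    unencrypted channel (the case point 1 above warns about).
SELECT c.session_id, s.login_name, s.host_name,
       c.net_transport, c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.auth_scheme = 'SQL'
  AND c.encrypt_option = 'FALSE';

-- Remediation sketch (placeholder names; review before running):
-- CREATE LOGIN [CONTOSO\SqlAppUsers] FROM WINDOWS;  -- grant access to a domain group
-- ALTER LOGIN sa DISABLE;                           -- once nothing depends on sa
```

Rows returned by query 5 are the sessions to move to Windows authentication or to an encrypted connection first.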

About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!


All Rights Reserved, Copyright 2005 - 2009, TechTarget