You can authenticate to SQL Server using either a native SQL Server user account or a Windows domain account, such as Active Directory. All too often, a SQL Server administrator who simply wants to get things up and running will use SQL Server's native administrator account (the sa account) rather than set up properly controlled access to SQL Server. Setting up that access is worth the extra effort, especially considering that most hacks come from inside an organization.
Windows domain accounts offer the most secure access to SQL Server from the outside. There are two primary reasons for this:
1. Windows domain authentication is more secure
When a user's credentials are sent to SQL Server using SQL Authentication, they travel essentially unencrypted: the data is obfuscated with a static hash that can easily be reverse engineered. (In fact, the folks at SQLSecurity.com have published a simple stored procedure script that can be used to decrypt a hashed username/password.)
2. Windows domain authentication has more account-management possibilities
Setting policies for password age and complexity, account-lockout controls, and various other defenses makes it that much more difficult to crack a SQL Server system using brute force. SQL Server doesn't have account-management controls with the same level of sophistication, unless you decide to roll your own or buy a third-party solution. Why bother doing that when Windows already offers it to you?
One scenario where you could probably use SQL Authentication consistently and get away with it is when you're hosting SQL Server on the same computer as, for instance, a Web server, and there is no access to SQL Server from outside the box. Even then, you'd still need to be careful not to allow privilege elevation on the accounts in use.
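The following T-SQL audit script is an added example, not part of the original article or any SQLSecurity.com script. It answers the questions the article raises: whether the instance accepts SQL Authentication at all (mixed mode), which SQL logins exist (including sa) and whether they inherit the Windows password policy, and which Windows domain accounts and groups have been granted access. It assumes SQL Server 2005 or later, where the sys.server_principals and sys.sql_logins catalog views and SERVERPROPERTY('IsIntegratedSecurityOnly') are available.

```sql
-- Added example (not from the original article).
-- Assumes SQL Server 2005+ catalog views; run as a member of sysadmin or securityadmin.

-- 1 = Windows Authentication only; 0 = mixed mode, i.e. SQL logins are accepted
-- and their credentials travel in the obfuscated login packet the article describes.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- SQL-authenticated logins. sa is the login whose sid is 0x01 (principal_id 1).
-- is_policy_checked / is_expiration_checked show whether the login inherits the
-- Windows complexity, lockout and password-age policy (added in SQL Server 2005).
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CASE WHEN sid = 0x01 THEN 1 ELSE 0 END AS is_sa
FROM sys.sql_logins
ORDER BY is_sa DESC, name;

-- Windows domain accounts (type U) and groups (type G) granted access to the instance.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('U', 'G')
ORDER BY name;

-- Remediation once Windows logins are in place and nothing still depends on sa:
-- ALTER LOGIN sa DISABLE;
```

A result of windows_auth_only = 0 together with an enabled sa login is the configuration the article warns against; the Windows login list is what should remain after access has been moved to domain accounts, and the disabled sa is the end state of the exception scenario above once privilege elevation has been closed off.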
About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!