
Access SQL Server securely using Windows domain accounts

Windows domain accounts offer the most secure access to SQL Server. Contributor Serdar Yegulalp explains why and how to use Windows authentication to defend against hackers and brute-force attacks.

You can authenticate to SQL Server using either a native SQL Server user account or a Windows domain account, such as an Active Directory account. All too often, a SQL Server administrator who simply wants to get things up and running will use SQL Server's native administrator account (the sa account) rather than set up properly controlled access to SQL Server. That step is worth the extra effort, especially considering most hacks come from inside an organization.

Windows domain accounts offer the most secure access to SQL Server from the outside. There are two primary reasons for this:

1. Windows domain authentication is more secure

When a user's credentials are sent to SQL Server using SQL Authentication, the process is primarily unencrypted. The data is obfuscated using a static hash that can easily be reverse engineered. (In fact, the folks at have published a simple stored procedure script that can be used to decrypt a hashed username/password.)

If you must use SQL Authentication, use SSL encryption or the Multiprotocol Net Library to prevent data from being read in the clear.

2. Windows domain authentication has more account-management possibilities

Setting policies for password age and complexity, account-lockout controls, and various other defenses makes it that much more difficult to crack a SQL Server system using brute force. SQL Server doesn't have account-management controls with the same level of sophistication, unless you decide to roll your own or buy a third-party solution. Why bother doing that when Windows offers it to you already?

One scenario where you could probably use SQL Authentication consistently and get away with it is when you're hosting SQL Server on the same computer as, for instance, a Web server, and there is no access to SQL Server from outside the box. Even then, you'd still need to be careful not to allow privilege elevation on the accounts in use.
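The points above (prefer Windows authentication over SQL Authentication, require encryption when SQL Authentication is unavoidable, and stay away from the sa account) translate directly into things you can check in the connection strings your applications use. The following Python script is an added example, not code from the article or from Microsoft: it parses ADO.NET/ODBC-style `key=value;` connection strings and flags the weaknesses discussed here. The keywords it looks for (`Integrated Security`, `Trusted_Connection`, `Encrypt`, `User ID`/`UID`, `Password`/`PWD`) are the standard SqlClient and ODBC keywords; the audit logic and the sample connection strings are constructed for this example.

```python
"""Audit SQL Server connection strings for the weaknesses discussed in the article.

Constructed example. Reports, per connection string:
  - SQL Authentication used instead of Windows (integrated) authentication
  - SQL Authentication without transport encryption (Encrypt=true)
  - login as the built-in 'sa' administrator account
  - a password embedded in the connection string
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Keywords that select Windows (integrated) authentication in SqlClient / ODBC.
INTEGRATED_KEYS = ("integrated security", "trusted_connection")
INTEGRATED_TRUE = {"true", "yes", "sspi"}
ENCRYPT_TRUE = {"true", "yes"}


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split a ';'-separated connection string into lower-cased keys.

    Values keep their case (they may be passwords); surrounding quotes are
    stripped. Fragments without '=' are ignored, as the providers do.
    """
    settings: Dict[str, str] = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').strip("'")
    return settings


def uses_windows_auth(settings: Dict[str, str]) -> bool:
    """True when the string asks the provider for integrated authentication."""
    return any(settings.get(k, "").lower() in INTEGRATED_TRUE for k in INTEGRATED_KEYS)


def is_encrypted(settings: Dict[str, str]) -> bool:
    """True when the client requests TLS/SSL for the connection."""
    return settings.get("encrypt", "").lower() in ENCRYPT_TRUE


@dataclass
class AuditResult:
    windows_auth: bool
    encrypted: bool
    findings: List[str] = field(default_factory=list)


def audit_connection_string(conn: str) -> AuditResult:
    """Apply the article's recommendations to one connection string."""
    settings = parse_connection_string(conn)
    windows_auth = uses_windows_auth(settings)
    encrypted = is_encrypted(settings)
    user = (settings.get("user id") or settings.get("uid") or "").lower()
    findings: List[str] = []
    if not windows_auth:
        findings.append("SQL Authentication in use; prefer a Windows domain account")
        if not encrypted:
            findings.append("SQL Authentication without Encrypt=true; "
                            "credentials are only obfuscated on the wire")
        if user == "sa":
            findings.append("login uses the built-in 'sa' administrator account")
        if "password" in settings or "pwd" in settings:
            findings.append("password embedded in the connection string")
    return AuditResult(windows_auth, encrypted, findings)


# Constructed sample connection strings (no real hosts or credentials).
SAMPLES = {
    "weak":    "Server=db01;Database=Sales;User ID=sa;Password=Passw0rd!;",
    "better":  "Server=db01;Database=Sales;UID=app_user;PWD=s3cret;Encrypt=yes;",
    "windows": "Server=db01;Database=Sales;Integrated Security=SSPI;Encrypt=true;",
    "odbc":    "Driver={ODBC Driver 17 for SQL Server};Server=db01;Trusted_Connection=yes;",
}


def audit_all() -> Dict[str, AuditResult]:
    """Audit every sample and return the results keyed by sample name."""
    return {name: audit_connection_string(conn) for name, conn in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        status = "OK" if not result.findings else f"{len(result.findings)} finding(s)"
        print(f"{name:8s} windows_auth={result.windows_auth} encrypted={result.encrypted} {status}")
        for finding in result.findings:
            print(f"         - {finding}")
```

Running the script against the constructed samples shows the "weak" string collecting every finding, the encrypted non-sa SQL login still flagged for using SQL Authentication and embedding a password, and both Windows-authentication strings passing clean. The same check can be pointed at web.config or app settings files during a review.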

About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!


  • This was last published in October 2005
