Honestly,

If you are using SA to access databases, you or the owner of said
application should be flogged mercilessly, along with being tarred and
feathered and dunked in a deep fat fryer. That is one of the worst
security issues with SQL, the use of SQL authentication along with
giving SA rights.

 

Editing a script to install SQL is cake, and including the SA password,
which should be different than any other SA password for any database,
should be done as a best practice.

 

That and ripping the local administrators out of the System
Administrators for SQL by default. 

 

Z

 

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505

________________________________

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Thursday, December 17, 2009 10:43 AM
To: NT System Admin Issues
Subject: Re: Thursday Funny Request

 

They may have an SA password they use and have an SOP to change it as
soon as an application is installed.  In this case, the installer is
getting an error when it attempts to set the SA password to one that is
less complex than what your AD would like.  There are three options to
resolve this.  First is to relax the policy, which I agree with you, you
shouldn't do.  The second is to pull the machine from the domain,
complete the install, change the SA password, add back to the domain.
The final option is to find the installer script file for the
application, edit it so it changes the SA password to something complex
enough.   However, I don't like to go mucking about in SQL installer
scripts unless I have a really good reason (this isn't one).  It's much
simpler to remove from AD and add back in.

 

He made the request, because the error message says that's what he
needs.  I wouldn't expect any less from a DBA.  As a sysadmin you need
to flog him gently and give him the options you're comfortable with.

On Thu, Dec 17, 2009 at 9:58 AM, Sherry Abercrombie <saber...@gmail.com>
wrote:

They have an SA password that they use for all their databases.  This is
something to do with calculating taxes, at least that's what the server
is, oh and I didn't mention, this server is in the test environment,
we've also got two additional servers for this purpose one in Dev and
one in production.  

Nope it's not gonna happen.  We'll remove it from the domain (2003
domain) and he can just deal with it. 

On Thu, Dec 17, 2009 at 8:52 AM, Jonathan Link <jonathan.l...@gmail.com>
wrote:

        It's the SA password.

        Is this thing on?

        On Thu, Dec 17, 2009 at 9:49 AM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:

                That is the part I don't get. Based upon his/her request
                the installer shouldn't even need to know the password. It should just
                install with the logged in credentials. And if it chokes on a complex
                password during install maybe because of a service it installs it will
                choke afterwards too.

                Unless he/she is asking for the password to remain
                'simple' after the install.....Just because I am curious I would love to
                hear the rest of this story.

                 

                 

                 

                From: Sherry Abercrombie [mailto:saber...@gmail.com] 
                Sent: Thursday, December 17, 2009 9:32 AM 

                
                To: NT System Admin Issues
                Subject: Re: Thursday Funny Request

                 

                What I want to know is what kind of application in 2009
                "requires" a network password to not be complex to be installed?

                I'm just glad he's not in the office yet because I would
                have to rip him to shreds.....yeah you can call me alice.

                On Thu, Dec 17, 2009 at 8:14 AM, David Lum <david....@nwea.org> wrote:

                A complex password is so easy to create this sentence is
                one. *Any* properly formatted sentence is an adequately complex
                "password". People see me enter my password and ask "how do you remember
                all that?". A 25 character sentence is easier to remember than some
                bizarre mix of random characters of half the length.

                Even 17 December 2009 is a complex password - does SQL
                not allow spaces in passwords? You security experts, is
                "Sr2FDeT2M0hProYMs" a more complex password than "There once was a man
                from Nantucket."? The latter is a 35 character password that I'm sure
                most of you could remember.

                David Lum // SYSTEMS ENGINEER 
                NORTHWEST EVALUATION ASSOCIATION
                (Desk) 971.222.1025 // (Cell) 503.267.9764

                From: Sherry Abercrombie [mailto:saber...@gmail.com] 

                Sent: Thursday, December 17, 2009 5:46 AM

                
                To: NT System Admin Issues

                Subject: Re: Thursday Funny Request

                 

                A complex password is SOOOO easy to create, just look at
                what is used whenever you go to a MS training class:  p...@ssw0rd, or
                something along those lines.  Even today's date configured correctly
                meets the password complexity requirements....17December2009.
                Sheesh.......now I've quit laughing and am bordering on being pissed
                off.

                On Thu, Dec 17, 2009 at 7:39 AM, Jon Harris <jk.har...@gmail.com> wrote:

                Sounds to me like you have some people working as DBAs
                that should be watched ALL the time to me.

                 

                Jon

                On Thu, Dec 17, 2009 at 8:37 AM, Sherry Abercrombie <saber...@gmail.com> wrote:

                Got this request from one of our DBAs, I'm waiting to
                respond until after I stop laughing hysterically:

                Need domain policy temporarily changed on dbaserver to
                remove requirement for  Windows complex password, so application can be
                installed and then the policy can be reactivated.

                
                
                -- 

                Sherry Abercrombie
                
                "Any sufficiently advanced technology is
indistinguishable from magic." 

                Arthur C. Clarke 

                 

                 

                 

                 

                 

                
                
                

                 

                 

                 

                 

         

         

         




-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic." 
Arthur C. Clarke
Sent from Keller, TX, United States 
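
Added example, not part of the original thread: the two practices named in the top reply (nothing but the DBA using SA rights, local administrators removed from the SQL sysadmin role) and the password-policy enforcement behind the installer error can be audited with T-SQL like this. It assumes SQL Server 2005 or later; the login name in the remediation comments is a placeholder.

```sql
-- 1. Who holds sysadmin? BUILTIN\Administrators or an application's
--    SQL login showing up here is what the top reply objects to.
SELECT m.name        AS member_name,
       m.type_desc   AS login_type,     -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
       m.is_disabled,
       CASE
           WHEN m.name = N'BUILTIN\Administrators' THEN 'local admins are sysadmin'
           WHEN m.type_desc = 'SQL_LOGIN' AND m.sid <> 0x01 THEN 'SQL login with SA rights'
           ELSE ''
       END           AS finding
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;

-- 2. SQL-authenticated logins and whether the Windows password policy
--    is enforced for them. is_policy_checked = 1 is the setting that
--    makes a weak SA password fail on a domain with complexity rules.
SELECT name,
       CASE WHEN sid = 0x01 THEN 1 ELSE 0 END AS is_sa,  -- sa always has SID 0x01
       is_disabled,
       is_policy_checked,
       is_expiration_checked
FROM sys.sql_logins
ORDER BY is_sa DESC, name;

-- 3. Remediation, to be run deliberately once the findings are reviewed.
--    Confirm another working sysadmin login exists before removing
--    BUILTIN\Administrators, or the instance can be left without an admin.
--
--    EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';
--    ALTER LOGIN [app_login_placeholder] WITH CHECK_POLICY = ON;  -- placeholder name
```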

 

 

 

 

 
