
Policy for the SQL sa password

CRITICAL

Revisions:

Version   Date         Description        Author
1.0       26.09.2008   Initial document

1. Introduction

Security needs and the nature of an organization's business dictate how the sa password should be managed. Depending on the environment there are different levels of protection for the sa login, and as the security needs increase additional measures must be implemented to protect and manage the most privileged login in SQL Server. Since the XX Bank is an organization that takes great care over security issues and regulatory requirements, an official policy for a strong sa password is a necessity.

2. Password management options for the SQL Server system administrator (sa) login

SQL Server supports two authentication modes: Windows authentication mode and Mixed mode authentication. Although Windows authentication is the recommended mode and is more secure than mixed mode, many applications require mixed mode authentication. This is the main reason why the XX Bank decided to use the second option. Mixed mode authentication requires a strong password for the system administrator (sa) login. The sa login is enabled when mixed mode is selected, and a prompt for its password appears during the installation process.

3. Recommendations for implementing the sa policy

The following recommendations, given as the opinion of the current DBAs, would be very helpful to the organization.

3.1 Promotion of applications

Applications should not be promoted into the organization's environment if they use the sa password.

3.2 Password safety: four eyes principle

The electronic or physical password should be kept safe, meaning that the sa password should be stored in a very secure and not easily accessible location. In a sensitive environment where important financial data can be abused, the four eyes principle is the preferred option to protect the system from dishonest acts and disastrous mistakes. There should be a limited number of people who know the password or have access to it. The recommendation is to split the password between two DBAs. The first DBA defines the first half of the password, writes it on paper and puts the paper in an envelope. The second DBA defines the second half of the password, writes it on paper and puts the paper in an envelope, too. Then each of the two envelopes is put into the safe. So one DBA should know the first half of the password and the other DBA the second half.

3.3 Password policy

The sa password in SQL Server 2005 should be enforced by password policy. Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When the password complexity policy is enforced, new passwords must meet the following guidelines:

- The password does not contain all or part of the user's account name. Part of an account name is defined as three or more consecutive alphanumeric characters delimited on both ends by white space (space, tab, return, etc.) or any of the following characters: , . - _ #
- The password is at least six characters long.
- The password contains characters from three of the following four categories:
  - English uppercase letters (A-Z)
  - English lowercase letters (a-z)
  - Base 10 digits (0-9)
  - Non-alphanumeric characters (for example: !, $, #, or %)

Source: SQL Server Books Online

3.4 Strong password

The password should be strong. A strong password has the following characteristics:

- Combines letters, numbers, and symbol characters.
- Is not found in a dictionary.
- Is not the name of a command.
- Is not the name of a person.
- Is not the name of a user.
- Is not the name of a computer.
- Is changed regularly.
- Is significantly different from previous passwords.
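The following Python checker is an added example and is not part of the policy document or of SQL Server; it implements the three complexity rules quoted in section 3.3 (account-name parts, minimum length, character categories) and takes an optional blocklist standing in for the section 3.4 lists of dictionary words, commands, user and computer names. The function names, the sample blocklist and the assumption that account names shorter than three characters are not checked as a whole are all constructed for this example.

```python
import re

# Delimiters that bound a "part" of an account name under the complexity
# rule quoted in section 3.3: white space or any of , . - _ #
# A part is a run of three or more alphanumeric characters bounded on both
# sides by such a delimiter or by the start/end of the account name.
_ACCOUNT_PART = re.compile(r"(?<![^\s,.\-_#])[A-Za-z0-9]{3,}(?![^\s,.\-_#])")


def account_name_parts(account_name: str) -> list[str]:
    """Tokens of the account name that the rule treats as 'parts'."""
    return _ACCOUNT_PART.findall(account_name)


def check_password(password: str, account_name: str = "sa",
                   blocklist: tuple[str, ...] = ()) -> list[str]:
    """Return the list of rule violations; an empty list means the candidate
    satisfies the section 3.3 rules and the optional section 3.4 blocklist.
    Comparisons are case-insensitive."""
    violations: list[str] = []
    lower = password.lower()

    # Rule 1: no full account name (assumption made here: names shorter than
    # three characters, such as the login "sa", are not checked as a whole)
    # and no part of the account name.
    if len(account_name) >= 3 and account_name.lower() in lower:
        violations.append("contains the full account name")
    for part in account_name_parts(account_name):
        if part.lower() in lower:
            violations.append(f"contains part of the account name: {part}")

    # Rule 2: minimum length of six characters.
    if len(password) < 6:
        violations.append("shorter than six characters")

    # Rule 3: characters from at least three of the four categories.
    categories = (
        any("A" <= c <= "Z" for c in password),   # English uppercase letters
        any("a" <= c <= "z" for c in password),   # English lowercase letters
        any("0" <= c <= "9" for c in password),   # base 10 digits
        any(not c.isalnum() for c in password),   # non-alphanumeric characters
    )
    if sum(categories) < 3:
        violations.append("uses fewer than three of the four character categories")

    # Section 3.4 extras: not a dictionary word, command, person, user or
    # computer name. The caller supplies that list (see the constructed sample).
    for word in blocklist:
        if word.lower() in lower:
            violations.append(f"contains blocked word: {word}")
    return violations


def meets_policy(password: str, account_name: str = "sa",
                 blocklist: tuple[str, ...] = ()) -> bool:
    """True when check_password reports no violations."""
    return not check_password(password, account_name, blocklist)


# Constructed sample blocklist standing in for the organization's own lists
# of user names, computer names, commands and dictionary words (section 3.4).
SAMPLE_BLOCKLIST = ("password", "xxbank", "sqlsrv01", "shutdown")


if __name__ == "__main__":
    # Constructed account name and candidates for demonstration.
    for candidate in ("sa", "Bank.Admin2024!", "Password!1", "Tr0ub4dor&3"):
        result = check_password(candidate, "XX-BANK.admin", SAMPLE_BLOCKLIST)
        print(f"{candidate!r}: {result or 'meets policy'}")
```

Such a check is best run before a DBA sets a new sa password, so that a candidate that fails the server-side policy is rejected at review time rather than at `ALTER LOGIN` time.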

3.5 Changing the sa password

The password should be changed every six months because the sa account is well known and often targeted by malicious users. When a DBA or any other person who knows the password leaves the organization, the sa password should be changed.

3.6 Sa passwords across the organization

The sa password should be different for each server, so that if one server is compromised the others are not. If the organization does not allow this preferred option, it is good practice to set different sa passwords for different environments such as production, development and test, or even for different application environments such as financial, legal, etc.
