What are the best practices supposed to be for MS SQL authentication?

From: Jay (Jay4050_at_hotmail.com)
Date: 02/23/04


Date: Mon, 23 Feb 2004 11:31:23 -0800

1) First, make sure to patch and upgrade your SQL clients
and SQL servers with the latest service packs and security
fixes. This will make sure that passwords are not stored
in clear text form.
2) The sa user should not be used for any application or even
for administration.
3) Assign a strong password to sa.
4) Create separate SQL users for applications and for
administration and assign them the required permissions.
5) Use a local NT user with minimum permissions on the local
box as the service startup account.
6) If you have publicly accessible sites, then you
should put your web servers behind a firewall, then the database
servers, then another firewall, and only one-way
communication should be allowed from the web servers to the SQL
server, so that if the SQL server is compromised it can't
affect your web servers. No communication should be allowed
from the DMZ to the LAN, and only open the necessary ports for one-way
communication from specific PCs in the LAN to the SQL server.
7) You can install a certificate on the SQL server and encrypt
any communication to and from the SQL server. Passwords are
always encrypted whether you are using encryption or not.

>-----Original Message-----
>Hi there,
>I have a few SQL 2000 servers on my site and I was wondering
>about SQL security and I would like to know:
>What are the best practices supposed to be for MS SQL
>authentication? Is it NT/2000 authentication or SQL, and
>is there a way to encrypt the authentication and make sure
>that it is not saved on the server or workstation as clear text?
>Please let me know.
>
>Thank you.
>
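The following T-SQL is an added example, not part of Jay's reply or the original question, showing what steps 2 through 4 of the reply look like in practice, followed by the checks a DBA would run to confirm the sa login is no longer in use, the current connection is encrypted (step 7), and only the intended principals hold sysadmin. It assumes SQL Server 2005 or later syntax (CREATE LOGIN, CREATE USER, the sys.dm_exec_* views); on SQL Server 2000 the equivalents are sp_addlogin, sp_grantdbaccess and sp_addrolemember. The database WebShop, the table dbo.Orders, the login app_webshop and the Windows group CORP\SQL-DBAs are hypothetical names, and the use of a Windows group for the administration login is this example's choice rather than something the reply specifies.

```sql
-- Added example (not from the original post). Hypothetical names:
-- WebShop, dbo.Orders, app_webshop, CORP\SQL-DBAs. Passwords are placeholders.
-- Syntax assumes SQL Server 2005+; on SQL Server 2000 use sp_addlogin,
-- sp_grantdbaccess and sp_addrolemember instead.
USE master;
GO

-- Step 3: give sa a long random password, then (step 2) take it out of use
-- entirely so no application or administrator connects as sa.
ALTER LOGIN sa WITH PASSWORD = 'Replace-With-A-Long-Random-Passphrase-1!';
ALTER LOGIN sa DISABLE;
GO

-- Step 4a: one SQL login per application, checked against the Windows
-- password policy. Expiration is off because a service account cannot
-- respond to a "change your password" prompt.
CREATE LOGIN app_webshop
    WITH PASSWORD = 'Another-Long-Random-Passphrase-2!',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = WebShop;

-- Step 4b: a separate administration identity. Using a Windows group means
-- no admin password ever lives in a connection string or script.
CREATE LOGIN [CORP\SQL-DBAs] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = 'CORP\SQL-DBAs', @rolename = 'sysadmin';
GO

USE WebShop;
GO
-- Map the application login into its database and grant only what it needs.
CREATE USER app_webshop FOR LOGIN app_webshop;
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO app_webshop;
GRANT EXECUTE ON SCHEMA::dbo TO app_webshop;   -- stored procedures only
-- Deliberately NOT granted: db_owner, ALTER/CREATE, and nothing in master.
GO

-- Check (a): is anything still connecting as sa? Expect zero rows.
SELECT s.session_id, s.host_name, s.program_name, s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.login_name = 'sa';

-- Check (b): is this connection encrypted (step 7)? encrypt_option should
-- read TRUE; auth_scheme shows SQL, NTLM or KERBEROS for the login type.
SELECT c.session_id, c.encrypt_option, c.auth_scheme, c.client_net_address
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;

-- Check (c): who holds sysadmin? Only the admin group (and the disabled sa)
-- should appear; any application login listed here violates step 4.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_principals AS p
WHERE IS_SRVROLEMEMBER('sysadmin', p.name) = 1;
```

Run the three checks from the application server as well as from an admin workstation: check (b) in particular only tells you about the connection you are sitting on, so a TRUE result from Management Studio says nothing about whether the web tier's connection string actually requests encryption.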
