I am using SQL Server 2008 R2. Since 2-3 weeks ago, the sa password has been continuously changing automatically. Does anyone know why this is the case?
Make sure that you have not set the SA account up to change its password after a set amount of time. In PCI compliance mode you may have to roll security passwords. However, you should account for this for your SA accounts.
**SA passwords** don't change or reset automatically.
You can visit a possible solution at this link:
sa password keep changing automatically
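Two checks a DBA would run on the affected instance at this point, as an added example that is not part of the answers above: whether policy or expiration enforcement is turned on for sa, and which login actually issued each sa password change, read from the default trace. It assumes the default trace is enabled (the shipped setting) and that the change is recent enough to still be inside its rollover files.

```sql
-- Added example (not from the answers above). Run as a sysadmin on the affected instance.

-- 1. Policy flags and password age for sa: an expiring password explains a forced change.
SELECT name,
       is_policy_checked,                                   -- 1 = Windows password policy applies
       is_expiration_checked,                               -- 1 = password can expire and be forced
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
       LOGINPROPERTY(name, 'IsExpired')           AS is_expired,
       LOGINPROPERTY(name, 'IsMustChange')        AS is_must_change,
       is_disabled
FROM sys.sql_logins
WHERE name = N'sa';

-- 2. Who changed it: the default trace records "Audit Login Change Password Event".
--    It keeps only a few rollover files, so older changes may already be gone.
DECLARE @trace_path NVARCHAR(260);
SELECT @trace_path = [path] FROM sys.traces WHERE is_default = 1;

SELECT t.StartTime,
       t.LoginName        AS changed_by,      -- login that issued the change
       t.TargetLoginName  AS changed_login,   -- login whose password was changed
       t.HostName,
       t.ApplicationName,                     -- SSMS, a job, an application, ...
       t.TextData
FROM sys.fn_trace_gettable(@trace_path, DEFAULT) AS t
JOIN sys.trace_events AS e ON e.trace_event_id = t.EventClass
WHERE e.name = N'Audit Login Change Password Event'
  AND t.TargetLoginName = N'sa'
ORDER BY t.StartTime DESC;
```

If the second query shows an application name or host you do not recognise, that session, not SQL Server, is rotating the password.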
I have a strange problem. In SQL Server Management Studio 18, I tried to log in with the sa account. It failed.
I know in this case we should check mixed mode auth and the sa enable checkbox. I checked them and they were enabled. I searched the whole net for other checkboxes or something useful, but found nothing that was not already enabled for me.
I logged in with Windows auth and changed the password of sa. After changing it, sa login worked, but a few minutes later, after some tests with my application, I realized that I can't log in remotely as sa. I went back and checked again in Management Studio and, while it was unbelievable, the sa login failed again.
I changed the sa password and the story repeated again. What was happening?
Note, while this doesn't directly resolve a problem experienced with the SA account, which is ultimately unknowable without extensive investigation into the specific host environment, it does form part of best practice which the OP has identified as having resolved their overall problem.
The original comment:
Disable the SA account and create a dedicated application and/or user login with appropriate permissions. The first thing I do on a new SQL instance is kill SA as it's a prime attack surface.
I want to connect to SQL Server using SQL Server authentication in a connection manager in SSIS. I want that, every time the package runs and connects to the server, it uses the user ID and password from a table created in SQL Server at run time.
The reason to get the password from a table is that every 6 months I need to change the password as per the policy, so I don't want to log in to each and every SSIS package and change the password there. I want to change the password in the table and redirect that password through a variable/expression to the connection manager's password field.
I will ignore the idea that saving passwords in plain text makes changing them every six months a futile effort. It is a far greater security risk to have them stored in plain text ANYWHERE.
The solution is to NOT use an SQL Login. Have these services run under a specific Windows User and grant that User the necessary access.
An alternative is to explain the problem to the Security admin and get an account setup that does not expire but that can only login locally as a service. Don't use that account for anything else.
HTH,
Sean
I've logged in to my SQL Server with a registered "sa" SQL account and I want to print (not change) my current password. I can change it, but I have an application using the current password.
I have done
select * from sys.sql_logins where name ='sa'
but it gives me a hashed password
If it is impossible, how do I export my sa connection to another SQL Server instance?
WARNING - HORRIFIC PRACTICE
Change your application to use a user OTHER THAN sa, and preferably without sysadmin permissions. Usually database level db_datareader, db_datawriter, and MAYBE db_ddladmin is enough, though it may need a GRANT EXECUTE on the database.
If you can't, then argue some more. In writing.
If you lose again, go change the sa password to a long, strong, cryptographically random password in concert with the application being updated with a new password.
And make sure that instance is used ONLY for that app, so the risk is limited to that one area.
Recovering the current sa password
First, you are a sysadmin, aren't you? You should already know the sa password! If you lost twice, just change the sa password on the other instance to that same one (or, better, change them both to something better), through ALTER LOGIN (below) or the GUI.
Second, realize that EVERY USER OF THAT APPLICATION CAN GET YOUR SA PASSWORD - they can almost certainly extract it right out of the application with a hex editor, looking for the string pwd or pass (either UCS-2 "Unicode" or ASCII).
You have the application, right? Consult your local security admins, and see if you're allowed to open it up in a hex editor and find the sa password yourself.
Moving the sa password
In general, if you want to move the same password around, you can use
ALTER LOGIN sa WITH PASSWORD = 0x0100AABBCCDD HASHED;  -- 0x... is a placeholder: paste the varbinary password_hash from sys.sql_logins; a quoted string is not accepted here
to change it.
Do not do this regularly - if someone gets hashes of all your passwords (just like you're getting them), it's better that each one have a unique salt, so the attacker has to spend more work testing against many salts before they start finding passwords.
Do not do this from lower protection to higher protection - SQL Server 2005, 2008, and 2008R2 all use the same algorithm. SQL Server 2012 and 2014 use the same. Don't move a 2005/8/8R2 hash to 2012/14; it's significantly weaker (and 2012/14 password hashing is pathetic to begin with).
Thus, you're better off changing the password to what you want in cleartext, so SQL Server generates a new salt. The password hash is incredibly weak, a single iteration of SHA-1 or SHA-512, so it needs all the help it can get.
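The two steps the answer recommends, as an added example that is not the answer's own code: a dedicated least-privilege login for the application (the database-level roles named above), and, if the sa password really must be carried by hash, the format check that keeps it within the same hash family. The names AppDb and app_bugtracker and the hash value are placeholders.

```sql
-- Added example (not from the answer). Run as a sysadmin.
USE master;
GO
-- Part 1: a dedicated application login with only database-level rights.
-- The password is a placeholder; generate a long random one and keep it in a secret store.
CREATE LOGIN app_bugtracker
    WITH PASSWORD = N'<long-random-password-placeholder>',
         CHECK_POLICY = ON,           -- complexity and lockout rules apply
         CHECK_EXPIRATION = OFF;      -- a service login must not expire mid-run
GO
USE AppDb;   -- placeholder database name
GO
CREATE USER app_bugtracker FOR LOGIN app_bugtracker;
EXEC sp_addrolemember 'db_datareader', 'app_bugtracker';   -- works on 2005 through current versions
EXEC sp_addrolemember 'db_datawriter', 'app_bugtracker';
GRANT EXECUTE TO app_bugtracker;      -- only if the application calls stored procedures
GO

-- Part 2: read the sa hash and its format marker on the source instance.
-- 0x0100 = SHA-1 format (2005/2008/2008 R2); 0x0200 = SHA-512 format (2012 and later).
-- Only move a hash between instances whose marker is the same.
USE master;
GO
SELECT name,
       SUBSTRING(password_hash, 1, 2) AS hash_format,     -- first two bytes of the hash
       password_hash                                      -- varbinary value to copy
FROM sys.sql_logins
WHERE name = N'sa';

-- On the target instance, paste the copied varbinary in place of the placeholder.
-- Kept commented out because the placeholder bytes are not a valid hash.
-- ALTER LOGIN sa WITH PASSWORD = 0x0100AABBCCDD HASHED;
```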
I have a database BugTracker which is accessible by the "sa" user.
I have just created a new user AdminBugCatcher. I have also mapped the "BugTracker" database to this user. But this database should not be accessible through the "sa" user.
How can we achieve this?
I have already tried to unlink this database from the "sa" user but I get the error "Drop failed for the User "dbo"".
I don't think it's possible. I'm not an expert, but I do have about 7 years of experience with SQL Server, and to the best of my knowledge, sa is the system administrator, and you can't block this user from anything.
You can disable the sa login (although I wouldn't recommend it), or better yet, just don't give the sa password to anyone except the system administrator.
For a little bit more information, read this.
You can't remove the sa account but you can rename and/or disable it.
Just make sure if you disable the sa account that you have another account with administrator privileges.
Please refer to the link below for disabling/renaming:
http://www.andreas-kraus.net/blog/security-advise-rename-your-sql-server-2005-sa-account/
sa is a member of the SYSADMIN role, and this can't be changed.
All you can do is put a strong password on "sa" and keep it safe.
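The disable-and-rename step from the answers above, as an added example that is not part of any answer: it refuses to proceed unless another enabled login already holds sysadmin, so the instance cannot be left without an administrator. The new name sa_disabled_placeholder is a placeholder.

```sql
-- Added example (not from the answers). Run as a member of sysadmin.
DECLARE @other_admins INT;

-- Count enabled sysadmin members other than sa. sa always has SID 0x01, so the
-- check still works if the login was renamed earlier.
SELECT @other_admins = COUNT(*)
FROM sys.server_principals AS p
JOIN sys.server_role_members AS rm ON rm.member_principal_id = p.principal_id
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = N'sysadmin'
  AND p.is_disabled = 0
  AND p.sid <> 0x01;

IF @other_admins = 0
BEGIN
    RAISERROR('No other enabled sysadmin login exists; create one before disabling sa.', 16, 1);
    RETURN;
END

ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = sa_disabled_placeholder;   -- placeholder name

-- Verify: the principal with SID 0x01 is now disabled under its new name.
SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01;
```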
The title says it pretty well: I can access my SQL Server from the internet, and my users are configured with strong passwords to access only their respective DBs.
But I receive 10000+ login attacks per day with the user "sa".
I don't need "sa" remote access; how do I disable it, and only it?
Thank you!
Security practices by Microsoft and industry state that if you use SQL authentication, you should rename the sa account and disable it. There is really no reason to use that account explicitly for an application or admin account. Most companies require traceability when it comes to security, and use of the sa account in SQL Server does not allow for that.
Even if you disable or rename it you will still see attacks coming in for that account; it comes with the territory. The same thing occurs with the default login Oracle has in their product. Script kiddies and other hacking programs are just programmed to check for those types of accounts.
A better option might be to report where the attacks are coming from on the network side to your network team or ISP. They will be able to better handle that to block that traffic through the network layer. Just my opinion.
Perhaps this might help: in conjunction with this:
As far as I know, SQL Server lets you disable single SQL Server logins, but that means the login is disabled in general, regardless of the machine the user is trying to connect from. So you either disable "sa" in general or you'll have to give the login a really strong password. You might be able to emulate the desired behavior by using a logon trigger that checks where the user connects from, if the user is "sa", but I think that's not a viable solution for you, since you seem to want to get rid of the many connection attempts from attacks. In any case, you might want to remove "sa" from the server role "sysadmin" to guard against a potentially successful login attempt.
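The logon trigger the last answer describes, as an added example that is not part of any answer: it refuses sa sessions that did not originate on the local machine, and a second statement lists the failed attempts with their source addresses from the error log. The trigger name trg_deny_remote_sa is a placeholder; it assumes a 2008 or later instance.

```sql
-- Added example (not from the answers). Keep a second sysadmin session open while
-- testing: a broken logon trigger locks everyone out, and the Dedicated Admin
-- Connection (which logon triggers do not fire for) is the way back in.
CREATE TRIGGER trg_deny_remote_sa
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- ClientHost from the logon event: shared-memory/local connections report
    -- '<local machine>', local TCP reports a loopback address, anything else is remote.
    DECLARE @client NVARCHAR(128) =
        EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'NVARCHAR(128)');

    IF ORIGINAL_LOGIN() = N'sa'
       AND @client NOT IN (N'<local machine>', N'127.0.0.1', N'::1')
    BEGIN
        ROLLBACK;   -- a rollback inside a logon trigger refuses the session
    END
END;
GO

-- The brute-force attempts never reach the trigger (they fail authentication first),
-- but each one is written to the error log with its [CLIENT: address] tag.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user ''sa''', N'CLIENT:';
```

To remove the trigger, run `DROP TRIGGER trg_deny_remote_sa ON ALL SERVER;`.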