T-SQL Tuesday is a monthly event where SQL Server bloggers write a post based on a subject chosen by the month’s host. This month’s host is Kennie Nybo Pontoppidan (b|t) and this month’s topic is: The daily (database-related) WTF.
Some of the biggest WTF moments I have had when working with SQL Server have been poor security practices. One in particular was a SQL Server instance with an enabled sa account that had a password with fewer than 8 characters. This is bad for many reasons, just ask Jeff Atwood of Stack Overflow fame.
This sa account was used by everyone in the company. That’s right, everyone could read, write, and delete the data. They could even cover their tracks if they knew how to. So the company’s data, their most valuable asset, was open to accidental and malicious damage.
I can already hear managers saying:
If you don’t trust your employees, why employ them in the first place?
Well, there is the whole accidental damage thing. I guess you could cover that by having a good backup/restore process (if your RTO and RPO permitted the downtime), but don’t expect to pass any security audits coming your way. Hint: your clients won’t like this.
But wait there’s more…
This sa account was also used by the application’s web servers to connect directly to the database. There was no application layer, no web application firewall and, worst of all, the password was stored in plain text on each web server!
Call to Action
Secure your data by disabling the sa account on all of your SQL Server instances. Give it a very strong password and rename it. If your superiors are saying “if it ain’t broke, don’t fix it”, check out Remus Rusanu’s answer to Rob Sewell’s question.
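As an added example (not code from the original post), here is a T-SQL script that carries out that call to action on one instance: it first audits the built-in sa login by its fixed SID 0x01 (so it is found even if someone already renamed it) and lists the sessions currently using it, then renames it, sets a policy-checked password and disables it. The new login name and the password are placeholders to replace.

```sql
-- 1. Audit: locate the built-in sa login by its fixed SID, not by name,
--    and report whether it is enabled, policy-checked or has a blank password.
SELECT  name,
        is_disabled,
        is_policy_checked,
        is_expiration_checked,
        CASE WHEN PWDCOMPARE(N'', password_hash) = 1
             THEN 'BLANK' ELSE 'set' END AS password_state,
        modify_date
FROM    sys.sql_logins
WHERE   sid = 0x01;

-- 2. Find out who (people, web servers, services) is connected with it right now,
--    so nothing breaks silently when the login is disabled.
SELECT  s.login_name, s.host_name, s.program_name, s.login_time
FROM    sys.dm_exec_sessions AS s
WHERE   s.login_name = (SELECT name FROM sys.sql_logins WHERE sid = 0x01);

-- 3. Remediate: rename (placeholder name), set a long random password that the
--    Windows password policy checks (placeholder value), then disable the login.
--    The sa login cannot be dropped, so disable + rename is the mitigation.
ALTER LOGIN [sa] WITH NAME = [builtin_admin_disabled];
ALTER LOGIN [builtin_admin_disabled]
    WITH PASSWORD = N'<replace-with-a-long-random-passphrase>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;
ALTER LOGIN [builtin_admin_disabled] DISABLE;

-- 4. Verify: the row should now show is_disabled = 1 and the new name.
SELECT name, is_disabled FROM sys.sql_logins WHERE sid = 0x01;
```

Run step 2 over a period long enough to catch scheduled jobs and deployments before applying step 3, and move each application found to its own least-privilege login.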
If you would like to be the host of a T-SQL2sday event, then read these rules and contact Adam Machanic.