Database Engine Configuration - Account Provisioning

SQL Server Setup

Beginning in SQL Server 2005, significant changes were implemented to help ensure that SQL Server was more secure than previous versions. Changes included a “secure by design, secure by default, and secure in deployment” strategy designed to protect the server instance and its databases from security attacks.

SQL Server 2008 continues the security hardening process by introducing more changes to the server and database components. SQL Server 2008 leverages the User Account Control (UAC) found in Windows Vista and Windows Server 2008.

The changes introduced in SQL Server 2008 further decrease the surface and attack areas for the server and its databases by instituting a policy of “Least Privileged Authority.” This means that internal accounts are protected and separated into operating system functions and SQL Server functions. These measures include:

  • The ability to provision one or more Windows principals into the Sysadmin server role inside SQL Server. This option is available during SQL Server Setup.
  • The Surface Area Configuration (SAC) tool has been removed, and replaced by poliyc-based management and changes in the Configuration Manager tool.

These changes will affect your security planning for SQL Server, and help you create a more complete security profile for your system.

Considerations for Running SQL Server 2008 on Windows Vista

On Windows versions earlier than Windows Vista, members of the local Administrators group do not need their own SQL Server logins and they do not have to be granted administrative rights inside SQL Server. They connect to SQL Server as the built-in server principal BUILTIN\Administrators, and they have administrative rights inside SQL Server because BUILTIN\Administrators is a member of the sysadmin fixed server role.

On Windows Vista, these mechanisms are available only to administrative users who are running with elevated Windows permissions, which is not recommended. By default, administrators perform most actions as a standard user on Windows Vista and Windows Server 2008 operating systems. As a result, you should create a SQL Server login for each administrative user, and add that login to the sysadmin fixed server role. You should also do this for Windows accounts that are used to run SQL Server agent jobs. These include replication agent jobs.

The following considerations apply when you install and run SQL Server 2008 on Windows Vista.

Issues Caused by User Account Control in Windows Vista

Windows Vista includes a new feature, User Account Control (UAC) that helps administrators manage their use of elevated permissions. By default, on Windows Vista, administrators do not use their administrative rights. Instead, they perform most actions as standard users, temporarily assuming their administrative rights only when it is necessary.

UAC causes some known issues. For more information, see the following Web pages on TechNet:

Windows Vista: User Account Control

Options

Security Mode - Select Windows Authentication or Mixed Mode Authentication for your installation.

Windows Principal Provisioning - In previous versions of SQL Server, the Windows Builtin\Administrator local group was placed into the SQL Server sysadmin server role, effectively granting Windows administrators access to the instance of SQL Server.

Important:
If your organization’s processes or code depend on Windows Builtin\Administrator local group access, you must explicitly grant the right to log in to SQL Server. Setup will not allow you to continue until you complete this step.

Specify SQL Server Administrators - You must specify at least one Windows principal for the instance of SQL Server. To add the account under which SQL Server Setup is running, click the Current User button. To add or remove accounts from the list of system administrators, click Add or Remove, and then edit the list of users, groups, or computers that will have administrator privileges for the instance of SQL Server.

When you are finished editing the list, click OK, then verify the list of administrators in the configuration dialog. When the list is complete, click Next.

If you select Mixed Mode Authentication, you must provide logon credentials for the builtin SQL Server system administrator (SA) account.

Security Note:
Do not use a blank password. Use a strong password.

Windows Authentication Mode

When a user connects through a Windows user account, SQL Server validates the account name and password using the Windows principal token in the operating system. This is the default authentication mode, and is much more secure than Mixed Mode. Windows Authentication utilizes Kerberos security protocol, provides password policy enforcement in terms of complexity validation for strong passwords, provides support for account lockout, and supports password expiration.

Security Note:
When possible, use Windows Authentication.

Important:
Do not use a blank password. Use a strong password. Never set a blank or weak sa password.

Mixed Mode (Windows Authentication or SQL Server Authentication)

Allows users to connect by using Windows Authentication or SQL Server Authentication. Users who connect through a Windows user account can use trusted connections that are validated by Windows.

If you must choose Mixed Mode Authentication and you have a requirement for using SQL logins to accommodate legacy applications, you must set strong passwords for all SQL Server accounts.

Note:
SQL Server Authentication is provided for backward compatibility only. When possible, use Windows Authentication.

Enter Password

Enter and confirm the system administrator (sa) login. Passwords are the first line of defense against intruders, so setting strong passwords is essential to the security of your system. Never set a blank or weak sa password.

Note:
SQL Server passwords can contain from 1 to 128 characters, including any combination of letters, symbols, and numbers. If you choose Mixed Mode authentication, you must enter a strong sa password before you can continue to the next page of the Installation Wizard.

Strong Password Guidelines

Strong passwords are not readily guessed by a person, and are not easily hacked using a computer program. Strong passwords cannot use prohibited conditions or terms, including:

  • A blank or NULL condition
  • "Password"
  • "Admin"
  • "Administrator"
  • "sa"
  • "sysadmin"

A strong password cannot be the following terms associated with the installation computer:

  • The name of the user currently logged onto the machine.
  • The computer name.

A strong password must be more than 8 characters in length and satisfy at least three of the following four criteria:

  • It must contain uppercase letters.
  • It must contain lowercase letters.
  • It must contain numbers.
  • It must contain non-alphanumeric characters; for example, #, %, or ^.

Passwords entered on this page must meet strong password policy requirements. If you have any automation that uses SQL Server Authentication, ensure that the password meets strong password policy requirements.

See Also