Tuesday, October 28, 2008

Password Best Practices

When you create accounts to access your SQL Server databases, make sure you use alphanumeric passwords that are at least ten characters long. In a multi-server environment I also recommend local accounts granted the least privileges necessary. Please don't use a domain account for application access to a database unless it is for an individual user's own access. When creating SQL accounts, make sure that the password itself is made up of digits and letters and is at least ten keystrokes long. Give that account the lowest possible privileges for the applications that use the database, and above all do not use a domain (AD) account that has access to several servers. A worst practice would be to create a generic SQL user account with its level of access included in its name and with a password equal to the account name (which, given the forces of complacency in a workplace, will never end up being changed).
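The least-privilege SQL account described above, written out as an added T-SQL example that is not from the original post. The database name AppDb, the login name AppDbReader, the role name app_reader and the procedure dbo.usp_GetOrders are placeholders; the password placeholder must be replaced before the script will run with policy checking on.

```sql
-- Added example (not from the original post). Placeholders: AppDb, AppDbReader,
-- app_reader, dbo.usp_GetOrders and the password string.
USE [master];
GO

-- CHECK_POLICY = ON makes SQL Server enforce the host's Windows password policy
-- (length and complexity) when the login is created, so a weak or name-equals-
-- password value is rejected instead of quietly accepted. Expiration stays off
-- because an application account cannot change its own password interactively;
-- rotate it on a schedule instead.
CREATE LOGIN [AppDbReader]
    WITH PASSWORD = N'<at least ten mixed letters and digits>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = [AppDb];
GO

USE [AppDb];
GO

-- Map the login to a database user and put it in a role that carries only the
-- permissions the application actually uses: read access to dbo plus one procedure.
CREATE USER [AppDbReader] FOR LOGIN [AppDbReader];
CREATE ROLE [app_reader];
EXEC sp_addrolemember N'app_reader', N'AppDbReader';   -- ALTER ROLE ... ADD MEMBER on 2012+

GRANT SELECT  ON SCHEMA::[dbo]                 TO [app_reader];
GRANT EXECUTE ON OBJECT::[dbo].[usp_GetOrders] TO [app_reader];
GO

-- The "worst practice" the post describes, left here commented out only so it is
-- recognisable when found in an existing environment: access level baked into the
-- name, password equal to the name, and policy checking switched off.
-- CREATE LOGIN [app_dbowner] WITH PASSWORD = N'app_dbowner', CHECK_POLICY = OFF;
```

Granting to a role rather than to the user directly means the next application account gets the same narrow permission set by membership alone, which keeps the per-account grants from drifting over time.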

If you have arrived in a new environment and have been asked to check the password strength of the existing database infrastructure, Idera's Password Checker (part of its admin toolset) does the job quite well. Using several tools (up to three, to be sure), such as the Microsoft Baseline Security Analyser, to verify the security will let you reassure the 'powers that be' of how secure your databases are.

Let's say you are configuring SQL Server to handle web server sessions in a load-balancing environment. You will probably have to create a sysadmin-level account for the setup to work; in that case (since, as far as I know, you cannot get around it) an obscurely named account with a password of more than ten alphanumeric characters is your safest bet.
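A home-grown check for the two weakest patterns the post names (a blank password, or a password equal to the login name), plus a list of the SQL logins that hold sysadmin, as an added T-SQL example that is not from the original post and not a replacement for the tools it recommends. PWDCOMPARE is a documented SQL Server function; the query has to be run as a sysadmin (CONTROL SERVER) principal so that password_hash is visible, and it only detects the specific weak values tested, not general password strength.

```sql
-- Added audit query (not from the original post). Run as a sysadmin / CONTROL SERVER
-- principal so that password_hash is visible. PWDCOMPARE returns 1 when the clear-text
-- candidate hashes to the stored value, so this tests only the named weak patterns.
SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1            THEN 1 ELSE 0 END AS blank_password,
        CASE WHEN PWDCOMPARE(l.name, l.password_hash) = 1         THEN 1 ELSE 0 END AS password_equals_name,
        CASE WHEN PWDCOMPARE(LOWER(l.name), l.password_hash) = 1  THEN 1 ELSE 0 END AS password_equals_lower_name,
        -- Loose heuristic for the "access level in the name" pattern from the post.
        CASE WHEN l.name LIKE N'%admin%' OR l.name LIKE N'%owner%' THEN 1 ELSE 0 END AS privileged_word_in_name
FROM    sys.sql_logins AS l
WHERE   l.password_hash IS NOT NULL
ORDER BY password_equals_name DESC, blank_password DESC, l.is_policy_checked, l.name;

-- SQL logins holding sysadmin, such as the account a web session-state setup may force
-- you to create: confirm they are few, obscurely named and policy-checked.
SELECT  l.name,
        l.is_policy_checked,
        l.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.sql_logins          AS l ON l.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY l.name;
```

Any row with password_equals_name or blank_password set to 1, or with is_policy_checked = 0, is a candidate for an immediate ALTER LOGIN ... WITH PASSWORD plus CHECK_POLICY = ON; the sysadmin list is the set of accounts whose names and passwords deserve the most scrutiny, because any one of them compromises every database on the instance.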