tamartin
Starting Member
4 Posts
Posted - 2007-06-18 : 14:56:39
Hello, we have mixed mode set on all of our SQL 2000 servers. External auditors (SOX) are questioning the validity of mixed mode and would like us to go to Windows authentication. Has anyone else run into this requirement and, if so, what justification was used to support mixed mode? We do have a number of Linux machines connecting to SQL. They are also asking for a 90-day password rotation on SQL logins. Any help would be greatly appreciated. Thanks.
tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2007-06-18 : 15:16:14
You'd have to upgrade to SQL Server 2005 if you want password expiration built-in. If you've got clients connecting from Linux, then I'm pretty sure you have to use SQL authentication, which means mixed mode is required. Linux clients aren't connected via Windows, so there's no Windows security context to pass to SQL Server when logging in.

Tara Kizer
http://weblogs.sqlteam.com/tarad/
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts
Posted - 2007-06-18 : 15:28:13
If your application does not support Windows authentication, you will have to allow SQL Server passwords or change the application.

Forcing password expiration, preventing reuse, enforcing password complexity, etc. is not supported in SQL Server 2000 for SQL Server logins. If you want that, you will have to use SQL Server 2005, build it into the application, or change to Windows authentication.

Just because the auditors desire it does not mean it has to be done. The potential cost of a security breach has to be weighed against the cost of making the requested application changes.

CODO ERGO SUM
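The SQL Server 2005 options that tkizer and Michael Valentine Jones describe, as an added T-SQL example (not code from either poster): checking the server's authentication mode, enabling the Windows password policy and expiration on a SQL login, and an audit query over sys.sql_logins. The login names and the password are constructed placeholders.

```sql
-- Added example, not from the thread. Requires SQL Server 2005 or later;
-- login names and the password below are constructed placeholders.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Create a SQL login for a client that cannot use Windows authentication
--    (e.g. a Linux box). CHECK_POLICY applies the Windows password policy
--    (complexity, lockout); CHECK_EXPIRATION additionally applies the Windows
--    "Maximum password age" setting (the 90 days the auditors ask for is set
--    in Local Security Policy or domain Group Policy), so rotation is enforced
--    by the server rather than by the application.
CREATE LOGIN linux_app_user                        -- placeholder name
    WITH PASSWORD         = 'Placeholder-Pa55word!', -- placeholder password
         CHECK_POLICY     = ON,
         CHECK_EXPIRATION = ON;

-- 3. Retrofit an existing SQL login that was created without policy checks.
--    CHECK_EXPIRATION cannot be ON while CHECK_POLICY is OFF, so set both.
ALTER LOGIN existing_app_login                     -- placeholder name
    WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 4. Audit query to show an auditor: every SQL login, whether policy and
--    expiration are enforced, when the password was last set, and whether
--    the login is currently expired. Logins with is_expiration_checked = 0
--    sort first because they are the ones still outside the rotation rule.
SELECT  name,
        is_disabled,
        is_policy_checked,
        is_expiration_checked,
        LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
        LOGINPROPERTY(name, 'IsExpired')           AS is_expired
FROM    sys.sql_logins
ORDER BY is_expiration_checked, name;
```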
tamartin
Starting Member
4 Posts
Posted - 2007-06-19 : 08:57:14
Thanks for the replies. The info helps. Just wondering how many people are running mixed mode vs. NT authentication only. Any other comments would be greatly appreciated. Has anyone had trouble with third-party software requiring a SQL login?
tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2007-06-19 : 11:41:24
Well, most third-party software I've used has used SQL authentication. In fact, they try to use sa a lot. It just shows you how much the vendor understands SQL Server security when they are using sa. I run mixed mode on all of my servers. For whatever reason, the admins do not set up trust relationships between our back DMZ domain and our front DMZ domain, so the only way to authenticate is to use SQL authentication. We run mission-critical systems; however, none of them are financial applications or anything that would need to be SOX compliant. All of our SOX stuff is on Oracle.

Tara Kizer
http://weblogs.sqlteam.com/tarad/