Geeks With Blogs

@bsherwin

Brian Sherwin's Blog Moving at the Speed of .Net

I'm going to start a series of short posts on stupid things developers do that they shouldn't.  Some of these have been preached for years, some are just developers don't know any better.

So here goes...starting with security!

#1:  Never use the SA account in a production database.

I worked with a company that purchased a time and billing database that was developed as a web application.  Cool thing was that when we installed it, we had to change the SA password per their setup guide.  When we looked at the code...SA was hard coded 138 times with this password!  Guess using a config file was out of the question.

#2:  Not unlike #1...Never leave the SA password blank.

OK. So Microsoft decides that you must set this when you first enable SQL authentication. So what do people set it to "blank"...Yes! the actual word.

#3:  Corollary to #1 and #2...Don't set the ASPNET account to the "System Administrators" role inside SQL Server!

This is no different than using the SA account.  You don't want users accessing your data in "god" mode.

Those are the biggest and worst ones--and the ones I see broken the most often.

Posted on Tuesday, January 30, 2007 3:37 PM | Back to top


Comments on this post: SQL Developer Don'ts (Part 1)

# re: SQL Developer Don'ts (Part 1)
Requesting Gravatar...
But...but...but...it's so much harder...and...but...and I have to...to...actually plan the security....and...deal with security issues...


OH! WHOA! Sorry...had a flashback to my current employer...sorry!

Okay...seriously...good advice!
Left by Codesailor on Jan 30, 2007 4:04 PM

Your comment:
 (will show your gravatar)
 


Copyright © Brian Sherwin | Powered by: GeeksWithBlogs.net | Join free