Database Engine Configuration - Account Provisioning
Beginning in SQL Server 2005, significant changes were implemented to help ensure that SQL Server was more secure than previous versions. Changes included a "secure by design, secure by default, and secure in deployment" strategy designed to protect the server instance and its databases from security attacks.
SQL Server 2008 continues the security hardening process by introducing more changes to the server and database components. These changes further decrease the surface and attack areas for the server and its databases by instituting a policy of least privilege and by increasing the separation of Windows administration and SQL Server administration. This means that internal accounts are protected and separated into operating system functions and SQL Server functions. These measures include:
New SQL Server 2008 installations no longer add the local Windows Group BUILTIN\Administrators to the SQL Server sysadmin fixed server role.
The ability to provision one or more Windows principals into the sysadmin server role inside SQL Server. This option is available during SQL Server Setup for new installations of SQL Server 2008.
The Surface Area Configuration (SAC) tool has been removed, and replaced by policy-based management and changes in the SQL Server Configuration Manager tool.
These changes will affect your security planning for SQL Server, and help you create a more complete security profile for your system.
Windows Vista and Windows Server 2008 include a new feature, User Account Control (UAC), that helps administrators manage their use of elevated permissions. By default, on Windows Vista and Windows Server 2008, administrators do not use their administrative rights. Instead, they perform most actions as standard users, temporarily assuming their administrative rights only when it is necessary. However, instead of elevating privileges, we recommend one of the following options:
If you are using Windows authentication mode, you should create a Windows user account that has sufficient permissions to perform all necessary administrative tasks.
If you are using Mixed Mode (SQL Server authentication and Windows authentication), you might consider creating a SQL Server login account that is used for administrative purposes only.
UAC causes some known issues. For more information, see the following Web pages:
Security Mode - Select Windows authentication or Mixed Mode authentication for your installation.
Windows Principal Provisioning - In previous versions of SQL Server, the Windows BUILTIN\Administrators local group was placed into the SQL Server sysadmin server role, effectively granting Windows administrators access to the instance of SQL Server. In SQL Server 2008, the BUILTIN\Administrators group is not provisioned in the sysadmin server role. Instead, you should explicitly provision SQL Server administrators for new installations during setup.
If your organization's processes or code depend on Windows BUILTIN\Administrators local group access, you must explicitly provision SQL Server administrators for new installations during setup. Setup will not allow you to continue until you complete this step.
Specify SQL Server Administrators - You must specify at least one Windows principal for the instance of SQL Server. To add the account under which SQL Server Setup is running, click the Current User button. To add or remove accounts from the list of system administrators, click Add or Remove, and then edit the list of users, groups, or computers that will have administrator privileges for the instance of SQL Server.
When you are finished editing the list, click OK, and then verify the list of administrators in the configuration dialog. When the list is complete, click Next.
If you select Mixed Mode authentication, you must provide logon credentials for the built-in SQL Server system administrator (sa) account.
Do not use a blank password. Use a strong password.
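The following T-SQL is an added example, not part of the original Setup documentation. It audits the outcome of the provisioning choices described above: the authentication mode, the members of the sysadmin role, whether BUILTIN\Administrators is among them, and the state of the sa login. The login name CONTOSO\SqlAdmins in the commented template is a placeholder.

```sql
-- Added example: post-installation audit of the account provisioning choices.

-- 1. Security mode chosen in Setup: 1 = Windows authentication only, 0 = Mixed Mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Every principal provisioned into the sysadmin fixed server role.
SELECT m.name      AS member_name,
       m.type_desc AS principal_type,   -- WINDOWS_LOGIN, WINDOWS_GROUP or SQL_LOGIN
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;

-- 3. Is BUILTIN\Administrators a sysadmin? Expect 0 on a new SQL Server 2008
--    installation. Matching on the well-known SID S-1-5-32-544 also works on
--    localized Windows builds where the group has a different display name.
SELECT COUNT(*) AS builtin_admins_is_sysadmin
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND m.sid  = 0x01020000000000052000000020020000;

-- 4. State of the built-in sa login (sid 0x01 even if the login was renamed).
--    In Mixed Mode, has_blank_password must be 0; enforcing the Windows
--    password policy on the login helps keep the password strong.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CASE WHEN PWDCOMPARE(N'', password_hash) = 1 THEN 1 ELSE 0 END
           AS has_blank_password
FROM sys.sql_logins
WHERE sid = 0x01;

-- 5. Template for provisioning a further Windows principal after Setup.
--    CONTOSO\SqlAdmins is a placeholder; uncomment and substitute your own.
-- CREATE LOGIN [CONTOSO\SqlAdmins] FROM WINDOWS;
-- EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SqlAdmins',
--                          @rolename = N'sysadmin';
```

Run the audit as a member of sysadmin; logins without that level of access cannot see password_hash, so the blank-password check would return no useful result for them.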