Encrypting sa passwords during SQL Server Installation

26 June, 2013 by Jack Vamvas

How can I store an encrypted “sa” logon password as part of the SQL Server 2014 installation command script? I’d like to store the encrypted password rather than the plain text password.

Not being able to store an encrypted "sa" password in the SQL Server installation scripts is both a technical problem and an auditing problem. Most companies maintain a SQL Server security policy which includes requirements for storing passwords.

The comments below refer to:

SQL Server 2005 Installation

SQL Server 2008 Installation

SQL Server 2012 Installation

SQL Server 2014 Installation

The SQL Server DBA maintains SQL Server instance build scripts. Those scripts include special admin logons, "sa" passwords and service account logons as part of the code.

An example of a SQL Server 2008 Installation:

 

E:\SQL_2008_ENT_R1\Setup.exe /INDICATEPROGRESS /SQLSVCPASSWORD="hsjas667" /AGTSVCPASSWORD="ppipoi89" /ISSVCPASSWORD="tttt7vgjki" /SAPWD="mySApasw1rds" /ConfigurationFile=ConfigurationFile.INI

 

Placing an encrypted password in the installation command, and then attempting to log on as "sa" post-installation, will not work.

Getting around this limitation requires some scripting capability. The idea is to execute the installation command from another scripting environment and force a prompt. At the prompt, retrieve the password from the password vault, either programmatically or manually.

This could be achieved through either PowerShell scripts or a batch file. If anyone has a similar problem and has developed a solution, let me know. As well as being a technical issue, there are also audit requirements to maintain passwords in safe locations.
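One way to implement the prompt-at-install approach described above in PowerShell. This is an added example, not the author's script: the Setup.exe path, switches and configuration file name are taken from the command line shown earlier, while the prompt text and the helper function name are assumptions. A programmatic vault lookup would replace the Read-Host call.

```powershell
# Added example (not from the original article). Paths and switches come from
# the article's sample command line; prompts and helper name are assumptions.
$setupExe   = 'E:\SQL_2008_ENT_R1\Setup.exe'
$configFile = 'ConfigurationFile.INI'

# Hypothetical helper: decrypt a SecureString in memory and zero the
# unmanaged copy as soon as the managed string has been produced.
function ConvertTo-PlainText {
    param([Parameter(Mandatory)][System.Security.SecureString]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Setup switch -> prompt shown to the operator reading from the vault.
$switches = [ordered]@{
    SQLSVCPASSWORD = 'SQL Server service account password'
    AGTSVCPASSWORD = 'SQL Agent service account password'
    ISSVCPASSWORD  = 'Integration Services account password'
    SAPWD          = 'sa password'
}

$setupArgs = @('/INDICATEPROGRESS')
foreach ($name in $switches.Keys) {
    # Input is masked and is not echoed to the console.
    $secure = Read-Host -Prompt $switches[$name] -AsSecureString
    if ($secure.Length -eq 0) { throw "No password entered for /$name" }

    $plain = ConvertTo-PlainText -Secure $secure
    # A double quote or trailing backslash would break the quoted argument.
    if ($plain.Contains('"') -or $plain.EndsWith('\')) {
        throw "Password for /$name cannot be passed safely on the command line"
    }
    $setupArgs += ('/{0}="{1}"' -f $name, $plain)
}
$setupArgs += "/ConfigurationFile=$configFile"

try {
    $proc = Start-Process -FilePath $setupExe -ArgumentList $setupArgs `
                          -Wait -PassThru -NoNewWindow
    Write-Host "Setup exit code: $($proc.ExitCode)"
}
finally {
    # Drop the in-memory copies once setup has finished or failed.
    Remove-Variable plain, secure, setupArgs -ErrorAction SilentlyContinue
}
```

The passwords are never written to the script or the configuration file, but they are present on Setup.exe's command line while it runs, so restrict who can log on to the build host during installation.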

Read More on sa password, weak passwords, sql audits

Forgotten sa password - SQL Server DBA

Find Weak passwords in SQL Server - SQL Server DBA

Powershell sql server security audit - SQL Server DBA


Author: Jack Vamvas (http://www.sqlserver-dba.com)

