In my last post, I explained the kind, gentle way to talk people out of the SA account.
Today, I’ll describe a time when Option 1 didn’t work, and I had to get ugly.
Power User: “You can’t change the SA password. It’s embedded everywhere. Everything we have relies on it, and we all use it for all kinds of processes.”
Me: “I see. Alright, well, talk to you soon.”
(The next day)
Power User: “EVERYTHING IS DOWN! THE SA ACCOUNT PASSWORD ISN’T WORKING! DID YOU RESET IT?”
Me: “Of course not. You told me not to.”
Power User: “THEN WHO DID IT?”
Me: “Oh, I have no way of knowing. Anyone who uses the account can change the password with the ALTER LOGIN command. And you said everyone has it, right?”
Power User: “YES, BUT…CHANGE IT BACK. NOW. SET IT TO P@SSW0RD1 THE WAY IT ALWAYS WAS.”
Me: “Sure, but I can’t do that kind of thing without a ticket. Just create a help desk ticket, and I’ll set it to whatever you want.”
(The next day, after the password was reset)
Power User: “EVERYTHING IS DOWN AGAIN! THE SA PASSWORD GOT RESET AGAIN!”
Me: “Oh, my. That’s unfortunate.”
Power User: “YOU ARE DOING THIS AREN’T YOU?”
Me: “No, but I’m worried because at this point, if it’s embedded all over the place, someone might have scripted out the ALTER LOGIN command. They might be doing it programmatically. It might happen again, at any time. Right when you least expect it.”
Power User: “I HATE YOU!”
Me: “Well, we certainly can’t have that. How about I give you a nice, new, separate account of your own, not SA, and you start using that instead? No one else will have the password but you, and that way you won’t have to worry about anyone else changing it.”
Power User: “NO, I JUST WANT YOU TO RESET THE….ACTUALLY, YES, I SEE WHAT YOU DID THERE. GIVE ME MY OWN ACCOUNT.”
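The defender's side of that story in T-SQL, as an added example that is not part of the original post: see who is currently connected as sa, hand the power user a login of their own with only the database access they need, turn on auditing of password and principal changes so "who altered the login?" has an answer, and finally disable sa once nothing depends on it. The login name PowerUserApp, the database AppDB, the audit path and the password are placeholders.

```sql
-- Added example, not from the original post. Placeholders: PowerUserApp, AppDB,
-- C:\SQLAudit\ and the password value.

-- 1. Every session connected as sa could run ALTER LOGIN. Know how many there are.
SELECT s.session_id, s.host_name, s.program_name, s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.login_name = N'sa';

-- 2. A separate, least-privilege login for the power user instead of sa.
--    CHECK_EXPIRATION stays OFF so a scheduled process does not break on expiry;
--    CHECK_POLICY still enforces Windows password complexity and lockout.
CREATE LOGIN PowerUserApp
    WITH PASSWORD = N'<strong-generated-password-here>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;
GO
USE AppDB;
CREATE USER PowerUserApp FOR LOGIN PowerUserApp;
ALTER ROLE db_datareader ADD MEMBER PowerUserApp;
ALTER ROLE db_datawriter ADD MEMBER PowerUserApp;
GO

-- 3. Record password resets and login changes from now on. Note that while
--    everyone shares sa, the audit only tells you "sa did it"; per-person
--    logins are what make the server_principal_name column meaningful.
USE master;
CREATE SERVER AUDIT LoginChangeAudit
    TO FILE (FILEPATH = N'C:\SQLAudit\');
CREATE SERVER AUDIT SPECIFICATION LoginChangeSpec
    FOR SERVER AUDIT LoginChangeAudit
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT LoginChangeAudit WITH (STATE = ON);
GO

-- Reading the audit back: who changed which login, from where, and when.
SELECT event_time, server_principal_name, client_ip, statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;

-- 4. Once the last process has moved off sa, stop it being a shared master key.
ALTER LOGIN sa DISABLE;
```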
What if they demand the audit logs to see who altered the login? 🙂 Oh wait, it was sa.
Damnit, Brent! You’re giving away all my secrets!
You are bringing back the BOFH in me…
“Old Nick” is a well-known appellation of the Devil. It has been thought by some to be derived from “Niccolo” of Machiavelli fame. We, of course, know that it really comes from “Nick Frobisher”, the first DBA. Bwaaah ha ha!
And that’s when Brent left to start a consulting business. 🙂
From a BOFH standpoint, I love it. From a realist standpoint, everyone still using the SA login can change the password on Power User’s new login just as easily. It’s just much less likely that someone (wink, wink) would do it.
Would it surprise you to know it takes me a year or more to “wean” someone off of sa? I’ve found that no matter how much “ammo” I have, it just doesn’t matter–at first. I have to establish and cultivate a relationship with management, development, et al. I have to earn some level of trust and respect. Eventually, I’ll fix a corrupted db, tune a few stored procs, or handle some other “hot” issue. It’s only then that I’ll have some currency to get some buy-in. From there, any proposed changes have to go through typical SDLC phases.
Over the years, I’ve come to the sad acceptance that this is the way of things and no matter how badly I may want to, I can’t speed up the process.
Dave – so, that raises an interesting question. Why do you think that is?
Why? Ha ha. We’re all slaves to “why”, aren’t we? Seriously, though. I don’t know why. If I did, the process wouldn’t take so long. If there was a data breach, an outage caused by a non-DBA with elevated privileges, or some other occurrence of shooting ourselves in the foot, talking people out of SA would be easy. Maybe that’s our answer: most people are reactive instead of proactive.
Have I rambled enough?
I was trying to be a little tactful, so I’ll try it a different way.
Start with the book Getting to Yes. If that one doesn’t resonate, try How to Win Friends and Influence People. They’re both classics, and there are better/newer/trendier books out there, but those will get you started on the path to getting what you want.
I did something like this, but in the email I included the security teams, and the noise was bigger.