I was browsing SQL Server Central like I do most nights, and I came across this post discussing the use of SA.
Now anyone who reads my blog will know that I have much respect for Brent Ozar, and much respect for Grant Fritchey. In my opinion both of them have been and continue to be a constant source of motivation and information for me. So when I read the above mentioned post I instantly went back to something that I had learned from Brent Ozar’s writing (as well as a critical care session with Jes Borland), and it was about using SA. A couple of items that sp_Blitz returns are Database Owners <> SA and Jobs Owned by User Accounts. Because I’m an sp_Blitz fanboy I’ve been going by these rules for quite some time; I’ve even been in that scenario where IT disabled an old user account that had been used for jobs and they started failing right away. Using SA for the database owner also makes complete sense to me because, well…why else would anyone need to be the db_owner? (If you have some good reason, please let me know)
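To see what those two sp_Blitz findings actually look like on a server, here is an added T-SQL audit (my own example, not code from sp_Blitz or from the post linked above) that lists databases not owned by sa and SQL Agent jobs owned by other logins, flagging the case where the owning login has since been disabled or dropped. It assumes VIEW ANY DEFINITION on the instance and SELECT on msdb; the job and database names in the commented remediation lines are placeholders.

```sql
-- 1. Databases whose owner is not sa, or whose owner login no longer exists.
--    sa's SID is always 0x01, even when the login has been renamed.
SELECT d.name         AS database_name,
       sp.name        AS owner_login,
       sp.is_disabled AS owner_disabled
FROM sys.databases AS d
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = d.owner_sid
WHERE d.owner_sid <> 0x01
   OR sp.principal_id IS NULL;   -- orphaned owner: the login was dropped

-- 2. SQL Agent jobs owned by anything other than sa. A disabled or missing
--    owner login is exactly the condition that makes jobs start failing
--    after IT cleans up an old user account.
SELECT j.name    AS job_name,
       j.enabled AS job_enabled,
       sp.name   AS owner_login,
       CASE WHEN sp.sid IS NULL     THEN 'owner login missing'
            WHEN sp.is_disabled = 1 THEN 'owner login disabled'
            ELSE                         'owner is not sa'
       END AS finding
FROM msdb.dbo.sysjobs AS j
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = j.owner_sid
WHERE j.owner_sid <> 0x01;

-- 3. Remediation, once the business has signed off. Placeholder names;
--    if sa has been renamed on your instance, use the new login name.
-- EXEC msdb.dbo.sp_update_job @job_name = N'NightlyBackup_PLACEHOLDER',
--                             @owner_login_name = N'sa';
-- ALTER AUTHORIZATION ON DATABASE::[SalesDB_PLACEHOLDER] TO [sa];
```

Run the two SELECTs on a schedule and alert on any row where finding is "owner login missing" or "owner login disabled", since those are the jobs that will fail next.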
Grant and Jeff brought up some interesting points, and I’ve come to the conclusion that there is no single right answer. Using SA definitely ensures that trifling hands will not do something like lock out the jobs user account, but SA is also a well-known account and definitely an attack vector. Renaming the SA account surely mitigates that vector, but disabling the account could possibly affect service pack installs and upgrades. These are all great reasons for doing and not doing, all requiring due diligence and testing on my own part. But the point of this post is not to define a “correct” security policy; the point of this post is what to do when your heroes and their advice collide.
In a situation like this, I personally feel that a death match in the thunderdome is the BEST way to choose a winner, but in reality I view it as an opportunity to learn from both parties, collect, combine and assimilate techniques and tools into my arsenal. For some time I’ve been using SA for jobs and database owners by default as one of my initial re-configurations (unless the business has a reason to not do this). In this case, Grant and Jeff have made great points that now make me go back, evaluate my own reasons, optimize and re-deploy. Armed with knowledge and hopefully a tested proof of concept, you can take it to your manager and the business, get a solid definition that directly impacts your paycheck, and win.
Rarely is anything black and white, especially in modern business-driven infrastructures, and when two experts are both giving accepted expert advice, my advice would be to digest both sets of advice, optimize, and redeploy. This is how I believe the community works: experts helping to shape and mold other experts.