Difficulty: Easy
Correct Answer: Correct
Explanation:
Introduction / Context: Authentication mode in Microsoft SQL Server determines how clients prove their identity. You can enable only Windows Authentication or use Mixed Mode (Windows Authentication plus SQL logins). Security guidance typically favors Windows-only authentication because it centralizes identity and policy enforcement in the operating system and Active Directory rather than keeping another password store inside SQL Server.
Given Data / Assumptions:
Concept / Approach: Windows Authentication leverages Kerberos/NTLM, centralized password policies, account lockouts, smart cards/MFA, and group-based authorization. Mixed Mode adds SQL logins that are managed in SQL Server and are not governed by domain password policies unless explicitly configured via CHECK_POLICY and related options. Reducing credential stores generally reduces attack surface.
Step-by-Step Solution:
1. Identify the authentication choices: Windows-only vs. Mixed Mode.
2. Evaluate the controls: domain password policies, MFA, Kerberos tickets, and auditing all apply to Windows logins.
3. Assess the attack surface: disabling SQL logins removes risks such as weak sa passwords and credential spraying against SQL accounts.
4. Conclusion: Windows-only authentication typically yields the stronger security posture.
Verification / Alternative check: Review security baselines and CIS/Microsoft guidance; confirm that no legacy applications require SQL logins. Where exceptions exist, mitigate with strong, rotated, disabled-by-default SQL logins.
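The verification step above, worked as T-SQL. This is an added example, not part of the original question page; it assumes a connection holding VIEW SERVER STATE and ALTER ANY LOGIN, and `[legacy_app_login]` is a placeholder for whatever query 3 returns in your environment.

```sql
-- Added example: audit the authentication posture the explanation describes.
-- Assumes a connection with VIEW SERVER STATE and ALTER ANY LOGIN (e.g. sysadmin).

-- 1. Which mode is the instance in? 1 = Windows Authentication only, 0 = Mixed Mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_only;

-- 2. Before switching to Windows-only, confirm no live sessions depend on SQL logins.
--    auth_scheme is 'SQL' for SQL logins, 'NTLM' or 'KERBEROS' for Windows logins.
SELECT c.auth_scheme, s.login_name, s.program_name, s.host_name, COUNT(*) AS sessions
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
GROUP BY c.auth_scheme, s.login_name, s.program_name, s.host_name
ORDER BY c.auth_scheme, s.login_name;

-- 3. Find enabled SQL logins that are not governed by the domain password policy
--    (the Mixed Mode weakness called out above).
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);

-- 4. Mitigate the exceptions that must stay: enforce the domain policy on them,
--    and disable sa. [legacy_app_login] is a placeholder name, not a real login.
ALTER LOGIN [legacy_app_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER LOGIN sa DISABLE;
```

Changing the authentication mode itself is done in SSMS (Server Properties > Security) or via the instance's LoginMode setting and takes effect only after a service restart, so run query 2 first to catch applications that would break.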
Why Other Options Are Wrong:
Common Pitfalls: Leaving the sa login enabled; weak SQL login policies; overlooking service accounts and application pools; failing to audit login failures.
Final Answer: Correct