SQL Server security model:
Is the following claim accurate?

"Selecting Windows Authentication only (disabling Mixed Mode) results in better security."

Difficulty: Easy

Correct Answer: Correct

Explanation:


Introduction / Context:
Authentication mode in Microsoft SQL Server determines how clients prove their identity. You can enable only Windows Authentication or use Mixed Mode (Windows Authentication plus SQL logins). Security guidance typically favors Windows-only authentication because it centralizes identity and policy enforcement in the operating system and Active Directory rather than keeping another password store inside SQL Server.


Given Data / Assumptions:

  • Windows-only mode disables SQL logins (such as sa).
  • Active Directory domain policies are in place (account lockout, password history, multifactor integration, Kerberos, and auditing).
  • Transport encryption and least-privilege are assumed as supporting controls.


Concept / Approach:
Windows Authentication leverages Kerberos/NTLM, centralized password policies, account lockouts, smart cards/MFA, and group-based authorization. Mixed Mode adds SQL logins that are managed in SQL Server and are not governed by domain password policies unless explicitly configured via CHECK_POLICY and related options. Reducing credential stores generally reduces attack surface.


Step-by-Step Solution:

  • Identify authentication choices: Windows-only vs. Mixed Mode.
  • Evaluate controls: domain policies, MFA, Kerberos tickets, and auditing all apply to Windows logins.
  • Assess attack surface: disabling SQL logins removes risks like weak sa passwords and credential spraying against SQL accounts.
  • Conclusion: Windows-only typically yields a stronger security posture.


Verification / Alternative check:
Review security baselines and CIS/Microsoft guidance; confirm no legacy apps require SQL logins. Where exceptions exist, mitigate with strong, rotated, and disabled-by-default SQL logins.


Why Other Options Are Wrong:

  • Incorrect: choosing this answer ignores the added risk that SQL logins introduce.
  • Domain-only caveat: Windows Auth works securely in workgroups too (with local accounts), though domain adds benefits.
  • TLS dependency: TLS protects transport; it does not negate identity benefits.
  • Password length only: Security posture is broader than password length.


Common Pitfalls:
Leaving the sa login enabled; weak SQL login policies; overlooking service accounts and application pools; failing to audit login failures.
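As an added example (not part of the original question page), the verification steps and pitfalls above expressed as a T-SQL review script; the login name app_legacy and the audit-level value chosen are assumptions for illustration, and the script expects sysadmin rights on a test instance:

```sql
-- Added example, not from the original page. Reviews the controls discussed above.

-- 1. Which authentication mode is configured?
--    1 = Windows Authentication only, 0 = Mixed Mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. The "weak SQL login policies" pitfall: enabled SQL logins that are not bound
--    to the Windows/domain password policy, or whose passwords never expire.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);

-- 3. For a documented exception (legacy app that needs a SQL login), bring it under
--    policy; app_legacy is a placeholder name, assumed to exist for this example.
ALTER LOGIN [app_legacy] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 4. The "sa left enabled" pitfall: disable the built-in sa login.
ALTER LOGIN [sa] DISABLE;

-- 5. The "failing to audit login failures" pitfall: set instance login auditing.
--    AuditLevel: 0 = none, 1 = successful, 2 = failed, 3 = both.
--    Instance-level registry setting; a service restart is needed to apply it.
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel', REG_DWORD, 2;

-- 6. Confirm auditing is producing evidence: search the current error log
--    (log 0, SQL Server log type 1) for failed login entries.
EXEC xp_readerrorlog 0, 1, N'Login failed';
```

Step 2 should return no rows once every remaining SQL login is disabled or policy-checked; any row it does return is an exception to document or remove.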


Final Answer:
Correct
