We are implementing security changes in order to pass an ISO 27001 audit.
We are in the process of setting all domain accounts (user accounts, admin accounts, service accounts) to have their passwords changed automatically by our information security management system (Thycotic).
The question is, do we need to also change the non-domain SQL Server authentication accounts (such as the "SA" accounts) and if so do you know of a way to do this?
Is it standard to reset the passwords for these SQL Server authentication accounts?
Best Answer
The ISO/IEC 27001:2013 paper Information technology -- Security techniques -- Information security management systems -- Requirements is a standard that:
If this standard defines that you should change the passwords every so often to ensure security, then by all means go ahead and do this.
Regarding SQL Server
Changing the password of an account is as simple as logging in to the instance and setting off the command:
Answering Your Question
There are no standards regarding resetting the [sa] login's (or, for that matter, any other SQL Server authenticated account's) password. But if you want to abide by the standards laid out in ISO/IEC 27001:2013, then you probably should change the SQL Server authenticated accounts' passwords at regular intervals.
Reference: regular (Cambridge Dictionary)
That means that once a year can be considered regular.
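The following T-SQL is an added example, not code from the answer above, showing the two pieces a practitioner needs for this: rotating the password of a SQL Server authenticated login, and auditing which such logins have gone past the chosen rotation interval. It assumes it is run by a member of the sysadmin role, and the password literal is a placeholder to be replaced by the value your vault generates.

```sql
-- Added example (not from the original answer).
-- Assumes: executed as sysadmin; the new password is supplied by the vault.

-- 1. Rotate the [sa] password. CHECK_POLICY = ON applies the Windows
--    password complexity/lockout policy to this SQL-authenticated login,
--    so it is held to the same rules as the domain accounts.
ALTER LOGIN [sa]
    WITH PASSWORD = N'<new-password-from-vault>',   -- placeholder value
         CHECK_POLICY = ON;

-- 2. Audit: list every SQL-authenticated login whose password was last set
--    more than 365 days ago (the interval the answer treats as "regular").
--    LOGINPROPERTY returns sql_variant, hence the CONVERT to datetime.
SELECT  name,
        is_disabled,
        CONVERT(datetime, LOGINPROPERTY(name, 'PasswordLastSetTime')) AS password_last_set,
        DATEDIFF(DAY,
                 CONVERT(datetime, LOGINPROPERTY(name, 'PasswordLastSetTime')),
                 GETDATE())                                          AS password_age_days,
        LOGINPROPERTY(name, 'IsExpired')                             AS is_expired
FROM    sys.sql_logins
WHERE   DATEDIFF(DAY,
                 CONVERT(datetime, LOGINPROPERTY(name, 'PasswordLastSetTime')),
                 GETDATE()) > 365
ORDER BY password_age_days DESC;
```

The audit query is the part worth scheduling: it gives the evidence an auditor will ask for (who still has an old password) rather than relying on memory of when rotations happened. CHECK_EXPIRATION is deliberately left off here, because an expired password on a login used by an application or service cannot be answered by a change-password prompt and simply breaks the connection; rotate those logins from the vault on a schedule instead.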