sunhux
asked on
Automated/scripted way to periodically set an MS SQL password (of account used by SolarWinds NPM)
Our audit mandates that an SQL account used by SolarWinds must have
its password expired periodically (e.g. every 60 days) even though we convey
it is a service account.
a) if we forget to change the password prior to expiry, service is affected
b) if we try to set it to non-interactive, we will get the error in the attached
In UNIX nagios, I have a tool "changepass" that could change the password
of the nagios interactive account periodically, which I could place in crontab
to set the password to an encrypted password, i.e. if this password is seen
by an unauthorized party, he still needs to decrypt it.
Thus, I plan to set this MS SQL account's password to expire every 60 days
& then set a script in task scheduler (or some sort of automated periodic
job in MS SQL/Windows) to do something like:
net user /domain SolarWindsOrionDatabaseUser F1xedP@ssw0rd
(above command is for Windows, so I'll need the equivalent for MS SQL).
Certainly using the scripted/automated way of changing the password
(including re-using back the password, i.e. bypassing the password
history should not result in the password being expired: I know this
is against password history but I would still want it this way, pls.
When we have time/remember, we'll go into the script to change
the password to be set in the script)
Certainly the script has to be non-readable or the password
F1xedP@ssw0rd is the encrypted password so that if it's leaked/
seen, no harm.
NPMacctpasswdNonInteract.pdf
ASKER
Btw, I'm a complete newbie to SolarWinds so I don't know if the
account SolarWindsOrionDatabaseUser is an AD account or
an MS SQL DB account (but I reckon it's the latter)
ASKER
I heard that account was created during the SolarWinds NPM installation.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER
> GMSA logins as Startup accounts for SQL Server services and we don't worry about
> it for any password expiration to meet our Audit requirements.
So your DB account for SolarWinds expires periodically &
if so, how exactly do you get the password renewed so that
it doesn't expire?
SOLUTION
ASKER
I recall one EE expert has suggested the link but it's only applicable
to MS SQL 2016 & newer, correct me if I'm mistaken.
We're on MS SQL 2012.
SOLUTION
ASKER
the method suggested in link below:
https://stackoverflow.com/questions/46451344/convert-batch-script-into-base64-non-readable-format?rq=1
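For the MS SQL counterpart of the net user command asked about in the question, and for point (a) about forgetting the change before expiry, here is an added T-SQL example that is not part of the original thread. It assumes SolarWindsOrionDatabaseUser is a SQL-authenticated login and that the script runs as a scheduled job step; the 14-day threshold and the password placeholder are constructed for illustration.

```sql
-- Added example, not from the thread. Read-only unless step 3 is uncommented.
DECLARE @login     sysname = N'SolarWindsOrionDatabaseUser'; -- login named in the question
DECLARE @warn_days int     = 14;                             -- assumed alert threshold

-- 1) Confirm the account is a SQL login (it appears in sys.sql_logins)
--    and show which password policies are applied to it.
SELECT  name,
        is_disabled,
        is_policy_checked,       -- 1 = CHECK_POLICY = ON
        is_expiration_checked,   -- 1 = CHECK_EXPIRATION = ON
        CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS datetime) AS password_last_set,
        CAST(LOGINPROPERTY(name, 'DaysUntilExpiration') AS int)      AS days_until_expiration,
        CAST(LOGINPROPERTY(name, 'IsExpired')           AS int)      AS is_expired,
        CAST(LOGINPROPERTY(name, 'HistoryLength')       AS int)      AS history_length
FROM    sys.sql_logins
WHERE   name = @login;

-- 2) Fail the job step when expiry is near, so the scheduler's failure
--    notification reminds an operator before the service is affected.
DECLARE @days int = CAST(LOGINPROPERTY(@login, 'DaysUntilExpiration') AS int);

IF @days IS NULL
    RAISERROR(N'No expiration data for %s; check that it is a SQL login.',
              16, 1, @login);
ELSE IF @days BETWEEN 0 AND @warn_days
    RAISERROR(N'Password for %s expires in %d day(s).',
              16, 1, @login, @days);

-- 3) The statement that changes the password of a SQL login. With
--    CHECK_POLICY = ON the new value is validated against the Windows
--    password policy of the host. The application using the login must
--    be given the new password as well; that step is outside this example.
-- ALTER LOGIN [SolarWindsOrionDatabaseUser]
--     WITH PASSWORD = N'<NEW_PASSWORD_PLACEHOLDER>';
```

If the first query returns no row, the account is not a SQL login on that instance and the net user (Windows/AD) route applies instead.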