title Database Engine Configuration - Account Provisioning | Microsoft Docs
ms.custom
ms.date 06/13/2017
ms.prod sql-server-2014
ms.reviewer
ms.technology database-engine
ms.topic conceptual
ms.assetid 834b26bc-49de-4033-88d5-6aa7b1609720
author mashamsft
ms.author mathoma
manager craigg

Database Engine Configuration - Account Provisioning

Use this page to set the [!INCLUDEssNoVersion] security mode, and to add Windows users or groups as administrators of the [!INCLUDEssDEnoversion].

Considerations for Running [!INCLUDEssCurrent]

On previous versions of [!INCLUDEssNoVersion], the BUILTIN\Administrators group was provisioned as a login in the [!INCLUDEssDE], and members of the local Administrators group could log in using their Administrator credentials. Using elevated permissions is not a best practice. In [!INCLUDEssCurrent], the BUILTIN\Administrators group is not provisioned as a login. As a result, you should create a [!INCLUDEssNoVersion] login for each administrative user, and add that login to the sysadmin fixed server role during installation of a new instance of [!INCLUDEssCurrent]. You should also do this for Windows accounts that are used to run [!INCLUDEssNoVersion] agent jobs, including replication agent jobs.

Options

Security Mode - Select Windows Authentication or Mixed Mode Authentication for your installation.

Windows Principal Provisioning - In previous versions of [!INCLUDEssNoVersion], the local Windows BUILTIN\Administrators group was placed into the [!INCLUDEssNoVersion] sysadmin server role, effectively granting Windows administrators access to the instance of [!INCLUDEssNoVersion]. In [!INCLUDEssCurrent], the BUILTIN\Administrators group is not provisioned in the sysadmin server role. Instead, you should explicitly provision [!INCLUDEssNoVersion] administrators for new installations during Setup.

Important

You must explicitly provision [!INCLUDEssNoVersion] administrators for new installations during Setup. Setup will not allow you to continue until you complete this step.

Specify [!INCLUDEssNoVersion] Administrators - You must specify at least one Windows principal for the instance of [!INCLUDEssNoVersion]. To add the account under which [!INCLUDEssNoVersion] Setup is running, click the Current User button. To add or remove accounts from the list of system administrators, click Add or Remove, and then edit the list of users, groups, or computers that will have administrator privileges for the instance of [!INCLUDEssNoVersion].

When you are finished editing the list, click OK, then verify the list of administrators in the configuration dialog. When the list is complete, click Next.
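A T-SQL counterpart to the provisioning step above, as an added example that is not part of the original topic: it provisions a Windows principal as a [!INCLUDEssNoVersion] administrator, then reports the security mode and lists every member of the sysadmin role, flagging BUILTIN\Administrators if it is present. The group name `CONTOSO\SqlAdmins` is a hypothetical placeholder.

```sql
-- Added example. CONTOSO\SqlAdmins is a hypothetical Windows group;
-- substitute the principal you chose on the Account Provisioning page.

-- 1. Create the Windows login if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SqlAdmins')
    CREATE LOGIN [CONTOSO\SqlAdmins] FROM WINDOWS;

-- 2. Add it to the sysadmin fixed server role (skip if already a member).
IF ISNULL(IS_SRVROLEMEMBER(N'sysadmin', N'CONTOSO\SqlAdmins'), 0) = 0
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [CONTOSO\SqlAdmins];

-- 3. Report the security mode selected during Setup.
--    IsIntegratedSecurityOnly: 1 = Windows Authentication, 0 = Mixed Mode.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
           WHEN 1 THEN 'Windows Authentication'
           ELSE 'Mixed Mode'
       END AS security_mode;

-- 4. List every sysadmin member so the result can be compared with the
--    administrator list entered in Setup. BUILTIN\Administrators should not
--    appear on a new installation; flag it for review if it does.
SELECT m.name        AS member_name,
       m.type_desc   AS member_type,
       m.is_disabled,
       CASE WHEN m.name = N'BUILTIN\Administrators'
            THEN 'review: all local Windows administrators are sysadmin'
            ELSE ''
       END           AS note
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;
```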

If you select Mixed Mode Authentication, you must provide logon credentials for the built-in [!INCLUDEssNoVersion] system administrator (SA) account.

Important

[!INCLUDEssNoteStrongPass]

Windows Authentication Mode
When a user connects through a Windows user account, [!INCLUDEssNoVersion] validates the account name and password using the Windows principal token in the operating system. This is the default authentication mode, and is much more secure than Mixed Mode. Windows Authentication uses the Kerberos security protocol, provides password policy enforcement in terms of complexity validation for strong passwords, provides support for account lockout, and supports password expiration.

Important

[!INCLUDEssNoteWinAuthentication]

Important

[!INCLUDEssNoteStrongPass] Never set a blank or weak sa password.

Mixed Mode (Windows Authentication or [!INCLUDEssNoVersion] Authentication)
Allows users to connect by using Windows Authentication or [!INCLUDEssNoVersion] Authentication. Users who connect through a Windows user account can use trusted connections that are validated by Windows.

If you must choose Mixed Mode Authentication and you have a requirement for using SQL logins to accommodate legacy applications, you must set strong passwords for all [!INCLUDEssNoVersion] accounts.

Note

[!INCLUDEssNoVersion] Authentication is provided for backward compatibility only. [!INCLUDEssNoteWinAuthentication]

Enter Password
Enter and confirm the password for the system administrator (sa) login. Passwords are the first line of defense against intruders, so setting strong passwords is essential to the security of your system. Never set a blank or weak sa password.

Note

[!INCLUDEssNoVersion] passwords can contain from 1 to 128 characters, including any combination of letters, symbols, and numbers. If you choose Mixed Mode authentication, you must enter a strong sa password before you can continue to the next page of the Installation Wizard.

Strong Password Guidelines
Strong passwords are not readily guessed by a person, and are not easily hacked using a computer program. Strong passwords cannot use prohibited conditions or terms, including:

  • A blank or NULL condition

  • "Password"

  • "Admin"

  • "Administrator"

  • "sa"

  • "sysadmin"

A strong password cannot be the following terms associated with the installation computer:

  • The name of the user currently logged on to the machine.

  • The computer name.

A strong password must be more than 8 characters in length and satisfy at least three of the following four criteria:

  • It must contain uppercase letters.

  • It must contain lowercase letters.

  • It must contain numbers.

  • It must contain non-alphanumeric characters; for example, #, %, or ^.

Passwords entered on this page must meet strong password policy requirements. If you have any automation that uses [!INCLUDEssNoVersion] Authentication, ensure that the password meets strong password policy requirements.
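An audit for an instance that is already running in Mixed Mode, as an added example that is not part of the original topic: it uses `PWDCOMPARE` to find SQL logins whose password is blank, one of the prohibited terms listed above, or the computer name, and lists SQL logins for which Windows password policy enforcement is turned off. Testing lowercase and uppercase spellings of each term is an assumption of this example; the name of the user logged on during Setup is not checked.

```sql
-- Added example. Reading password_hash requires CONTROL SERVER permission.
-- Binary collation keeps 'Password', 'password' and 'PASSWORD' distinct.
DECLARE @terms TABLE (term nvarchar(128) COLLATE Latin1_General_BIN2);

-- Prohibited terms from the guidelines above ('' stands for blank).
INSERT INTO @terms (term) VALUES
    (N''), (N'Password'), (N'Admin'), (N'Administrator'),
    (N'sa'), (N'sysadmin');

-- The computer name is also prohibited.
INSERT INTO @terms (term)
SELECT CAST(SERVERPROPERTY('MachineName') AS nvarchar(128));

-- 1. SQL logins whose current password matches a prohibited value.
WITH candidates AS (
    SELECT term FROM @terms
    UNION SELECT LOWER(term) FROM @terms
    UNION SELECT UPPER(term) FROM @terms
)
SELECT DISTINCT
       l.name AS login_name,
       l.is_disabled,
       CASE WHEN c.term = N'' THEN 'blank password'
            ELSE 'prohibited term or computer name'
       END    AS finding
FROM sys.sql_logins AS l
JOIN candidates     AS c
  ON PWDCOMPARE(c.term, l.password_hash) = 1
ORDER BY l.name;

-- 2. SQL logins not subject to Windows password policy or expiration.
--    These accept passwords that the operating system policy would reject.
SELECT name AS login_name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
ORDER BY name;
```

An empty first result set means no SQL login uses one of the listed values; it does not show that the passwords meet the length and character-class criteria.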

Related Content

For more information about choosing Windows Authentication vs. [!INCLUDEssNoVersion] Authentication, see the topic Choose an Authentication Mode in [!INCLUDEssNoVersion] Books Online.

For more information about choosing an account to run the [!INCLUDEssDEnoversion], see the topic Configure Windows Service Accounts and Permissions in [!INCLUDEssNoVersion] Books Online.

See Also

Configure Windows Service Accounts and Permissions