Managed Service Accounts

Doh! Never mind the post below. If I had read more thoroughly (or if I had tested using MSAs with SQL Server) before posting, I would have realized MSAs are NOT supported with SQL Server. At least, not according to the article in the first link below. Sorry to mislead you, and hopefully this will be able to work with SQL Server sooner or later.

====================================================================================

I've recently learned there's such a thing as Managed Service Accounts (MSAs) in Active Directory. They need a domain whose schema has been updated for Windows Server 2008 R2, and the computer the service runs on must be Windows Server 2008 R2 or Windows 7 (Windows 7 can host the service, not the domain controller). These accounts can significantly improve security. Why didn't I hear about this before? Probably because I'm a SQL Server specialist, not a Windows or Active Directory specialist. At any rate, I thought I'd pass this along in case I'm not the last person on the planet to get clued in.

For an MSA, Active Directory generates a random 120-character password, changes it automatically every 30 days, and manages the Service Principal Names (SPNs). The account can't be locked out, and system administrators don't have to maintain it.

Security is improved because no human ever has to know or maintain the password, and because an MSA can only be used by services on the one computer it is installed on. It does take a little extra work up front, though, as seen in this 4-step process:

  1. Create an MSA in Active Directory.
  2. Associate the MSA with a single computer.
  3. Install the MSA on its computer.
  4. Configure the service (e.g. SQL Server) to use the MSA.
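Here is the whole 4-step process as PowerShell, added as a worked example (this is not code from the original post or from Microsoft's documentation). The domain CONTOSO, computer APP01, MSA name svcApp and service name MyAppService are made-up placeholders; swap in your own. Per the correction at the top of the post, the service is a generic Windows service rather than SQL Server, since SQL Server doesn't support MSAs.

```powershell
# Added example, not from the original post. Assumed names: domain CONTOSO,
# target computer APP01, MSA "svcApp", Windows service "MyAppService".
# Needs the ActiveDirectory module (RSAT on Windows 7 / Windows Server 2008 R2)
# and a domain whose schema has been updated for Windows Server 2008 R2.
Import-Module ActiveDirectory

$msaName  = 'svcApp'
$computer = 'APP01'
$service  = 'MyAppService'

# Step 1: create the MSA. AD generates the 120-character password itself;
# no -AccountPassword is supplied and no person ever sees it.
New-ADServiceAccount -Name $msaName -Enabled $true

# Step 2: bind the MSA to exactly one computer. Services on any other
# machine cannot use it, which limits the value of a stolen credential.
Add-ADComputerServiceAccount -Computer $computer -ServiceAccount $msaName

# Check from the AD side: the computer object should now list the MSA.
Get-ADComputerServiceAccount -Identity $computer

# ---- Steps 3 and 4 run ON the target computer (APP01) as a local admin ----

# Step 3: install the MSA locally. The password is fetched into the
# computer's LSA secrets; nobody types it.
Install-ADServiceAccount -Identity $msaName

# Confirm this machine can actually use the account before touching the service.
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME; recheck steps 2 and 3."
}

# Step 4: point the service at the MSA. Note the trailing '$' on the account
# name and the empty password; Windows retrieves the real password itself.
# sc.exe requires the space after 'obj=' and 'password='.
sc.exe config $service obj= "CONTOSO\$msaName`$" password= ""

# Unlike the Services MMC, sc.exe does not grant "Log on as a service".
# If the restart fails with logon failure 1069, grant that right to
# CONTOSO\svcApp$ via secpol.msc or Group Policy and try again.
Restart-Service -Name $service

# Verify the service is really running as the MSA.
Get-WmiObject Win32_Service -Filter "Name='$service'" |
    Select-Object Name, StartName, State
```

Steps 1 and 2 can be run from any machine with the AD module and rights to create objects; steps 3 and 4 have to be run on the computer from step 2, because Install-ADServiceAccount is what puts the password where the local service control manager can find it.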

This isn't in the Database STIG yet, but I expect it will show up there as a security best practice sooner or later.

For more information on MSAs, start here http://technet.microsoft.com/en-us/library/ff641729(v=ws.10) or here http://technet.microsoft.com/en-us/library/dd548356(v=WS.10).aspx.