Choose an Authentication Mode

Applies to: SQL Server (all supported versions)

During setup, you must select an authentication mode for the Database Engine. There are two possible modes: Windows Authentication mode and mixed mode. Windows Authentication mode enables Windows Authentication and disables SQL Server Authentication. Mixed mode enables both Windows Authentication and SQL Server Authentication. Windows Authentication is always available and cannot be disabled.

Configuring the Authentication Mode

If you select Mixed Mode Authentication during setup, you must provide and then confirm a strong password for the built-in SQL Server system administrator account named sa. The sa account connects by using SQL Server Authentication.

If you select Windows Authentication during setup, Setup creates the sa account for SQL Server Authentication, but the account is disabled. If you later change to Mixed Mode Authentication and want to use the sa account, you must enable the account. Any Windows or SQL Server account can be configured as a system administrator. Because the sa account is well known and often targeted by malicious users, do not enable the sa account unless your application requires it. Never set a blank or weak password for the sa account. To change from Windows Authentication mode to Mixed Mode Authentication and use SQL Server Authentication, see Change Server Authentication Mode.
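The following T-SQL is an added example, not part of the original article: it reports the current authentication mode and the state of the built-in sa login, and disables sa when nothing requires it. It assumes you are connected with a login that holds ALTER ANY LOGIN (for example, a sysadmin member).

```sql
-- Added example (not from the original article): audit the server authentication mode
-- and the state of the built-in sa login, then disable sa if it is still enabled.
-- Assumes the current login holds ALTER ANY LOGIN (e.g. a member of sysadmin).

-- 1 = Windows Authentication mode only; 0 = Mixed Mode (Windows + SQL Server Authentication)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- The sa login always has principal_id 1, even if it has been renamed; report its state.
SELECT name,
       is_disabled,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
       LOGINPROPERTY(name, 'BadPasswordCount')    AS bad_password_count
FROM sys.sql_logins
WHERE principal_id = 1;

-- Disable sa when no application depends on it. QUOTENAME guards against a renamed sa.
-- (If an application does require it later, the reverse is ALTER LOGIN sa ENABLE.)
IF EXISTS (SELECT 1 FROM sys.sql_logins WHERE principal_id = 1 AND is_disabled = 0)
BEGIN
    DECLARE @sa  sysname       = (SELECT name FROM sys.sql_logins WHERE principal_id = 1);
    DECLARE @sql nvarchar(max) = N'ALTER LOGIN ' + QUOTENAME(@sa) + N' DISABLE;';
    EXEC sys.sp_executesql @sql;
END;
```

Switching the authentication mode itself is not a T-SQL operation; it is done through the server properties described in Change Server Authentication Mode and requires a restart of the Database Engine.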

Connecting Through Windows Authentication

When a user connects through a Windows user account, SQL Server validates the account name and password using the Windows principal token in the operating system. This means that the user identity is confirmed by Windows. SQL Server does not ask for the password and does not perform the identity validation. Windows Authentication is the default authentication mode, and is much more secure than SQL Server Authentication. Windows Authentication uses the Kerberos security protocol, provides password policy enforcement with regard to complexity validation for strong passwords, provides support for account lockout, and supports password expiration. A connection made using Windows Authentication is sometimes called a trusted connection, because SQL Server trusts the credentials provided by Windows.

By using Windows Authentication, Windows groups can be created at the domain level, and a login can be created on SQL Server for the entire group. Managing access at the domain level can simplify account administration.
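As an added example (not code from the original article), the T-SQL below creates one login for a Windows domain group and then checks which security protocol the current trusted connection actually negotiated. CONTOSO\SqlReaders and the Sales database are placeholder names.

```sql
-- Added example (not from the original article): one login for a whole Windows group,
-- then a check of the protocol behind the current trusted connection.
-- CONTOSO\SqlReaders and [Sales] are placeholders; substitute a real domain group and database.

-- Group membership is then managed in Active Directory, not login by login in SQL Server.
CREATE LOGIN [CONTOSO\SqlReaders] FROM WINDOWS WITH DEFAULT_DATABASE = [master];

-- Map the group login to a database user with read-only access.
USE [Sales];
CREATE USER [CONTOSO\SqlReaders] FOR LOGIN [CONTOSO\SqlReaders];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\SqlReaders];

-- A trusted connection should report auth_scheme = KERBEROS.
-- NTLM means Kerberos was not negotiated (a missing SPN is the usual cause);
-- SQL means the session used SQL Server Authentication instead.
SELECT s.login_name,
       s.nt_domain,
       s.nt_user_name,
       c.auth_scheme
FROM sys.dm_exec_sessions    AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.session_id = @@SPID;
```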

Important

When possible, use Windows Authentication.

Connecting Through SQL Server Authentication

When using SQL Server Authentication, logins are created in SQL Server that are not based on Windows user accounts. Both the user name and the password are created by using SQL Server and stored in SQL Server. Users connecting using SQL Server Authentication must provide their credentials (login and password) every time that they connect. When using SQL Server Authentication, you must set strong passwords for all SQL Server accounts. For strong password guidelines, see Strong Passwords.

Three optional password policies are available for SQL Server logins.

  • User must change password at next login

    Requires the user to change the password the next time that the user connects. The ability to change the password is provided by SQL Server Management Studio. Third-party software developers should provide this feature if this option is used.

  • Enforce password expiration

    The maximum password age policy of the computer is enforced for SQL Server logins.

  • Enforce password policy

    The Windows password policies of the computer are enforced for SQL Server logins. This includes password length and complexity. This functionality depends on the NetValidatePasswordPolicy API, which is only available in Windows Server 2003 and later versions.
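The three policies above map to the MUST_CHANGE, CHECK_EXPIRATION and CHECK_POLICY options of CREATE LOGIN / ALTER LOGIN. The T-SQL below is an added example, not from the original article: it creates a login with all three enabled and then audits every SQL Server login for logins that bypass them. The login name and password are placeholders.

```sql
-- Added example (not from the original article): a SQL Server login with all three optional
-- password policies on, followed by an audit of the policy state of every SQL login.
-- [app_reporting] and the password below are placeholders chosen for illustration.

-- MUST_CHANGE forces a new password at the first connection; it requires
-- CHECK_EXPIRATION = ON, which in turn requires CHECK_POLICY = ON.
CREATE LOGIN [app_reporting]
    WITH PASSWORD        = N'Replace-With-A-Strong-Initial-Passw0rd!' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY     = ON,
         DEFAULT_DATABASE = [master];

-- Audit: rows with is_policy_checked = 0 are not subject to the Windows length, complexity
-- and lockout rules; rows with is_expiration_checked = 0 never expire. Remediate those first.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'IsMustChange')        AS must_change,
       LOGINPROPERTY(name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
ORDER BY is_policy_checked, is_expiration_checked, name;

-- Remediation for an existing login: enable policy checking before expiration checking.
ALTER LOGIN [app_reporting] WITH CHECK_POLICY = ON;
ALTER LOGIN [app_reporting] WITH CHECK_EXPIRATION = ON;
```

Because enforcement relies on the Windows policy of the host (via NetValidatePasswordPolicy), the values the audit reflects are those shown by the secpol.msc procedure that follows.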

To determine the password policies of the local computer

  1. On the Start menu, click Run.

  2. In the Run dialog box, type secpol.msc, and then click OK.

  3. In the Local Security Settings application, expand Security Settings, expand Account Policies, and then click Password Policy.

    The password policies are described in the results pane.

Disadvantages of SQL Server Authentication

  • If a user is a Windows domain user who has a login and password for Windows, they must still provide another (SQL Server) login and password to connect. Keeping track of multiple names and passwords is difficult for many users. Having to provide SQL Server credentials every time that one connects to the database can be annoying.

  • SQL Server Authentication cannot use the Kerberos security protocol.

  • Windows offers additional password policies that are not available for SQL Server logins.

  • The encrypted SQL Server Authentication login password must be passed over the network at the time of the connection. Some applications that connect automatically will store the password at the client. These are additional attack points.

Advantages of SQL Server Authentication

  • Allows SQL Server to support older applications and applications provided by third parties that require SQL Server Authentication.

  • Allows SQL Server to support environments with mixed operating systems, where not all users are authenticated by a Windows domain.

  • Allows users to connect from unknown or untrusted domains. For instance, an application where established customers connect with assigned SQL Server logins to receive the status of their orders.

  • Allows SQL Server to support Web-based applications where users create their own identities.

  • Allows software developers to distribute their applications by using a complex permission hierarchy based on known, preset SQL Server logins.

    Note

    Using SQL Server Authentication does not limit the permissions of local administrators on the computer where SQL Server is installed.

See Also

Security Considerations for a SQL Server Installation