Home > SQL Server Tips > Database Management and Administration > Killing the SQL Server Authentication password
SQL Server Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

DATABASE MANAGEMENT AND ADMINISTRATION

Killing the SQL Server Authentication password


Barrie Sosinsky, Contributor
07.17.2003
Rating: --- (out of 5)


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


The first security lesson that SQL Server administrators should learn is to change the default password that SQL Server Authentication (Standard Security) uses upon installation, the sa password. But even having learned that, some administrators still may be caught by surprise when the installation of a service pack also reinstates the sa password. That password is stored as clear -- or encrypted but readable -- text in your setup files. When you use a domain account to configure SQL Server Services you will also find that your password is written in a weakly encrypted form in the SETUP.ISS file.

Version 7 stores these passwords as clear or weakly encrypted text in the SETUP.ISS file inside the %WINDRIR% folder as well as the SQLSP.LOG file in your TEMP folder. To locate your TEMP folder, go to the Advanced Tab, Environmental Variables section of the System control panel. For SQL Server 2000 the sa or domain password is stored in not only the SETUP.ISS file, but the SQLSTP.LOG and the SQLSP.LOG files in an encrypted but readable form. These three files are found in the :\Program Files\Microsoft SQL Server\MSSQL\INSTALL folder (the default), or at MSSQL$ for a named instance install. Only domain or SQL admins can access the SETUP.ISS file.

If you want to avoid the security risk posed by the sa password you can do any of the following:

  • Change both passwords (sa and domain) after a service pack installation
  • Install SQL Server or a service pack under Windows Security using a LocalSystem account
  • Or use the KILLWD.EXE utility.

The KILLWD.EXE is currently the most popular download on Microsoft's SQL Server web site, giving you some idea of the scope of this issue. You can download this utility at: support.microsoft.com/default.aspx?scid=kb;en-us;263968. Instructions on using KILLWD will be found on that page. For more information about the security issues described, go to the Microsoft Knowledge Base article Q263968.

Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.

Rate this Tip
To rate tips, you must be a member of SearchSQLServer.com.
Register now to start rating these tips. Log in if you are already a member.




Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
SQL Server Security
Password cracking tools for SQL Server
Meet compliance requirements with improved database security practices
Hardening the network and OS for SQL Server security
Securing the server and database in SQL Server
SQL Server security made simple and sensible
Blog: Protect your databases from the internal threat
Setting up SQL Server Service Broker for secure communication
The keys to database backup protection for SQL Server
Understanding transparent data encryption in SQL Server 2008
The fine line between not encrypting your databases and breach notification

Database Management and Administration
Password cracking tools for SQL Server
Using traces in SQL Server Profiler
Meet compliance requirements with improved database security practices
Hardening the network and OS for SQL Server security
Securing the server and database in SQL Server
How SQL Server 2008 components impact SharePoint implementations
Troubleshooting Distributed Transaction Coordinator errors in SQL Server
Achieving high availability and disaster recovery with SharePoint databases
Clearing the Windows page file and its effect on server performance
Deploying a SQL Server virtual appliance for Microsoft Hyper-V

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
data corruption  (SearchSQLServer.com)
data hiding  (SearchSQLServer.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



SQL Server Development - .NET, C#, T-SQL, Visual Basic
HomeNewsTopicsITKnowledge ExchangeTipsAsk the ExpertsMultimediaWhite PapersIT Downloads
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2005 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts