The first security lesson that SQL Server administrators should learn is to change the default password that SQL Server Authentication (Standard Security) uses upon installation, the sa password. But even having learned that, some administrators still may be caught by surprise when the installation of a service pack also reinstates the sa password. That password is stored as clear -- or encrypted but readable -- text in your setup files. When you use a domain account to configure SQL Server Services you will also find that your password is written in a weakly encrypted form in the SETUP.ISS file.
Version 7 stores these passwords as clear or weakly encrypted text in the SETUP.ISS file inside the %WINDRIR% folder as well as the SQLSP.LOG file in your TEMP folder. To locate your TEMP folder, go to the Advanced Tab, Environmental Variables section of the System control panel. For SQL Server 2000 the sa or domain password is stored in not only the SETUP.ISS file, but the SQLSTP.LOG and the SQLSP.LOG files in an encrypted but readable form. These three files are found in the :\Program Files\Microsoft SQL Server\MSSQL\INSTALL folder (the default), or at MSSQL$ for a named instance install. Only domain or SQL admins can access the SETUP.ISS file.
If you want to avoid the security risk posed by the sa password you can do any of the following:
- Change both passwords (sa and domain) after a service pack installation
- Install SQL Server or
- a service pack under Windows Security using a LocalSystem account
- Or use the KILLWD.EXE utility.
The KILLWD.EXE is currently the most popular download on Microsoft's SQL Server web site, giving you some idea of the scope of this issue. You can download this utility at: support.microsoft.com/default.aspx?scid=kb;en-us;263968. Instructions on using KILLWD will be found on that page. For more information about the security issues described, go to the Microsoft Knowledge Base article Q263968.
Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
This was first published in March 2005