Killing the SQL Server Authentication password

Barrie Sosinsky, Contributor

The first security lesson that SQL Server administrators should learn is to change the default password that SQL Server Authentication (Standard Security) uses upon installation, the sa password. But even having learned that, some administrators still may be caught by surprise when the installation of a service pack also reinstates the sa password. That password is stored as clear -- or encrypted but readable -- text in your setup files. When you use a domain account to configure SQL Server Services you will also find that your password is written in a weakly encrypted form in the SETUP.ISS file.

Version 7 stores these passwords as clear or weakly encrypted text in the SETUP.ISS file inside the %WINDRIR% folder as well as the SQLSP.LOG file in your TEMP folder. To locate your TEMP folder, go to the Advanced Tab, Environmental Variables section of the System control panel. For SQL Server 2000 the sa or domain password is stored in not only the SETUP.ISS file, but the SQLSTP.LOG and the SQLSP.LOG files in an encrypted but readable form. These three files are found in the :\Program Files\Microsoft SQL Server\MSSQL\INSTALL folder (the default), or at MSSQL$ for a named instance install. Only domain or SQL admins can access the SETUP.ISS file.

If you want to avoid the security risk posed by the sa password you can do any of the following:

  • Change both passwords (sa and domain) after a service pack installation
  • Install SQL Server or

    Requires Free Membership to View

  • a service pack under Windows Security using a LocalSystem account
  • Or use the KILLWD.EXE utility.

The KILLWD.EXE is currently the most popular download on Microsoft's SQL Server web site, giving you some idea of the scope of this issue. You can download this utility at: support.microsoft.com/default.aspx?scid=kb;en-us;263968. Instructions on using KILLWD will be found on that page. For more information about the security issues described, go to the Microsoft Knowledge Base article Q263968.

Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.

This was first published in March 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.