Exposed sa or SQL Service Account Password

Issue

Users with access to the %windir% or %windir%\%temp% directories can potentially obtain the sa account password from the setup.iss and sqlstp.log files. These files may contain the SQL Server administrator password (if the server is configured to use Mixed Mode authentication) and/or a domain userid and password (if the Administrator chooses to provide this information to automatically start SQL Server services). Passwords in these files are stored in clear text by versions of SQL Server 7.0 prior to SP4. All versions of SQL Server 2000 and SQL Server 7.0 SP4 encrypt the passwords before storing them.

Solution

If the unattended installation file and log files are not needed, they should be deleted.  If the files must be retained, they should be moved to a folder that is only accessible by Administrators, or moved to offline storage. 

Additionally, the KillPwd utility provided by Microsoft can remove passwords from the setup.iss and log files. This utility deletes any passwords that are found in the setup and log files, whether encrypted or not. It does not, by default, delete passwords in the setup.iss file created by SQL Server 2000 installations, since this file is saved in a directory that only allows access to Administrators and the individual user setting up the SQL Server.
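To find leftover files before deciding whether to delete or move them, the following PowerShell audit (an added example, not Microsoft's code and not part of the original bulletin) lists any setup.iss or sqlstp.log it finds and names every account other than Administrators and SYSTEM that is allowed to read it. The search locations ($env:windir, its Temp subfolder and $env:TEMP) and the function name Get-ExposedSetupFile are assumptions; the script inspects permissions only and does not open the files.

```powershell
# Added example: audit leftover SQL Server setup files for non-administrator read access.
# Search locations are assumptions based on the directories named in this bulletin.
$searchDirs = @($env:windir, (Join-Path $env:windir 'Temp'), $env:TEMP) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique
$fileNames = 'setup.iss', 'sqlstp.log'

# Well-known SIDs: BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
$trustedSids = 'S-1-5-32-544', 'S-1-5-18'
$readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-ExposedSetupFile {   # hypothetical helper name
    param([string[]]$Directory, [string[]]$Name)
    foreach ($dir in $Directory) {
        foreach ($n in $Name) {
            $path = Join-Path $dir $n
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
            $acl = Get-Acl -LiteralPath $path
            # Collect every Allow entry that grants read access to a non-trusted identity.
            $exposedTo = @(foreach ($rule in $acl.Access) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                if (([int]$rule.FileSystemRights -band $readData) -eq 0) { continue }
                try {
                    $sid = $rule.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch {
                    $sid = $null   # unresolvable identity: treat as untrusted and report it
                }
                if ($trustedSids -notcontains $sid) { $rule.IdentityReference.Value }
            }) | Select-Object -Unique
            $action = 'Present; delete if no longer needed'
            if ($exposedTo) { $action = 'Delete, or move to an Administrators-only folder' }
            [pscustomobject]@{
                Path      = $path
                Owner     = $acl.Owner
                ExposedTo = $exposedTo -join '; '
                Action    = $action
            }
        }
    }
}

Get-ExposedSetupFile -Directory $searchDirs -Name $fileNames | Format-List
```

An empty result means no matching files exist in the searched locations; copies kept elsewhere (for example, alongside an unattended installation share) need the same check.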

Additional Information

Microsoft Security Bulletin MS02-035

FIX: Service Pack Installation May Save Standard Security Password in File (Q263968)

Microsoft Security Bulletin (MS00-035): Frequently Asked Questions

© 2002 Microsoft Corporation. All rights reserved.