Exposed sa or SQL Server Service Account Password

Check Description

This check determines whether Microsoft® SQL Server™ 7.0 Service Pack 1 (SP1), SQL Server 7.0 SP2, or SQL Server 7.0 SP3 sa (system administrator) account passwords are written in plaintext to the Setup.iss, Sqlstp.log, or SqlspX.log files in the %windir% and %windir%\%temp% directories. The Splstp.log or SqlspX.log file is also checked on SQL Server 2000 if domain credentials are used in starting SQL Server services.

If Mixed Mode authentication is used while setting up SQL Server, the sa password is saved in plaintext format in the Setup.iss and Sqlstp.log files for SQL Server 7.0 SP1, SQL Server 7.0 SP2, and SQL Server 7.0 SP3. Administrators using Windows Authentication Mode (which is the recommended mode) would only have credentials at risk if they chose to provide a domain credential to be used when starting the SQL Server services automatically.

Additional Information

Microsoft Security Bulletin MS02-035

FIX: Service Pack Installation May Save Standard Security Password in File (263968)

Microsoft Security Bulletin (MS00-035): Frequently Asked Questions