Exposed sa or SQL Service Account Password

Issue

Users with access to the %windir% or %windir%\%temp% directories can potentially obtain the sa (system administrator) account passwords from the Setup.iss and Sqlstp.log files. These files may contain the Microsoft® SQL Server™ administrator password (if the server is configured to use Mixed Mode authentication) or a domain user ID and password (if the administrator chooses to provide this information to automatically start SQL Server services). Passwords in these files are stored in plaintext by SQL Server 7.0 versions prior to Service Pack 4 (SP4). All versions of SQL Server 2000 and SQL Server 7.0 SP4 encrypt the passwords before storing them.

Solution

If the unattended installation file and log files are not needed, they should be deleted. If the files must be retained, they should be moved to a folder that is only accessible by administrators, or moved to offline storage.

Additionally, the KillPwd utility provided by Microsoft can remove passwords from the Setup.iss and log files. This utility deletes any passwords that are found in the setup and log files, whether encrypted or not. It does not, by default, delete passwords in the Setup.iss file created by SQL Server 2000 installations because this file is saved in a directory that only allows access to administrators and the individual user setting up SQL Server.
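The check described above can be scripted. The following PowerShell (3.0 or later) is an added example, not Microsoft's code and not part of KillPwd: it reports any Setup.iss or Sqlstp.log files in the two directories named in the Issue section, how many lines look like they hold a password, and which non-administrative SIDs are granted access. The function name, the "pwd|password" match pattern, and the choice to treat SYSTEM as administrative are assumptions made for illustration.

```powershell
# Added example (not Microsoft's code): report leftover SQL Server setup files.
function Find-SqlSetupLeftover {
    param(
        # Directories named in the advisory; override to scan elsewhere.
        [string[]]$Root = @($env:windir, (Join-Path $env:windir 'Temp')),
        # Heuristic (assumption): any line mentioning "pwd" or "password".
        [string]$Pattern = 'pwd|password'
    )
    # Well-known SIDs treated as administrative: BUILTIN\Administrators, SYSTEM.
    $adminSids = 'S-1-5-32-544', 'S-1-5-18'
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    foreach ($dir in ($Root | Where-Object { Test-Path -LiteralPath $_ })) {
        $files = Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in 'Setup.iss', 'Sqlstp.log' }
        foreach ($file in $files) {
            # Count matching lines only; the values themselves are never echoed.
            $hits = @(Select-String -LiteralPath $file.FullName -Pattern $Pattern)
            # Allow entries (explicit and inherited) for non-administrative SIDs.
            $rules  = (Get-Acl -LiteralPath $file.FullName).GetAccessRules($true, $true, $sidType)
            $others = @($rules |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $_.IdentityReference.Value -notin $adminSids } |
                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
            [pscustomobject]@{
                Path              = $file.FullName
                PasswordLikeLines = $hits.Count
                NonAdminSids      = $others -join ', '
            }
        }
    }
}

# Demo on a constructed file (hypothetical key name, not a real password).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'sqlsetup-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'Setup.iss') -Value '[Constructed]', 'ExamplePwd=not-a-real-password'
Find-SqlSetupLeftover -Root $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

Run without arguments from an elevated prompt to scan the default directories; any file listed with a non-empty NonAdminSids value is a candidate for the deletion or relocation described above.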

Additional Information

Microsoft Security Bulletin MS02-035

FIX: Service Pack Installation May Save Standard Security Password in File (263968)

Microsoft Security Bulletin (MS00-035): Frequently Asked Questions


©2002-2004 Microsoft Corporation. All rights reserved.