Exposed sa or SQL Server Service Account Password
Check Description
This check determines whether Microsoft® SQL Server™ 7.0 Service Pack 1 (SP1), SQL Server 7.0 SP2, or SQL Server 7.0 SP3 sa (system administrator) account passwords are written in plaintext to the Setup.iss, Sqlstp.log, or SqlspX.log files in the %windir% and %windir%\%temp% directories. The Sqlstp.log or SqlspX.log file is also checked on SQL Server 2000 if domain credentials are used to start the SQL Server services.
If Mixed Mode authentication is selected while setting up SQL Server 7.0 SP1, SP2, or SP3, the sa password is saved in plaintext in the Setup.iss and Sqlstp.log files. These files remain on disk after setup completes, so anyone able to read them can recover the password. Administrators using Windows Authentication Mode (the recommended mode) have credentials at risk only if they supplied a domain account and password for the SQL Server services to start under automatically.
Additional Information
Microsoft Security Bulletin MS02-035
FIX: Service Pack Installation May Save Standard Security Password in File (263968)
Microsoft Security Bulletin (MS00-035): Frequently Asked Questions
©2002-2004 Microsoft Corporation. All rights reserved.