Re: Security bug?

From: John Alderson (jalderson.spamnot@adelphia.net)
Date: 01/23/03

• Next message: David Pendleton: "Re: Is this really the best way?"
• Previous message: Mark Talbot: "SQL Connection using ASP"
• In reply to: R. van Noorloos: "Re: Security bug?"
• Next in thread: R. van Noorloos: "Re: Security bug?"
• Reply: R. van Noorloos: "Re: Security bug?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "John Alderson" <jalderson.spamnot@adelphia.net>
Date: Thu, 23 Jan 2003 06:58:51 -0500

SQL Server 2000 Setup has been prompting for a password for sa since RTM,
IIRC. This is nothing new with SP3. However, it's only a prompt and the
ignorant administrator can still bypass it. I think it would serve
Microsoft well to retool the prompt to be such that a password is a
requirement to continue setup.

Further, folks pleading security ignorance just doesn't fly when a 3 second
Google search on sql security brings up www.sqlsecurity.com as the first 2
hits and Chip Andrews Blackhat presentation as the third.

John Alderson

"R. van Noorloos" <renennospam@syfact.com> wrote in message
news:#1UntkrwCHA.2636@TK2MSFTNGP12...
> Kevin
>
> Thanks, I know there is more, but a blank password is easely overseen if
you
> standard install with NT security and not aware of this. And also
> administrators could be denied access to a database/sql server,depending
on
> the confidentiallity of the stored information.
>
> But it is good to know SP3 is forcing it anyway.
>
> Kind regards
>
> René van Noorloos
>
> Syfact int'l
>
> "Kevin McDonnell [MS]" <kevmc@online.microsoft.com> wrote in message
> news:Y5oyS$XwCHA.3048@cpmsftngxa06...
> > Also, installing sp3 will prompt the user to change a blank 'sa'
password.
> > Only Administrators should be allowed to modify the servers registry
key.
> > There's more to securing a server than supplying a good 'sa' password...
> >
> >
> > Kevin McDonnell
> > Microsoft SQL Server Support
> >
>
>

• Next message: David Pendleton: "Re: Is this really the best way?"
• Previous message: Mark Talbot: "SQL Connection using ASP"
• In reply to: R. van Noorloos: "Re: Security bug?"
• Next in thread: R. van Noorloos: "Re: Security bug?"
• Reply: R. van Noorloos: "Re: Security bug?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Update Sqlserver 7.0 auf 2000 bricht ab ... Setup bricht aber leider immer wieder ab. ... > vorhandene Installation aktualisieren möchte. ... Upgrade from SQL Server 7.0 May Abort with Messages.sql ... Occurs When You Install SQL Server 2000 Service Pack 3 (SP3 ... (microsoft.public.de.sqlserver) Re: Whats the real difference between SP3 and SP3a? ... >Differences are there but the issues addressed for SP3a ... were in setup, ... related to sql server ... >server2000 sp3, as in your case. ... (microsoft.public.sqlserver.security) SQL Server 2000 could not be visited in win2003 by ODBC ... SQL Server 2000 could not be visited in win2003 by ODBC ... I have setup the sp3, but all it tell me no sql server or ... (microsoft.public.sqlserver.odbc) RE: Installation ... To run Unattended SQL Server setup at Command Prompt, ... How to record an unattended installation file ... (microsoft.public.sqlserver.setup) RE: Problems upgrading SQL MSDE for Sharepoint ... Please try the following steps and then run the SQL Server 2000 setup again: ... Can we install SQL Server successfully at this time? ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... (microsoft.public.windows.server.sbs)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint