Date: Thu, 4 Mar 1999 19:52:15 -0500 From: Stephen_Wyatt@AMSINC.COM To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM I've come across an issue regarding Microsoft SQL Server 6.0 and 6.5. SQL Server has a management tool called SQL Explorer (used to manage the server). If your SQL Server is set to use normal userid/password authentication and not integrated NT authentication, Explorer stores your userid and password in clear text. (6.0 stores it in a file in the same subdirectory of the software, 6.5 in the HKCU's registry hive). I would expect alittle more from a company like Microsoft... -stephen ------------------------------------------------------------------------------ Date: Fri, 5 Mar 1999 09:59:23 -0800 From: Paul Keister To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: Security Issue in SQL Server Enterprise Manager I checked this out and the password is visible in my registry as clear text inside a binary block. However the product name of this management tool is SQL Enterprise Manager, not SQL Explorer. Until this problem is address by Microsoft, an effective workaround for dba's using Enterprise Manger would be to unregister all servers before exit. ------------------------------------------------------------------------------ Date: Wed, 10 Mar 1999 17:23:07 -0500 From: Russ To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: Security Issue in SQL Server Enterprise Manager A number of people have written in response to Stephen's observations about finding the plaintext password for a registered SQL server in the registry. As Stephen stated in his original message, he had chosen Basic Authentication rather than NT Authentication. Using NT Authentication prevents the issue completely. SQL 7.0 eliminates the possibility of using Basic Authentication for this purpose, relying entirely on NT Authentication. Ergo Microsoft feels they have addressed the problem. So, a workaround exists (use NT Authentication only or unregister servers), and a fix has been made to the next version of SQL server (i.e. SQL 7.0). However Stephen's original point, that the product does store plaintext passwords in non-protected areas of the registry if configured to use Basic Authentication, should not be discarded. Cheers, Russ - NTBugtraq moderator