SQL Server service pack installation may save the system administrator password in a file for SQL Server 7.0 and SQL Server 2000

During the installation of SQL Server products and service packs, the passwords of the system administrator (sa) account and/or the SQL Server Services domain account may be stored in clear text or in a weakly encrypted, readable format in the SQL Server Setup files and/or the Setup.iss file. These files can be found in the following locations and under the following file names, and should be removed when they are no longer required.

- %Windir% folder
- %Windir%\Temp folder
- Temp folder (as specified in System Control Panel –> Advanced –> Environment Variables)
- %SystemDrive%\MSSQL7\Install\or\Tools folder
- Sqlstp.log
- Sqlsp*.log
- Setup.iss
- Drive:\Program Files\Microsoft SQL Server\MSSQL\Install folder
- Drive:\Program Files\Microsoft SQL Server\MSSQL$InstanceName\Install folder
- Remsetup.ini (at %Windir%)
- remote install script (RemoteComputerName_InstanceName.iss) at %Windir% folder

Users are advised to do the following during or after the installation of SQL Server products and service packs.
- Copy the *.iss file (used for unattended installation) to a security-enhanced location that is not in a searchable folder.
- Use Microsoft Windows NT Security Authentication to install SQL Server products and service packs.
- Use the LocalSystem account to configure the SQL Services.
- After the installation of SQL Server service packs, change the SQL Server system administrator (sa) password and SQL Service domain account password.
- Use the Killpwd.exe utility to clear the setup files. The Killpwd utility automates scanning for the setup files and removes the passwords from them. Killpwd can be found at http://www.microsoft.com/downloads/details.aspx?familyid=7BDA4AE4-E287-4A6B-86E4-9AFDB3EA26C9&displaylang=en
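
The following is an added example, not part of the original post and not Microsoft's Killpwd tool: a read-only PowerShell inventory of the folders and file names listed above, so leftover setup files can be reviewed and removed. The `pwd|password` keyword pattern and the recursive search under `%SystemDrive%\MSSQL7` are assumptions; only matching line numbers are reported, never the values.

```powershell
# Added example, read-only: lists leftover SQL Server setup files for review.
# Requires PowerShell 3.0 or later. Folder and file names are the ones listed above.
$names   = 'Sqlstp.log', 'Sqlsp*.log', 'Remsetup.ini', '*.iss'   # *.iss covers Setup.iss
$keyword = 'pwd|password'   # assumption: generic pattern, not a documented key name

$folders = @(
    $env:windir
    (Join-Path $env:windir 'Temp')
    $env:TEMP
    (Join-Path $env:SystemDrive 'MSSQL7')   # assumption: searched recursively below
)
# "Drive:\Program Files\..." can be on any drive, so try every file-system root.
foreach ($drive in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root })) {
    $folders += Join-Path $drive.Root 'Program Files\Microsoft SQL Server\MSSQL\Install'
    $folders += Join-Path $drive.Root 'Program Files\Microsoft SQL Server\MSSQL$*\Install'
}

$found = foreach ($pattern in ($folders | Where-Object { $_ })) {
    # Resolve-Path expands the MSSQL$* wildcard and silently skips missing folders.
    foreach ($dir in (Resolve-Path -Path $pattern -ErrorAction SilentlyContinue)) {
        $recurse = $dir.Path -like '*\MSSQL7'
        Get-ChildItem -LiteralPath $dir.Path -File -Recurse:$recurse -ErrorAction SilentlyContinue |
            Where-Object {
                $file = $_
                @($names | Where-Object { $file.Name -like $_ }).Count -gt 0
            }
    }
}

# %TEMP% and %Windir%\Temp can be the same folder, so de-duplicate by full path.
$found | Sort-Object FullName -Unique | ForEach-Object {
    # Record only the line numbers that match; the matched text is never printed.
    $hits = @(Select-String -LiteralPath $_.FullName -Pattern $keyword -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Path         = $_.FullName
        LastWrite    = $_.LastWriteTime
        KeywordLines = ($hits.LineNumber -join ',')
    }
} | Format-Table -AutoSize
```

Run it from an elevated session so that `%Windir%` and other users' Temp folders are readable; an empty table means none of the listed files were found in the listed folders.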

References
- http://support.microsoft.com/kb/263968/en-us
