MS SQL Server Default Password

Created 5/23/02
CAN-2000-1209 (now CVE-2000-1209)

Impact

A remote attacker could log in to the database as the system administrator and execute arbitrary operating system commands on the server with the privileges of the SQL Server service account.

Background

Microsoft SQL Server is a relational database management system for Windows. The same database engine also ships as the Microsoft Data Engine (MSDE), which is bundled with a number of other Microsoft and third-party products, so it is frequently present on systems that are not thought of as database servers.

The Problems

A built-in system administrator login called "sa" is created when SQL Server is installed. On SQL Server 7.0, SQL Server 2000 and MSDE 1.0, this login is created with a blank password by default. If the server is configured for SQL Server authentication ("mixed mode") and the password is left unchanged, anyone who can reach the database port (TCP 1433 by default) can log in as "sa" without credentials. Because "sa" is a member of the sysadmin role, the attacker can then run the xp_cmdshell extended stored procedure, which executes an arbitrary operating system command under the account the SQL Server service runs as, commonly LocalSystem on default installations.

This vulnerability is actively exploited by the Spida worm (also known as Digispid or SQLSnake). The worm logs in to servers whose "sa" login has a blank password, uses xp_cmdshell to install itself, collects sensitive information including password hashes and database configuration and sends it to an external address, and then scans further address ranges for other Microsoft SQL Servers listening on TCP port 1433.

Resolution

Set a password for the "sa" login in Microsoft SQL Server. A non-guessable password which is at least eight characters long and composed of letters, digits, and non-alphanumeric characters is recommended. Do this even on servers that use Windows Authentication only, since the "sa" password becomes live as soon as the server is switched to mixed mode. In addition, block TCP port 1433 at the network perimeter unless remote database access is required, and remove or restrict xp_cmdshell where no application needs it.
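The following Transact-SQL is an added example, not part of the original advisory or of any Microsoft documentation. It shows how an administrator can check a SQL Server 7.0 / 2000 / MSDE instance for the blank "sa" password described above, demonstrates the xp_cmdshell primitive that makes the flaw a remote command execution problem, and then applies the fix. It assumes the statements are run from Query Analyzer or osql by a login in the sysadmin role; the replacement password is a placeholder to be substituted with your own value. The ALTER LOGIN and sys.sql_logins forms in the comments apply to SQL Server 2005 and later, where sp_password and master..syslogins are deprecated.

```sql
-- Added example (not from the original advisory): find and fix a blank "sa" password.
-- Target: SQL Server 7.0 / 2000 / MSDE 1.0, run as a sysadmin login.

-- 1. Is SQL Server authentication (mixed mode) enabled? Only then can a remote
--    client authenticate as "sa" with a password at all. The output row shows
--    'login mode' = 'Mixed' or 'Windows NT Authentication'.
EXEC master..xp_loginconfig 'login mode'
GO

-- 2. List SQL logins (not Windows logins, isntname = 0) whose stored hash
--    verifies against the empty string. PWDCOMPARE(cleartext, hash) returns 1
--    on a match. If "sa" appears here, the server is exposed.
--    SQL Server 2005+: SELECT name FROM sys.sql_logins
--                      WHERE PWDCOMPARE('', password_hash) = 1
SELECT name
FROM master..syslogins
WHERE isntname = 0
  AND (password IS NULL OR PWDCOMPARE('', password) = 1)
GO

-- 3. What an attacker gains after that login: xp_cmdshell runs an OS command
--    under the SQL Server service account. 'hostname' is a harmless
--    demonstration; the Spida worm used the same procedure to copy in and run
--    its own files. Illustrative only; do not run on a production server.
EXEC master..xp_cmdshell 'hostname'
GO

-- 4. Fix: set a strong password on "sa". sp_password arguments are
--    (old password, new password, login); pass NULL as the old password when
--    it is blank. Replace the placeholder with your own long random value.
--    SQL Server 2005+: ALTER LOGIN sa WITH PASSWORD = 'ReplaceWithYourOwnLongRandomValue1!'
EXEC sp_password NULL, 'ReplaceWithYourOwnLongRandomValue1!', 'sa'
GO

-- 5. Re-run the check from step 2; "sa" must no longer be listed.
SELECT name
FROM master..syslogins
WHERE isntname = 0
  AND (password IS NULL OR PWDCOMPARE('', password) = 1)
GO
```

Step 2 is the check worth scripting across an estate: it catches not only "sa" but any other SQL login created with an empty password. Step 3 is included so that the impact is concrete; on a default installation the command runs as LocalSystem, which is why a blank "sa" password is equivalent to an unauthenticated administrator shell on the host.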

Where can I read more about this?

For more information on this vulnerability, see CERT Vulnerability Note VU#635463.

For more information on securing Microsoft SQL Server, see the SQL Server security page.

For more information on the Spida worm, see the ISS Alert.