Microsoft has posted guidelines to system administrators on how to close an apparent security hole in MS SQL Server 7.0 - read the instruction manual!
AUSTRALIA (ZDNet Australia) - The problem, which has been blamed for several UK and American government sites being hacked into in recent weeks, results from a default blank system administrator login that some administrators have failed to change.
Microsoft denies the default blank password is a vulnerability and suggests it is more a case of system administrators
not following its recommended best practices and installing their own complex password.
The company has posted guidelines on the Bugtraq site on how to do that. The problem first came to light on Bugtraq
last month when it was revealed that not only SQL Server 7.0 but several programs that ran a light version of it,
called Microsoft Data Engine, had the same blank password.
MSDE is distributed as part of Office 2000 (for Access 2000) and incorporated in several Microsoft and third party
packages such as Visio 2000 and Visual Studio 6.0.
Last week a hacker calling himself Herbless posted code on Bugtraq that allowed Linux users to access SQL Servers
with the default password and execute arbitrary commands.
Microsoft countered, claiming "the code does not exploit a vulnerability. Rather, it uses the normal SQL authentication
process to gain access to the machine, for cases in which the password is a known value - namely, blank.
"SQL Server 7.0 and earlier may be configured to run with Mixed Mode Authentication. An 'sa' account is created,
having full rights to the SQL environment. Users must manually configure a strong password for this account,"
the company said.
It has listed what it describes as 'best practices' for running SQL servers and says that while it will not be
posting a patch for SQL 7.0 it has fixed the problem with SQL2000 - by prompting system administrators to supply
a non-blank password during the installation process.
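The fix Microsoft describes, setting a strong password on the 'sa' account and checking that no other SQL login is still blank, as an added Transact-SQL example that is not from the article or from Microsoft's posted guidelines. It assumes the master..syslogins view of SQL Server 7.0 and 2000, where a blank password is stored as a NULL password column and isntname distinguishes SQL logins from Windows logins; the new password value is a placeholder to be replaced before running.

```sql
-- Added example (not from the article). Run as a sysadmin on SQL Server 7.0 / 2000.
-- Assumes the syslogins view layout of those versions; verify against your version.
USE master;
GO

-- 1. Audit: list SQL Server logins (not Windows NT logins) whose stored
--    password is NULL, which is how a blank password is recorded.
SELECT name
FROM master..syslogins
WHERE password IS NULL
  AND isntname = 0;   -- 0 = SQL login, 1 = Windows NT login
GO

-- 2. Harden: give 'sa' a strong password. The first argument is the old
--    password (NULL when it is blank). Replace the placeholder first.
EXEC sp_password NULL, '<STRONG-PASSWORD-PLACEHOLDER>', 'sa';
GO

-- 3. Verify: 'sa' should no longer appear in the blank-password list.
SELECT name
FROM master..syslogins
WHERE name = 'sa'
  AND password IS NULL;   -- expected: no rows
GO
```

Any other login returned by the first query should be given a password the same way, or be dropped if it is unused; on a server that runs MSDE the same statements apply, since it shares the 'sa' account and Mixed Mode behaviour the article describes.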
Default passwords are not a problem confined to Microsoft. Earlier this year Internet Security Systems' anti-hacker
group X-Force warned system administrators that several of the major server and database packages on the market
incorporated default passwords that must be changed during installation.