|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Local SQLDebugger account created by SQL Server 2000 SP3
From: Marilee Niemi (marilee.j.niemi
SF.FRB.ORG)
Date: Tue Apr 08 2003 - 16:48:01 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
An archive search did not bring up this topic as having been covered so
here goes.
Under the theory that any local NT/Windows 2000 user account which is
created by default as part of an application install is a potential
threat, I would like to warn administrators about SQL Server 2000 SP3.
Installing SQL Server 2000 SP3 creates a local account, SQLDebugger.
The account, while only a member of the Users group, has "Password never
expires" and "User cannot change password" checked by default. This is
not documented in the Readme(s) nor the Fixlist. If its there it is
buried so deep that I never found it. I opened a case with Microsoft
to find out what was going on and was told that SQLDebugger is created
as part of sqldbreg2.exe. The account is used by Visual Studio and
Query Analyzer. More information (though not much) can be found in
Q318632.
What I don't understand is why this is not documented better or even
mentioned. Administrators should certainly be told of any local
account so that they can either delete it or secure it.
Marilee Niemi
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Have you discovered a security vulnerability related to Windows or a
commercial product which runs on Windows?
Need assistance crafting the format or translating your advisory to English?
Need to verify it, or having problems contacting the Vendor?
Contact mailto:AdvisoriesNTBugtraq.com
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]