COMMAND

    MS SQL Server

SYSTEMS AFFECTED

    Microsoft SQL Server 7.0

PROBLEM

    The following is based  on an ISS Security  Advisory.  Internet  Security
    Systems (ISS)  has identified  a vulnerability  in the  encryption
    used to  conceal the  password and  login ID  of a  registered SQL
    Server user in  Enterprise Manager for  Microsoft SQL Server  7.0.
    When registering  a new  SQL Server  in the  Enterprise Manager or
    editing the  SQL Server  registration properties,  the login  name
    that will  be used  by the  Enterprise Manager  for the connection
    must be specified. If a SQL  Server login name is used instead  of
    a Windows Domain  user name and  the 'Always prompt  for login name
    and password' checkbox is not  set, the login ID and  password are
    weakly encrypted and stored in the registry.

    When a DBA (database  administrator) logs into a  workstation with
    a  roaming  profile,  the  login  ID  and password are stored in a
    registry key.  This information  is stored as the file  NTUSER.DAT
    (for Windows NT) or USER.DAT  (for Windows 95 or Windows  98) when
    the user  logs off.   An attacker  can open  this file  in a  text
    editor  to  view  the  encrypted  DBA  login  ID  and password, and
    can reverse  the encryption  to recover  the DBA  login ID  and
    password in the clear.

    Remote and  local attackers  who acquire  the system administrator
    password have full  control over the  database server software  as
    well as full access to the content and integrity of the database.

    The encryption  used to  conceal the  password and  login ID  of a
    registered SQL Server  user in Enterprise  Manager for SQL  Server
    7.0 can be reversed.  The encryption scheme used is an  alphabetic
    substitution  where  each  Unicode  character  in  the password is
    XOR'ed with  a two  byte value  according to  its position  in the
    string.   If  the  'Always  prompt  for  login  name and password'
    checkbox is not  set when registering  a SQL Server,  the login ID
    and  password  are  weakly  encrypted  and  stored in the following
    registry key:

        HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server X.
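    The scheme described above, as an added illustration that is not part of
    the ISS advisory and not Microsoft's code: each 16-bit code unit is XOR'ed
    with a key word chosen by its position.  DEMO_KEY is a constructed keystream
    (the real constants are not given here), and the assumption that it repeats
    for longer passwords is the author's; the point is that the operation is its
    own inverse and that one known password leaks the key for every other one.

```python
# Added demo of position-keyed XOR over UTF-16 code units.  DEMO_KEY is a
# CONSTRUCTED keystream for this illustration, not the value Enterprise
# Manager used; repeating it past its length is an assumption.
from typing import List, Optional

DEMO_KEY = [0x5A4D, 0x3C21, 0x7E13, 0x0F0F, 0x6B2A, 0x18C3, 0x4D4D, 0x2E9A]


def str_to_units(s: str) -> List[int]:
    """Split a string into its UTF-16LE code units (one 2-byte value each)."""
    raw = s.encode("utf-16-le")
    return [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]


def units_to_str(units: List[int]) -> str:
    """Reassemble UTF-16LE code units into a string."""
    return b"".join(u.to_bytes(2, "little") for u in units).decode("utf-16-le")


def xor_by_position(units: List[int], key: List[int]) -> List[int]:
    """XOR every code unit with the key word at its position (key repeats)."""
    return [u ^ key[i % len(key)] for i, u in enumerate(units)]


def obfuscate(password: str, key: List[int] = DEMO_KEY) -> List[int]:
    """What gets written to the registry: the XOR'ed code units."""
    return xor_by_position(str_to_units(password), key)


def deobfuscate(stored: List[int], key: List[int] = DEMO_KEY) -> str:
    """XOR is its own inverse, so reversing it is the same operation again."""
    return units_to_str(xor_by_position(stored, key))


def recover_key(known_password: str, stored: List[int],
                key_len: int) -> List[Optional[int]]:
    """A single known password/stored pair reveals the key word at each
    position it covers (None where the password was too short); any other
    credential protected by the same scheme then falls with it."""
    plain = str_to_units(known_password)
    recovered: List[Optional[int]] = [None] * key_len
    for i, (p, c) in enumerate(zip(plain, stored)):
        recovered[i % key_len] = p ^ c
    return recovered


if __name__ == "__main__":
    blob = obfuscate("s3cret!")
    print("round trip:", deobfuscate(blob))
    print("key leaked by one known pair:",
          [hex(k) if k is not None else None for k in recover_key("dba_admin", obfuscate("dba_admin"), 8)])
```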

    By  design,  the  HKEY_CURRENT_USER  registry  hive is meant to be
    available only to the currently logged  on user.  That is, when  a
    different Windows NT user logs  onto the system, a different  copy
    of the HKEY_CURRENT_USER  registry hive is  loaded.  In  practice,
    the HKEY_CURRENT_USER registry hive  is saved locally as  the file
    NTUSER.DAT or USER.DAT when a  user logs off.  This  registry hive
    can be opened in Notepad  and the encrypted login ID  and password
    can be  easily located.   If the  DBA has  a roaming  profile, the
    NTUSER.DAT file will  be saved on  every workstation the  DBA logs
    into.

SOLUTION

    To securely  use SQL  Server, Microsoft  recommends using  Windows
    Integrated  Security.    In  Windows   Integrated  Security   mode
    passwords  are  never  stored,  as  your Windows Domain sign-on is
    used as the security identifier to the database server.

    If a SQL Server login ID is specified for logging into a server in
    the  Enterprise  Manager,  Microsoft  recommends  using the option
    'Always prompt for login  name and password' to  prevent passwords
    from being stored in the registry.

    ISS  SAFEsuite  security  assessment  software,  Database Scanner,
    contains a security check for this vulnerability and is  currently
    available for customers in the latest version of Database Scanner,
    3.0.1.