Currently, all versions of Microsoft SQL Server, including SQL 2000, have a potential vulnerability which allows any remote user to obtain Administrator level access to the system through the 'sa' account in the database server. During the MSSQL Server 6.5 and 7 installations the user is prompted, but not required to set a password on this account. MSSQL Server 2000 defaults to using NT authentication but can also be set to use SQL authentication, opening up the same issue. Further, there are several conditions under which this password may be reset to null, including applying some system patches, rebuilding the master database, or running an atypical system command sequence. Also, some systems may have an additional account named 'probe' which is used in system profiling and performance testing and may also open the system to this vulnerability. Once a connection can be established using the 'sa' or 'probe' accounts, a remote attacker can utilize the xp_cmdshell stored procedure to execute operating system commands in the context of the SYSTEM account in the underlying OS, leaving both the machine and its data completely compromised. Therefore, it is essential that these systems be manually checked to ensure that the passwords are set. We recommend that they be periodically audited and checked after system maintenance.

Due to the severity of this vulnerability, the Network Security Center will be scanning campus periodically and removing from the network machines which are found to have a null password on the 'sa' account.

For your convenience we have included below a set of instructions for setting the 'sa' password on Microsoft SQL Servers. Please note that these instructions cover full installations of Microsoft SQL Server as distributed by Microsoft Corporation, and versions of Microsoft Data Engine (MSDE) distributed with some third party applications. Other third party application vendors may include, as part of their distribution, partial versions of MSSQL Server which are vulnerable to the null 'sa' password exploit, but which do not include the client tools necessary to change the password. In these cases you should contact your software vendor for support and then contact us once the problem is fixed to have the machine returned to the network.

Please see the Microsoft SQL Server Security pages and the SQL Server Security Checklist from SQLsecurity.com for more information on securely administering Microsoft SQL Server. Also, a detailed analysis of one worm which exploits this vulnerability is available from the Incidents.org site maintained by the SANS Institute.

To change the password from the command line on MSSQL Server or MSDE:

  1. Open a command shell by selecting "Start"-->"Run...", and typing "cmd.exe" in the "Run" dialog box.
  2. Change to the directory in which the MSSQL or MSDE utilities are stored (this is usually C:\MSDE\binn, C:\MSSQL7\binn, etc., but YMMV).
  3. Issue the following command where <newpassword> is the password you have chosen:
    osql -U sa -P "" -Q "sp_password NULL,<newpassword>,sa"
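The advisory recommends auditing these accounts periodically and after system maintenance. The batch file below is an added example (it is not part of the original advisory) that turns the command in step 3 into a repeatable check: it attempts a blank-password login for both 'sa' and 'probe' against an instance you administer, reports the result, and offers to set a new password where the blank login succeeds. It assumes osql.exe is on the PATH (or that you run it from the binn directory as in step 2), that the instance is the local default instance unless a server name is passed as the first argument, and that cmd.exe is Windows 2000 or later (for set /p).

```batch
@echo off
rem audit_sa.bat -- added audit example, not from the original advisory.
rem Tries a blank-password login for the 'sa' and 'probe' logins on a
rem SQL Server / MSDE instance you administer. osql -b makes osql return
rem a non-zero ERRORLEVEL when the login or the query fails, which is
rem what the check tests on.
rem Assumptions: osql.exe is on the PATH or this runs from the binn
rem directory; the target is the local default instance unless a server
rem name is given as %1 (e.g. audit_sa.bat MYSERVER\MSDE); set /p needs
rem Windows 2000 or later. Note that "command not found" also yields a
rem non-zero ERRORLEVEL, so confirm osql runs before trusting an [OK].

setlocal
set SERVER=%1
if "%SERVER%"=="" set SERVER=(local)

for %%L in (sa probe) do call :check %%L
goto :eof

:check
rem Attempt the connection with an empty password and a harmless query.
osql -S %SERVER% -U %1 -P "" -b -Q "SELECT @@VERSION" >nul 2>&1
if errorlevel 1 (
    echo [OK]   login '%1' on %SERVER% does not accept a blank password
    goto :eof
)
echo [FAIL] login '%1' on %SERVER% accepts a blank password
set /p NEWPW=Enter a new password for '%1' (blank to skip): 
if "%NEWPW%"=="" goto :eof
rem sp_password old, new, login -- the same call as step 3 above. Avoid
rem passwords containing quotes, ^, ampersand or percent signs here, as
rem cmd.exe would mangle them on the command line.
osql -S %SERVER% -U %1 -P "" -b -Q "EXEC sp_password NULL, '%NEWPW%', '%1'"
if errorlevel 1 (
    echo        failed to set the password for '%1'
) else (
    echo        password set for '%1'; re-run this script to confirm
)
goto :eof
```

A login that does not exist (for example a server without a 'probe' account) also fails the blank login and is reported as [OK], which is the desired result. As with the advisory's own command, the new password appears on the command line and so may be visible in the process list for the instant osql runs; set it from the console rather than from a script stored on disk.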

To change the password on the 'sa' account from the graphical interfaces of MSSQL Server 7.0 and 2000 on both Windows NT 4.0 and 2000:

  1. Open the "SQL Server Enterprise Manager". This is usually under "Start"-->"Programs"-->"Microsoft SQL Server", but your software may be configured differently. Starting with MSSQL 7.0, the "SQL Server Enterprise Manager" is a snap-in for the "Microsoft Management Console" (mmc.exe). Please see Microsoft documentation if you are unsure how to use this application.
  2. Navigate to the "Logins" object under the "Security" folder on the SQL Server you wish to administer. Then, right click on the 'sa' account and select "Properties".

    [Screenshot: Enterprise Manager]
  3. Now, enter a new password in the "Password" field under the "Authentication" options.

    [Screenshot: Set Password]

To change the password on the 'sa' account from the graphical interface of MSSQL Server 6.5 on Windows NT 4.0:

  1. Open the "SQL Server Enterprise Manager". This is usually under "Start"-->"Programs"-->"Microsoft SQL Server", but your software may be configured differently. This package should have been installed with MSSQL Server 6.5, so please see your documentation if you are unsure of how to find this application.
  2. Navigate to the "Logins" object for the SQL Server you wish to administer. Then, right click on the 'sa' account and select "Edit".

    [Screenshot: Enterprise Manager]
  3. Now, enter a new password in the "Password" field and click "Modify".

    [Screenshot: Set Password]
  4. Also note that if there is an account named "probe", it may also open you up to this vulnerability. Please verify the password for that account as well.