Microsoft KB Archive/264880

= FIX: Passwords May Be Retrieved from Enterprise Manager and from a DTS Package with No Owner Password =

Article ID: 264880

Article Last Modified on 3/14/2006

-

APPLIES TO


 * Microsoft SQL Server 7.0 Standard Edition

-



This article was previously published under Q264880



BUG #: 58000; 58112 (SQLBUG_70)



SYMPTOMS
It may be possible to use a third-party utility to retrieve a password that is stored in an edit box and masked behind asterisks. This problem can occur in SQL Server Enterprise Manager and in a Data Transformation Services (DTS) package. If a DTS package is saved without an owner password, any user with permission to access the location where the package is stored (that is, SQL Server, the Repository, or a file) can edit that package to view the password, provided the package contains tasks that store a password, such as a connection to an OLE DB or ODBC data source, a Send Mail task, or a Transfer Objects task.

RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next SQL Server service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Microsoft SQL Server 7.0 Service Pack 2 must already be installed prior to applying this fix.

The English version of this fix should have the following file attributes or later:

   Version     File name   Platform
   7.00.886    DTSUI.dll   x86
   7.00.886    Sqlns.dll   x86
   7.00.886    DTSUI.dll   Alpha
   7.00.886    Sqlns.dll   Alpha

NOTE: Due to file dependencies, the most recent hotfix or feature that contains the preceding files may also contain additional files.

Steps to Install the Fix
To install the fix, perform the following steps:

1. Read Microsoft Security Bulletin MS00-041 Frequently Asked Questions, located at the following Web site:

   http://www.microsoft.com/technet/security/bulletin/fq00-041.mspx

   You are only required to download this patch if none of the listed workarounds in the security bulletin represents an acceptable workaround for your specific configuration.

2. Download the appropriate version of the patch for your hardware platform by clicking the link to the file in the Microsoft Download Center.

   Microsoft SQL Server 7.0 on x86:

   Download DTSUIi.exe now

   Microsoft SQL Server 7.0 on Alpha:

   Download DTSUIa.exe now

3. Run the self-extracting executable file to obtain the patch. During the extraction process, you will be prompted to specify a destination directory for the files.

   NOTE: Both the Alpha and x86 versions of the patch must be extracted by running on an x86-based system.

4. In Microsoft Windows Explorer, navigate to the Mssql7\Binn folder and rename the existing DTSUI.dll and Sqlns.dll files. Replace the existing DTSUI.dll and Sqlns.dll files with the versions that you extracted in Step 3. Repeat this on all client workstations that you use to edit DTS packages.



WORKAROUND
Always save DTS packages with an Owner password. The Owner password is used to encrypt the package, which ensures that only users who correctly supply the Owner password can open the package. If Windows NT Authentication is used on the tasks, multiple users can still safely have the password to edit the package without compromising any SQL Server passwords.

You may also choose to strictly control access to the location where the package is stored, either by removing the guest user from the msdb database (for packages stored in SQL Server or the Repository) or by setting the appropriate permissions on the file or directory (for a file package).

Using Windows NT authentication will also ensure that Enterprise Manager will be secure.
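As an added example (not part of this KB article), the following Transact-SQL audits the storage-side workaround above on a SQL Server 7.0 instance: it inventories the DTS packages held in msdb together with their owners, reports whether the guest user still has access to msdb, and revokes that access. The sysdtspackages and sysusers system tables and the sp_revokedbaccess procedure are SQL Server 7.0 objects; the PRINT wording is my own.

```sql
-- Added audit script (not from KB 264880). Target: the msdb database of a
-- SQL Server 7.0 instance, run from a login that is a member of sysadmin.
USE msdb
GO

-- 1. Inventory the DTS packages stored in this server (sysdtspackages holds
--    one row per saved version). Every package listed here is readable by
--    any login that can reach msdb, so each one should have been saved with
--    an Owner password; review the list against your package owners.
SELECT  p.name,
        p.owner,
        COUNT(*)          AS saved_versions,
        MAX(p.createdate) AS last_saved
FROM    dbo.sysdtspackages p
GROUP BY p.name, p.owner
ORDER BY p.name
GO

-- 2. Check whether the guest user can reach msdb. If it can, every login on
--    the server can read sysdtspackages and therefore open any package that
--    was saved without an Owner password.
IF EXISTS (SELECT 1 FROM dbo.sysusers WHERE name = 'guest' AND hasdbaccess = 1)
    PRINT 'FINDING: guest has access to msdb; packages without an Owner password are readable by all logins'
ELSE
    PRINT 'OK: guest has no access to msdb'
GO

-- 3. Remediation from the WORKAROUND section: remove guest from msdb.
--    Confirm first that no job or application relies on guest access to msdb.
IF EXISTS (SELECT 1 FROM dbo.sysusers WHERE name = 'guest' AND hasdbaccess = 1)
    EXEC sp_revokedbaccess 'guest'
GO
```

For packages stored in a file rather than in msdb, the equivalent check is the NTFS permission list on the .dts file and its directory, as the paragraph above describes.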



STATUS
Microsoft has confirmed this to be a problem in SQL Server 7.0. This problem has been corrected in U.S. Service Pack 3 for Microsoft SQL Server 7.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

274799 INF: How to Obtain Service Pack 3 for Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0

For more information, contact your primary support provider.


MORE INFORMATION
For the greatest security, Microsoft recommends that you always use Microsoft Windows NT Authentication, because SQL Server never stores any password. Microsoft also recommends that all DTS packages be saved with an Owner password to control who has access to edit the package. Either of the previous suggestions prevents unauthorized access of the DTS package.

With this fix, the DTS edit boxes with passwords actually contain asterisks for their text, not the actual password masked behind the asterisks.

Additional query words: security bugtraq internet dtswiz sysdtspackages ent man entman SEM SSEM

Keywords: kbdownload kbbug kbfix kbgraphxlinkcritical kbqfe KB264880


© Microsoft Corporation. All rights reserved.