Quote:>I am new to MSSQL7. Can anyone help in explaining the security risks of
>setting the 'sa' account to the default credentials, i.e. no password? There
>is a reason why we have had to do this but we have been told the system is
>insecure with this configuration.
It is totally insecure. Not only can anyone trash the SQL Server
installation, but since the MSSQLServer service generally runs under
an account with admin rights, anyone can trash anything else on the
server by using xp_cmdshell. And if the account is a domain admin....
Quote:>The explanation given was that since 'sa' is the default
>administrator account, any person who uses SQL would be aware of this.
Yes, anyone who knows anything will know the sa account. For that
matter, most tools default to the sa account with an empty password, so
even people who know nothing at all will be able to get in.
>person is able to obtain the IP address of the server then they can
>interrogate the database using a standard query tool.
And trash it too.
Quote:>Is there any way of making the system secure without having to change the
>default details of the 'sa' account.
Going back to your statement that "There is a reason why we have had
to do this", whatever the reason might be it is not good enough. What
is this supposed reason, anyway?
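
An audit query for the three conditions raised in this reply (a blank password on a SQL login, xp_cmdshell being available, and the service account's identity), added here as an example and not part of the original thread. It assumes SQL Server 2008 R2 SP1 or later and a login with CONTROL SERVER; these catalog views do not exist on SQL Server 7.0.

```sql
-- Added example, not from the original thread.
-- Assumption: SQL Server 2008 R2 SP1+ (sys.dm_server_services), run by a
-- login with CONTROL SERVER so that password_hash is visible.

-- SQL logins whose password is empty. PWDCOMPARE hashes the candidate
-- value and compares it with the stored hash.
SELECT N'blank password' AS finding,
       name COLLATE DATABASE_DEFAULT AS detail
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1

UNION ALL

-- The built-in sa login still enabled. Its SID is always 0x01,
-- so this matches it even if it has been renamed.
SELECT N'sa login enabled',
       name COLLATE DATABASE_DEFAULT
FROM sys.sql_logins
WHERE sid = 0x01
  AND is_disabled = 0

UNION ALL

-- xp_cmdshell switched on (value_in_use = 1 means it can be executed).
SELECT N'xp_cmdshell enabled',
       name COLLATE DATABASE_DEFAULT
FROM sys.configurations
WHERE name = 'xp_cmdshell'
  AND value_in_use = 1

UNION ALL

-- The Windows account each SQL Server service runs as, so it can be
-- checked against local and domain administrator group membership.
SELECT N'service account',
       (servicename + N' runs as ' + service_account) COLLATE DATABASE_DEFAULT
FROM sys.dm_server_services;
```

Rows for the first three findings mean the instance is in the state this reply describes; the service account rows are informational and need to be checked against group membership outside SQL Server.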