
Default SA password and you


foxdev (Programmer), Feb 11, 2000, 1,995 posts, US
Just a reminder...

I work for a dot-com (that shall remain nameless) that has recently installed and started using a very large ERP system (that shall remain nameless, but you've heard of it). This ERP system runs on top of a huge SQL Server 7 database. The servers reside several states away.

The databases include sales data such as credit card numbers, cardholder names, and so forth. Lots of them.

As we know, SQL Server is installed with a default system administrator password. This ERP still had that default, which means:

1) anyone who has ever installed SQL Server knows the default SA password

2) anyone who could determine the IP address of the ERP/SQL Server and knew #1 could gain access to lots and lots of credit card numbers

Both #1 and #2 are pretty easily obtainable.

Naturally, once I determined this situation existed, I changed the SA password and, hopefully, kept my company out of USA Today's headlines.

But let this be a reminder, regardless of whether you or someone else installed SQL Server: immediately change the SA password, because a million people know it!
Robert Bradley
 
This is a major issue, and a major soapbox of mine as well...

And to add to this... NEVER NEVER NEVER code your applications to use the sa account to connect to SQL Server... I can't tell you what a security nightmare it is when all developers and users can do anything they choose to your servers because the applications have this password contained in them.
Tom Davis
tdavis@sark.com
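The two fixes the posts above call for, changing the sa password and giving the application its own restricted login instead of sa, as an added T-SQL example for SQL Server 7/2000. This is not code from either poster or from any ERP vendor; the database name ERPDB, the login erp_app, the table names and the placeholder passwords are all assumed and must be replaced. The empty-password check assumes the SQL Server 7/2000 behaviour of storing a blank password as NULL in master..syslogins.

```sql
-- Added example, not from the thread. Assumed names: database ERPDB,
-- login erp_app, tables dbo.Orders and dbo.CardNumbers, placeholder
-- passwords. Run as a member of the sysadmin role.

USE master
GO

-- 1. Find every login that still has an empty password. On SQL Server 7/2000
--    a blank password is stored as NULL (assumption noted in the lead-in).
--    'sa' should not appear in this result once step 2 has run.
SELECT name
FROM master..syslogins
WHERE password IS NULL
GO

-- 2. Put a real password on sa. The first argument is the OLD password;
--    NULL means "none", which is the out-of-the-box state the posts describe.
EXEC sp_password NULL, 'Replace-With-A-Long-Random-Secret', 'sa'
GO

-- 3. Create a separate login for the ERP application. It gets no server
--    roles, so a leaked connection string no longer hands out sysadmin.
EXEC sp_addlogin 'erp_app', 'Another-Long-Random-Secret', 'ERPDB'
GO

-- 4. Map the login into the application database and grant only what the
--    application actually needs.
USE ERPDB
GO
EXEC sp_grantdbaccess 'erp_app'
GO

-- Coarse option: the fixed database roles for read and write access.
EXEC sp_addrolemember 'db_datareader', 'erp_app'
EXEC sp_addrolemember 'db_datawriter', 'erp_app'
GO

-- Finer option: per-object grants, and an explicit DENY on the table that
-- holds card data so a role grant cannot silently reopen it.
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO erp_app
DENY SELECT ON dbo.CardNumbers TO erp_app
GO

-- 5. Check the result: sa has a password, erp_app is not a sysadmin.
USE master
GO
SELECT name,
       CASE WHEN password IS NULL THEN 'BLANK' ELSE 'set' END AS pwd_state,
       sysadmin
FROM master..syslogins
WHERE name IN ('sa', 'erp_app')
GO
```

After this the application's connection string uses erp_app, and sa is kept for administrators only. Re-run the first SELECT after any reinstall or restore of master, since that is when a blank sa password tends to come back.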
 