Installation of MSDE creates an 'sa' account with a blank password in Visio

Article ID: 321081 - View products that this article applies to.
This article was previously published under Q321081
Expand all | Collapse all

On This Page

SYMPTOMS

When you install Microsoft Data Engine (MSDE) version 1.0 or Microsoft SQL Server Desktop Engine (MSDE2000), the installation uses SQL Authentication by default. In addition, the default user name in these cases is sa, and the default password is blank.
Back to the top | Give Feedback

CAUSE

This problem may occur when either of the following conditions is true:

The Microsoft Data Engine (MSDE) version 1.0 is installed with the following products:
  • Visio 2000 Enterprise Edition
  • Microsoft Visio 2000 Enterprise Edition SR-1
-or-

The Microsoft SQL Server Desktop Engine (MSDE2000) is installed with Microsoft Visio Enterprise Network Tools (VENT).
Back to the top | Give Feedback

RESOLUTION

Microsoft advises that this problem can pose a potential security issue.

To determine whether this applies to your system, try to log on to MSDE by using the OSQL utility from a command prompt. Use the following syntax:
C:\>osql -U sa -P
If you receive the following message
Login failed for user 'sa'
the sa password is not blank, which indicates that the issue does not exist on your system.

However, if you receive the following message after you run the command
"1>"
the security vulnerability applies to the system, and you must follow the steps in the next section to change the 'sa' password.

How to Secure the 'sa' Account with a Password

You can use the sp_password stored procedure to set up a password for the 'sa' account. For example, to change the 'sa' password from NULL to "Test!01", use code similar to the following:
EXEC sp_password NULL,'Test!01','sa'
To set a secure password on Microsoft Data Engine (MSDE) 'sa' account, follow these steps:
  1. At the command prompt, log on to MSDE as follows:
    C:\>osql -U sa -P
  2. When you receive the "1>" message, change the 'sa' account password by using the following command:
    EXEC sp_password NULL,'Test!01','sa'
    Note In this command, 'Test!01' is a secure password that meets your organization's security guidelines and that you can remember.

    Note The password for 'sa' account must be strong. For password advice, visit the following Microsoft Web site:
    http://www.microsoft.com/security/articles/password.asp
    (http://www.microsoft.com/security/articles/password.asp)
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Back to the top | Give Feedback

MORE INFORMATION

For more information about Microsoft Data Engine (MSDE) security recommendations, click the following article numbers to view the articles in the Microsoft Knowledge Base:
248683
(http://support.microsoft.com/kb/248683/ )
Microsoft Data Engine security recommendations for ISVs
313418
(http://support.microsoft.com/kb/313418/ )
Unsecured SQL Server with blank (NULL) SA password leaves vulnerability to a worm
274773
(http://support.microsoft.com/kb/274773/EN-US/ )
FIX: If You Change Windows Security to Windows/SQL Security the SA Password is Blank
290212
(http://support.microsoft.com/kb/290212/ )
List of bugs fixed in SQL Server 2000 Service Pack 1 (1 of 2)
For additional information about the sp_password stored procedure, refer to SQL Server books online.

Acknowledgment: Adrian Romo of Quilogy contributed to this Microsoft Knowledge Base article.
Back to the top | Give Feedback

Properties

Article ID: 321081 - Last Review: October 13, 2006 - Revision: 1.1
APPLIES TO
  • Microsoft Data Engine 1.0, when used with:
    • Microsoft Visio 2000 Enterprise Edition
  • Microsoft SQL Server 2000 Desktop Engine (Windows), when used with:
    • Microsoft Visio Enterprise Network Tools
Keywords: 
kbpending kbprb KB321081
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top