FIX: Passwords May Be Retrieved from Enterprise Manager and from a DTS Package with No Owner Password

This article was previously published under Q264880
This article has been archived. It is offered "as is" and will no longer be updated.
BUG #: 58000; 58112 (SQLBUG_70)
It may be possible to use a third-party utility to retrieve a password, stored in an edit box and masked behind asterisks. This problem could occur in SQL Server Enterprise Manager and in a Data Transformation Services (DTS) package. If a DTS package is saved without an owner password, any user with permissions to access the location where the package is stored (that is, SQL Server, the Repository, or a file) can edit that package to view the password if the DTS package contains tasks that store a password, such as a connection to an OLE DB or ODBC data source, Send Mail, or Transfer Objects task. A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Microsoft SQL Server 7.0 Service Pack 2 must already be installed prior to applying this fix.
The English version of this fix should have the following file attributes or later:
Version      File name   Platform---------------------------------7.00.886     DTSUI.dll   x867.00.886     Sqlns.dll   x867.00.886     DTSUI.dll   Alpha7.00.886     Sqlns.dll   Alpha				
NOTE: Due to file dependencies, the most recent hotfix or feature that contains the preceding files may also contain additional files.

Steps to Install the Fix

To install the fix, perform the following steps:
  1. Read Microsoft Security Bulletin MS00-041 Frequently Asked Questions, located at the following Web site:You are only required to download this patch if none of the listed workarounds in the security bulletin represents an acceptable workaround for your specific configuration.
  2. Download the appropriate version of the patch for your hardware platform by clicking the link to the file in the Microsoft Download Center.

    Microsoft SQL Server 7.0 on x86:

    Download DTSUIi.exe now

    Microsoft SQL Server 7.0 on Alpha:

    Download DTSUIa.exe now
  3. Run the self-extracting executable file to obtain the patch. During the extraction process, you will be prompted to specify a destination directory for the files.NOTE: Both the Alpha and x86 versions of the patch must be extracted by running on an x86-based system.

  4. In Microsoft Windows Explorer, navigate to the Mssql7\Binn folder and rename the existing DTSUI.dll and Sqlns.dll files. Replace the existing DTSUI.dll and Sqlns.dll files with the version that you extracted in Step 3. Repeat this on all client workstations that you use to edit DTS packages.
Always save DTS packages with an Owner password. The Owner password is used to encrypt the package, which ensures that only users who correctly supply the Owner password can open the package. If Windows NT Authentication is used on the tasks, multiple users can still safely have the password to edit the package without compromising any SQL Server passwords.

You may also choose to strictly control access to the location where the package is stored, either by removing the guest user from the msdb database (for packages stored in SQL Server or the Repository) or by setting the appropriate permissions on the file or directory (for a file package).

Using Windows NT authentication will also ensure that Enterprise Manager will be secure.
Microsoft has confirmed this to be a problem in SQL Server 7.0. This problem has been corrected in U.S. Service Pack 3 for Microsoft SQL Server 7.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
274799 INF: How to Obtain Service Pack 3 for Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0
For more information, contact your primary support provider.
More information
For the greatest security, Microsoft recommends that you always use Microsoft Windows NT Authentication, because SQL Server never stores any password. Microsoft also recommends that all DTS packages be saved with an Owner password to control who has access to edit the package. Either of the previous suggestions prevents unauthorized access of the DTS package.

With this fix, the DTS edit boxes with passwords actually contain asterisks for their text, not the actual password masked behind the asterisks.

security bugtraq internet dtswiz sysdtspackages ent man entman SEM SSEM

Article ID: 264880 - Last Review: 11/02/2013 22:17:00 - Revision: 5.0

Microsoft SQL Server 7.0 Standard Edition

  • kbnosurvey kbarchive kbautohotfix kbhotfixserver kbdownload kbbug kbfix kbgraphxlinkcritical kbqfe KB264880