How to specify a strong SA password when you install SQL Server 2000 Desktop Engine (MSDE 2000)

Disclaimer for retired Knowledge Base content

This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.

Summary

This article describes how to specify a strong sa password when you install SQL Server Desktop Engine (also known as MSDE 2000).

More Information

You must assign a strong password to the sa account during the installation of any instance of SQL Server 2000 Desktop Engine (MSDE 2000). You must do this even if the instance is using Windows Authentication Mode. The sa account cannot be used by any user when running in Windows Authentication Mode; however, the instance can later be switched to Mixed Mode, and the sa account becomes an active login.

If the sa account has a null, blank, simple, or well-known password when an instance of MSDE 2000 is switched to Mixed Mode, the MSDE instance can then be accessed by unauthorized users. The sa account cannot be dropped, and it must always be protected with a strong password to help restrict unauthorized access. Any user who gains access to an instance of MSDE 2000 by using the sa account might gain full control of that instance of MSDE and the ability to access any resources that the MSDE service account has. By default, the MSDE service account is the LocalSystem built-in security account.

For more information about strong passwords, visit the following Microsoft Web site:

Security Rules

You can use custom application code to install MSDE. The application code must use one of the following two methods for setting the sa password:
  • If the user is going to set up MSDE in Mixed Mode, and is going to use the sa account, request a strong password for the sa account from the user. Use that password in the MSDE setup.
  • If the sa account is not used, generate a random string, and then pass that string as the sa password to the MSDE setup.

To help improve security, you should not hard-code the sa password assigned at setup as a parameter in a Setup.ini file, or as a command prompt switch in a command (.cmd) file, or include it as a property in an MSI file, or in any other way that can expose the password as plain text. The password should be dynamically generated by an application setup program at run time, and it should be passed to the MSDE setup process in one of the following ways:
  • Run the MSDE setup.exe from the application setup code, and specify a SAPWD value in the arguments.

    For example, run the setup by using the .NET Framework Process class, and then specify SAPWD in the ProcessStartInfo Arguments property, or run the setup by using the Win32 CreateProcess function, and then specify SAPWD in the lpCommandLine parameter.

    For more information about the SAPWD command line parameter, click the following article number to view the article in the Microsoft Knowledge Base:

    810826 New switches in MSDE Service Pack 2 Setup

  • Perform a custom action to pass a strong password when you use the MSDE merge modules in a custom Windows Installer-based setup.

Note You cannot set a password for the sa account during the MSDE 2000 setup by using Windows Authentication Mode. In this scenario, you must set the password after the setup completes. Microsoft strongly recommends that you use the latest service pack to install MSDE 2000.

If you are using native code, the method that Microsoft recommends for generating a random password is to use Crypto API functions such as:
  • CryptAcquireContext
  • CryptGenRandom
  • CryptCreateHash
  • CryptHashData
  • CryptReleaseContext

If you are using managed code, use System.Security.Cryptography.RNGCryptoServiceProvider to obtain a random encoded string, and then hash the value that is returned by using the ComputeHash method of the System.Security.Cryptography.SHA1 class. The random string must be of variable length, between 7 and 20 characters.
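The managed-code recipe above, ported to Python as an added example (this is not the article's own C# sample): the seed comes from the OS cryptographic RNG, is hashed with SHA-1 and Base64-encoded with the padding trimmed, and is then cut to a random length in the 7 to 20 character range the article requires. The list of well-known values, the acceptance check and the argument-line builder are assumptions added here to show the password being validated and passed at run time rather than stored in setup.ini.

```python
import base64
import hashlib
import secrets

# Constructed list of "simple or well-known" values to refuse (assumed; the
# article names no specific values beyond null and blank).
WELL_KNOWN = {"", "sa", "password", "admin", "administrator", "sysadmin"}

MIN_LEN, MAX_LEN = 7, 20  # length range the article requires for the generated string


def generate_sa_password(seed_bytes: int = 512) -> str:
    """CSPRNG seed -> SHA-1 -> Base64 (padding trimmed) -> random length 7..20."""
    seed = secrets.token_bytes(seed_bytes)            # like RNGCryptoServiceProvider.GetBytes
    digest = hashlib.sha1(seed).digest()              # like SHA1.ComputeHash
    encoded = base64.b64encode(digest).decode("ascii").rstrip("=")  # 27 chars
    length = MIN_LEN + secrets.randbelow(MAX_LEN - MIN_LEN + 1)     # 7..20 inclusive
    return encoded[:length]


def is_acceptable_sa_password(pwd: str) -> bool:
    """Reject the null, blank, simple and well-known cases the article warns about."""
    if pwd is None or pwd.strip() == "":
        return False
    if pwd.lower() in WELL_KNOWN:
        return False
    if any(ch.isspace() or ch == '"' for ch in pwd):  # would break the argument line
        return False
    return MIN_LEN <= len(pwd) <= MAX_LEN


def build_setup_arguments(ini_path: str, sa_password: str) -> str:
    """Same argument line the article's C# sample hands to MSDE setup.exe.

    The password exists only in memory and on this command line; it is never
    written into setup.ini, a .cmd file or an MSI property.
    """
    if not is_acceptable_sa_password(sa_password):
        raise ValueError("refusing to install MSDE with a weak sa password")
    return f'/settings "{ini_path}" SAPWD={sa_password} /qr+'
```

The 7-character lower bound the article allows yields only about 42 bits from the Base64 alphabet; if the range is under your control, keep MIN_LEN close to 20.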

If you forget the sa password, or you do not know what the sa password is, and the instance is converted to Mixed Mode, a member of the sysadmin fixed server role can reset the sa password without knowing the previous password. By default, all users who are members of the local Administrators group are members of the sysadmin role. The members of the sysadmin role can change an MSDE instance from Windows Authentication Mode to Mixed Mode or vice versa, and can change the sa password. Hence, for security reasons, you may want to remove the Administrators group from the sysadmin role.

For more information about how the Administrators group can be removed from the sysadmin role, click the following article number to view the article in the Microsoft Knowledge Base:

263712 How to impede Windows NT administrators from administering a clustered instance of SQL Server

For more information about changing the password for the sa account, click the following article number to view the article in the Microsoft Knowledge Base:

322336 How to verify and change the system administrator password in MSDE or SQL Server 2005 Express Edition

Note The methods for changing the sa password during installation listed in this article only apply to new installations of MSDE.

The following steps use sample source code to generate a random sa password, and then start an MSDE installation.

Using Microsoft Visual C++ .NET

Using Microsoft C#.NET

  1. In Visual Studio .NET, create a new Visual C# Console Application project.
  2. Paste the following code in the class file that contains the Main function.

    Verify that the code replaces all the existing code in the file:
    using System;
    using System.Diagnostics;
    using System.Security.Cryptography;

    class InstMSDE
    {
        static void Main(string[] args)
        {
            try
            {
                // Generate a random password: 512 bytes from the cryptographic RNG,
                // hashed with SHA-1 and Base64-encoded to obtain a printable string.
                RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
                byte[] encodedSeed = new byte[512];
                rng.GetBytes(encodedSeed);
                SHA1 sha1 = SHA1.Create();
                byte[] hashval = sha1.ComputeHash(encodedSeed);
                String base64HashVal = Convert.ToBase64String(hashval);
                // Trim the "=" padding off the end.
                base64HashVal = base64HashVal.TrimEnd('=');

                string msdeINI = "setup.ini";

                // You have to set the startInfo parameter values as appropriate for your installation.
                ProcessStartInfo startInfo = new ProcessStartInfo();

                // Setup.exe for MSDE SP3.
                startInfo.FileName = "setup.exe";

                // Pass the sa password to the setup program on the command line only;
                // it is never written to setup.ini.
                startInfo.Arguments = "/settings \"" + msdeINI + "\"" + " SAPWD=" + base64HashVal + " /qr+ ";
                startInfo.WindowStyle = ProcessWindowStyle.Normal;
                // Substitute the working directory with the complete path of the installation folder.
                startInfo.WorkingDirectory = "c:\\Workingdir";

                Process.Start(startInfo);
            }
            catch (Exception e)
            {
                Console.WriteLine("Unable to execute program due to the following error: " + e.Message);
                return;
            }
        }
    }
  3. Press F5 to compile, and then run the program.

References

For more information about how to embed MSDE in a custom application setup, visit the following Microsoft Web site:
Properties

Article ID: 814463 - Last updated: June 20, 2014 - Revision: 1