pepper7 asked

Security Vulnerability - SQL Logins With Blank or NULL Passwords Detected

After running a vulnerability scan this is the only item I cannot fix. Upon installing SQL Server 2008 R2, according to Microsoft there are six 'Principals' or Certificate-Based SQL Server Logins:

The following principals are created from certificates when SQL Server is installed, and should not be deleted.

- ##MS_SQLResourceSigningCertificate##
- ##MS_SQLReplicationSigningCertificate##
- ##MS_SQLAuthenticatorCertificate##
- ##MS_AgentSigningCertificate##
- ##MS_PolicyEventProcessingLogin##
- ##MS_PolicySigningCertificate##
- ##MS_PolicyTsqlExecutionLogin##

All of these logins have a password of null. These logins can be seen in the master database sys.syslogins table. These findings pose a problem with our customer and I truly don't know how to fix this. I've spent the last four days trying to figure it out and so far I can't.

It may be helpful if I knew what checked this and why the result was considered a vulnerability. I understand that I can run a query to return all of the logins which have a null password; but what criteria makes this a vulnerability? I thought that these types of logins were used only internally and posed no security issue.

Any help would be greatly appreciated. I am really stumped.

1 Answer

Kev Riley answered
A similar discussion [here][1]. All you can do is convince the customer that the vulnerability tool is wrong in its conclusions - these are internal accounts. Alternatively get the vulnerability tool provider (which tool are you using?) to comment.

[1]: http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/c2452e9b-f326-41dc-8e6f-caa25aee3542
1 comment

pepper7 commented
Kev, Thank you for your response. The tool I'm using is eEye Retina.
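An added example, not part of the original thread: a query that classifies every server login by type, so a "NULL password" finding taken from sys.syslogins can be checked against what each login actually is. It uses the catalog views sys.server_principals and sys.sql_logins and the built-in PWDCOMPARE function; it assumes the caller has enough permission to read password hashes (for example, sysadmin).

```sql
-- Added example: triage a "blank or NULL password" scanner finding.
-- sys.syslogins shows a NULL password for any login that is not
-- SQL-authenticated, so NULL there does not by itself mean "blank password".
SELECT
    sp.name,
    sp.type_desc,          -- SQL_LOGIN, CERTIFICATE_MAPPED_LOGIN, WINDOWS_LOGIN, ...
    sp.is_disabled,
    CASE
        WHEN sp.type IN ('C', 'K')
            THEN 'Mapped to certificate/asymmetric key: has no password, cannot be used to connect'
        WHEN sp.type IN ('U', 'G')
            THEN 'Windows authentication: no password stored in SQL Server'
        WHEN sl.password_hash IS NULL
            THEN 'SQL login with no password hash: investigate'
        WHEN PWDCOMPARE('', sl.password_hash) = 1
            THEN 'SQL login with a BLANK password: set a strong password or disable'
        ELSE 'SQL login with a non-blank password'
    END AS finding,
    sl.is_policy_checked,      -- NULL for non-SQL logins
    sl.is_expiration_checked   -- NULL for non-SQL logins
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins AS sl
       ON sl.principal_id = sp.principal_id
WHERE sp.type IN ('S', 'U', 'G', 'C', 'K')   -- logins only, not server roles
ORDER BY sp.type_desc, sp.name;
```

The type_desc, is_disabled and finding columns for the ##MS_...## rows give the per-login evidence to hand to the customer or the scanner vendor.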