Security Vulnerability - SQL Logins With Blank or NULL Passwords Detected

After running a vulnerability scan this is the only item I cannot fix. Upon installing SQL Server 2008 R2, according to Microsoft there are six 'Principals' or Certificate-Based SQL Server Logins: The following principals are created from certificates when SQL Server is installed, and should not be deleted.

##MS_SQLResourceSigningCertificate##
##MS_SQLReplicationSigningCertificate##
##MS_SQLAuthenticatorCertificate##
##MS_AgentSigningCertificate##
##MS_PolicyEventProcessingLogin##
##MS_PolicySigningCertificate##
##MS_PolicyTsqlExecutionLogin##

All of these logins have a password of null. These logins can be seen in the master database sys.syslogins table.

These findings pose a problem with our customer and I truly don't know how to fix this. I've spent the last four days trying to figure it out and so far I can't. It may be helpful if I knew what checked this and why the result was considered a vulnerability. I understand that I can run a query to return all of the logins which have a null password; but what criteria makes this a vulnerability? I thought that these types of logins were used only internally and posed no security issue. Any help would be greatly appreciated. I am really stumped.

asked May 10, 2013 at 01:33 PM in Default

pepper7


1 answer

A similar discussion here.

All you can do is convince the customer that the vulnerability tool is wrong in its conclusions - these are internal accounts.

Alternatively get the vulnerability tool provider (which tool are you using?) to comment.

answered May 13, 2013 at 08:34 AM

Kev Riley

Kev, Thank you for your response. The tool I'm using is eEye Retina.

May 13, 2013 at 02:04 PM pepper7
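One way to reproduce the scanner's likely check and then refine it so that certificate-mapped principals are separated from genuinely weak SQL logins, added here as an example and not part of the original question or answer. It assumes a sysadmin connection to the SQL Server 2008 R2 instance in the question (password_hash reads as NULL to anyone without CONTROL SERVER, so a less privileged run flags nothing), and the login name in the last step is hypothetical.

```sql
-- 1. What a naive "blank or NULL password" check sees: every row in the
--    compatibility view sys.syslogins whose password column is NULL.
--    Windows logins and certificate/key-mapped logins always show NULL here
--    because they have no SQL password at all, which is why the
--    ##MS_...## certificate principals from the question turn up.
SELECT l.name,
       l.isntname,        -- 1 = Windows principal
       p.type_desc        -- CERTIFICATE_MAPPED_LOGIN, SQL_LOGIN, WINDOWS_LOGIN, ...
FROM master.sys.syslogins AS l
JOIN sys.server_principals AS p ON p.sid = l.sid
WHERE l.password IS NULL
ORDER BY p.type_desc, l.name;

-- 2. The check that actually measures risk: SQL-authenticated logins whose
--    stored hash matches the empty string. PWDCOMPARE returns 1 on a match.
--    sys.sql_logins only contains SQL logins (type 'S'), so certificate-mapped
--    principals cannot be flagged by this query. is_disabled is included
--    because a disabled login is not usable for authentication.
SELECT sl.name,
       sl.is_disabled,
       sl.is_policy_checked
FROM sys.sql_logins AS sl
WHERE PWDCOMPARE('', sl.password_hash) = 1
ORDER BY sl.name;

-- 3. Remediation when query 2 does return a genuinely blank SQL login
--    (hypothetical login name; commented out so the script is read-only).
-- ALTER LOGIN [legacy_app] DISABLE;
-- ALTER LOGIN [legacy_app] WITH PASSWORD = N'<strong password here>',
--     CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

If query 1 lists the certificate principals but query 2 returns nothing, the finding is a false positive of the tool's "password IS NULL" heuristic, which is the evidence to hand the customer or the scanner vendor.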

Last Updated: May 14, 2013 at 02:57 PM

Copyright 2017 Redgate Software. Privacy Policy