DOCUMENT:Q235179 10-MAY-2000 [sms] TITLE :Licsvcfg.log Exposes the SQL SA Account Password PRODUCT :Microsoft Systems Management Server PROD/VER:winnt:2.0 OPER/SYS: KEYWORDS:kbsms200 kbsms200bug ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Systems Management Server version 2.0 ------------------------------------------------------------------------------- SYMPTOMS ======== When logging is enabled for a Systems Management Server (SMS) site, the Licsvcfg.log file reveals the password that SMS uses to connect to SQL Server. If SQL is configured to use standard security and SMS is configured to use the default SA account to access SQL, the SQL security may be compromised. CAUSE ===== SMS logging is used to help administrators monitor the flow of information through the SMS system. As a part of typical processing, SMS makes frequent connections to the SQL server to access the SMS database(s). WORKAROUND ========== To avoid this issue, do not enable logging for the SMS site servers. If you must enable logging for troubleshooting purposes, disable it as soon as possible. In addition, do not use the standard SA account with SMS; specify a different account or use integrated security. If integrated security is enabled, be aware that the password for the Microsoft Windows NT account used by SMS may be revealed in the Licsvcfg.log file. If License Metering logging is enabled, make sure to limit physical access to the server that is hosting the License Metering log file. STATUS ====== Microsoft has confirmed this to be a problem in SMS version 2.0. This problem has been corrected in the latest U.S. service pack for SMS version 2.0. For information on obtaining the service pack, query on the following word in the Microsoft Knowledge Base (without the spaces): S E R V P A C K MORE INFORMATION ================ This issue is fixed in Service Pack 1 for SMS 2.0. Additional query words: prodsms ====================================================================== Keywords : kbsms200 kbsms200bug Technology : kbSMSSearch kbSMS200 Version : winnt:2.0 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2000.