SQL Server 7.0 Linked Passwords

Blake Coverett reported a problem with linked SQL Server 7.0 systems. According to Blake's initial report, "If the remote linked server is running SQL Server 7.0, security credentials can be passed through correctly in some manner. If the remote server is not SQL Server 7.0 (for example, SQL Server 6.5), linked logins must be set to map local logins to the login name and password to be used on the remote server. These linked logins and passwords are stored in the master.sysxlogins table. The passwords are encrypted with a new, undocumented, built-in function called encrypt() before being stored in the password attribute of this table." The problem is that the encryption is very weak and intruders can crack it with relative ease; cracking requires no reverse engineering of the algorithm to succeed. Microsoft is aware of the problem but has issued no response as of press time. For more information, see http://www.ntsecurity.net/go/load.asp?id=/security/sql7-1.htm.
