Re: Tumbleweed Worldsecure (MMS) BLANK '

[Neil Pike <NeilPike () COMPUSERVE COM>]

Russ,

 By default SQL 7 goes into "mixed mode".  This means it accepts NT auth or
non-NT auth.  If you use a non-NT auto-authed net-lib protocol and don't
demand a "trusted" connection - e.g. use the tcp-ip sockets net-lib - then
you can get in as "sa" and no password.
 
 MSDE is just the "cut-down" run-time engine of SQL Server and so has the
same issue.
 
 The "issue" can be resolved by correct manual setup or correct setting of
the unattend .iss file for MSDE by the vendors.

 The install wasn't botched by the user as the Tumbleweed vendors install
MSDE automatically/silently and give you no chance to change the install
type/password.  In fact their docs hardly mention the fact that they're
installing it, let alone saying anything about install options, changing
the password etc.
 
> The part that confuses me about this Tumbleweed vulnerability, and the
part
> I asked "__nt__ () ANONYMOUS TO" (who originally posted this message) and
never
> got answered, was that SQL 7.0 by default assumes you will be using NTLM
for
> SQL Authentication. As such, no SA account is to be used. When configured
> like this the client performs the normal c/r with the SQL box and, if
> authenticated, is allowed access.
>
> Does the stripped down version of SQL 7.0 that Tumbleweed implemented use
> the same authentication basis? Was the installation performed by
> "__nt__ () ANONYMOUS TO" botched by telling it to use normal SA
authentication
> instead?
>
> Cheers,
> Russ - NTBugtraq Editor

 Neil Pike MVP/MCSE
 Protech Computing Ltd