SQL Server 2005 Installation Log File Security Vulnerabilities
By: Jeremy Kadlec | Updated: 2007-01-09
Where can I find the SQL Server 2005 installation log files to ensure no sensitive data, specifically clear text passwords, are stored in these files? I can remember from earlier versions of SQL Server that sensitive data, specifically clear text passwords, were stored in the installation and service pack log files. Is this the case with the SQL Server 2005 installation?
During the SQL Server 2005 installation process the summary log is displayed on the final screen of the installation providing access to the first level of the installation logs. See the screen shot below as a point of reference.
On the top left of the screen is the link to the summary log. This file is typically located at C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\LOG\Summary.txt. It outlines each portion of the installation that was completed and references additional SQL Server 2005 installation log files. See below as a point of reference.
Microsoft SQL Server 2005 9.00.1399.06
OS Version : Microsoft Windows XP Professional Service Pack 2 (Build 2600)
Time : Tue Jan 09 05:33:48 2007
MachineName : Microsoft Internet Information Services (IIS) is either not installed or is disabled. IIS is required by some SQL Server features. Without IIS, some SQL Server features will not be available for installation. To install all SQL Server features, install IIS from Add or Remove Programs in Control Panel or enable the IIS service through the Control Panel if it is already installed, and then run SQL Server Setup again. For a list of features that depend on IIS, see Features Supported by Editions of SQL Server in Books Online.
Machine : MachineName
Product : Microsoft SQL Server Setup Support Files (English)
Product Version : 9.00.1399.06
Install : Successful
Log File : C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\LOG\Files\SQLSetup0002_JTKLAPTOP_SQLSupport_1.log
Machine : MachineName
Product : Microsoft SQL Server Native Client
Product Version : 9.00.1399.06
Install : Successful
Log File : C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\LOG\Files\SQLSetup0002_JTKLAPTOP_SQLNCLI_1.log
As far as confidential information is concerned, the summary log (Summary.txt) should be considered a minimal threat. This file has information on the installation start and stop time, installed components, machine name, product, version and detailed log files. Although this file differs slightly based on the selected installation components, it does not have any user names, passwords, service accounts, ports, etc. What this file does have is references to the detailed files, which will be reviewed next.
As far as the detailed information is concerned, these files are stored by default at C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\LOG\Files\. Depending on the components that are installed, you may have 30 or more files, so do not be alarmed by the number of files because some of the components have multiple log files.
When it comes to clear text passwords being stored in the detailed log files, it appears as if the sa password validation and confirmation are logged, but the actual password is never stored in clear text during the database services installation. As an example, the files listed below reference the usage of the sa password:
In the files listed above, the sa password is referenced in the following ways:
Action start 5:47:32: SAPasswordPolicyCheck.D20239D7_E87C_40C9_9837_E70B8D4882C2.
<EndFunc Name='SetCAContext' Return='T' GetLastError='203'>
Doing Action: SAPasswordPolicyCheck
PerfTime Start: SAPasswordPolicyCheck : Tue Jan 09 05:47:32 2007
<EndFunc Name='CheckSAPwdPolicy' Return='0' GetLastError='203'>
<EndFunc Name='SAPasswordPolicyCheck' Return='0' GetLastError='203'>
PerfTime Stop: SAPasswordPolicyCheck : Tue Jan 09 05:47:32 2007
<EndFunc Name='LaunchFunction' Return='0' GetLastError='203'>
MSI (s) (28:6C) [05:47:32:437]: Skipping action: ValidateUpgrade.D20239D7_E87C_40C9_9837_E70B8D4882C2 (condition is false)
MSI (s) (28:6C) [05:47:32:437]: Doing action: Validate_RSCatalog.D20239D7_E87C_40C9_9837_E70B8D4882C2
Action ended 5:47:32: SAPasswordPolicyCheck.D20239D7_E87C_40C9_9837_E70B8D4882C2. Return value 1.
Property(S): Authentication_DlgText = Select the authentication mode to use for this installation.
Property(S): Authentication_DlgTitle = Authentication Mode
Property(S): Authentication_EnterPWText = &Enter password:
Property(S): Authentication_saPasswordText = Specify the sa logon password below:
Property(S): Authentication_SQL = &Mixed Mode (Windows Authentication and SQL Server Authentication)
Property(S): Authentication_Windows = &Windows Authentication Mode
Action 5:36:59: AuthenticationDlg. Dialog created
MSI (c) (7C:68) [05:37:02:343]: PROPERTY CHANGE: Modifying _AuthenticationType property. Its current value is 'Windows'. Its new value: 'SQL'.
MSI (c) (7C:68) [05:37:16:656]: PROPERTY CHANGE: Adding _saPassword property. Its value is '**********'.
MSI (c) (7C:68) [05:37:20:687]: PROPERTY CHANGE: Adding _saConfirm property. Its value is '**********'.
MSI (c) (7C:68) [05:37:20:812]: Doing action: NextAuthentication
Action 5:37:20: NextAuthentication. NextAuthentication
Action start 5:37:20: NextAuthentication.
After reviewing the SQL Server 2005 installation log files, it appears as if temporary files are referenced. Do these local files have clear text passwords? The files located at C:\DOCUME~1\ProfileName\LOCALS~1\Temp\*.tmp appear to be cleaned up after the installation process and do not appear to pose any additional vulnerability because they do not appear to have the passwords in clear text.
The bottom line is that, based on the research conducted for this tip, clear text passwords are not stored during the installation. Even so, with every service pack and patch it is worth your time to validate that the sa password is not mistakenly left in clear text in a file on the operating system.
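One way to automate that validation is sketched below as an added example; it is not code from the original tip or from Microsoft. It parses the MSI "PROPERTY CHANGE" and "Property(S)" line formats shown above and reports any password-named property whose value is not fully masked with asterisks. The name fragments used to recognize secrets and dialog captions, and the two unmasked sample lines, are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Default detailed-log directory named in the article.
LOG_DIR = Path(r"C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\LOG\Files")
# MSI "PROPERTY CHANGE: Adding <name> property. Its value is '<value>'." lines.
CHANGE = re.compile(r"PROPERTY CHANGE: (?:Adding|Modifying) (\S+) property\.(.*)")
# "Property(S): <name> = <value>" lines from the property dump.
DUMP = re.compile(r"Property\([SC]\): (\S+) = (.*)")
# Assumption: secret-bearing property names contain one of these fragments.
SECRET = re.compile(r"passw|pwd|saconfirm", re.I)
# Assumption: properties ending in Text/Title are dialog captions, not secrets.
LABEL = re.compile(r"(?:Text|Title)$")

# Constructed sample: lines 1-3 follow the article's excerpts, 4-5 are invented leaks.
SAMPLE = """\
MSI (c) (7C:68) [05:37:02:343]: PROPERTY CHANGE: Modifying _AuthenticationType property. Its current value is 'Windows'. Its new value: 'SQL'.
MSI (c) (7C:68) [05:37:16:656]: PROPERTY CHANGE: Adding _saPassword property. Its value is '**********'.
Property(S): Authentication_saPasswordText = Specify the sa logon password below:
MSI (c) (7C:68) [05:37:20:687]: PROPERTY CHANGE: Adding _saConfirm property. Its value is 'Constructed-Example-1'.
Property(S): _saPassword = Constructed-Example-1
"""

def decode(raw: bytes) -> str:
    # Installer logs may be UTF-16 with a BOM; otherwise assume the ANSI code page.
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("cp1252", errors="replace")

def scan_text(text):
    """Return (line_number, property_name) for each secret-named property whose
    value is not masked. The value itself is never returned or printed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CHANGE.search(line)
        if m:
            name, values = m.group(1), re.findall(r"'([^']*)'", m.group(2))
        else:
            m = DUMP.search(line)
            if not m:
                continue
            name, values = m.group(1), [m.group(2).strip()]
        if SECRET.search(name) and not LABEL.search(name) and any(v and set(v) != {"*"} for v in values):
            findings.append((no, name))
    return findings

def scan_dir(log_dir=LOG_DIR):
    """Scan every *.log in log_dir; return {file name: findings} for files with hits."""
    results = {p.name: scan_text(decode(p.read_bytes())) for p in sorted(Path(log_dir).glob("*.log"))}
    return {name: found for name, found in results.items() if found}
```

Run `scan_dir()` after each installation, service pack or hot fix; an empty result means no unmasked password-named property was found under these heuristics.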
- As a portion of your future SQL Server 2005 installations, review the installation log files to be sure the installation was successful and all of the components you expected were installed.
- Do not be alarmed by the detail in the log files nor that additional core components are installed.
- As a portion of the installation process consider copying the installation log files to a central location for future reference in case you have an issue with the SQL Server.
- Another consideration would be to run the MPS reports to gather additional detailed information on the status and configuration of the SQL Server following
- For more information on the SQL Server MPS reports, check out Free SQL Server Troubleshooting Tool from Microsoft.
- Finally, with security being a top priority for many DBAs and organizations, it is wise to be diligent about protecting this sensitive data and validating that none of these log files have clear text passwords stored in future versions of SQL Server whether they are hot fixes or service packs. Any time you enter a password in SQL Server or any application where elevated rights are needed, be sure to validate that the clear text passwords are not stored in the log files.