I completely agree with your assessment of the storage of the sa password. You 
should *NEVER* store a god/root password like that anywhere. I'm looking more 
closely at the thread subject and realize now that the question is specifically 
about the sa password. I would discourage this action. I would encourage the 
use of Windows Authentication and explicitly manage permissions on the SQL 
Server side of the world.

Saving encrypted identity credentials for a web application pool or Windows 
service might be more acceptable *IF* you follow appropriate procedures to make 
sure that identity has Least Privilege access to dependent services like 
databases. You always want to minimize the impact of a compromised account.

Edwin G. Castro
Software Developer - Staff
Electronic Banking Services
Fiserv
Office: 503-746-0643
Fax: 503-617-0291
www.fiserv.com
Please consider the environment before printing this e-mail

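The recommendation above (Windows Authentication plus explicitly managed permissions on the SQL Server side) worked through in T-SQL, as an added example that is not part of the thread. The service identity CONTOSO\svc_app and the database AppDb are constructed placeholder names; sp_addrolemember is used because it works on the SQL Server versions current when the thread was written.

```sql
-- Added example (not from the thread): give the application's Windows service
-- identity least-privilege access to its own database, so the installer and the
-- application never need to hold, store or encrypt the sa password at all.
-- CONTOSO\svc_app and AppDb are constructed placeholder names.
USE [master];
GO
-- Server-level login bound to the Windows identity; no SQL password exists to leak.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc_app')
    CREATE LOGIN [CONTOSO\svc_app] FROM WINDOWS;
GO
USE [AppDb];
GO
-- Database user mapped to that login; scoped to this one database only.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc_app')
    CREATE USER [CONTOSO\svc_app] FOR LOGIN [CONTOSO\svc_app];
GO
-- Data access only: no db_owner, no DDL, no server-level roles.
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\svc_app';
EXEC sp_addrolemember N'db_datawriter', N'CONTOSO\svc_app';
-- If the application calls stored procedures, grant EXECUTE on its schema
-- rather than widening the role membership.
GRANT EXECUTE ON SCHEMA::dbo TO [CONTOSO\svc_app];
GO
-- Verification: confirm the identity holds neither sysadmin nor db_owner,
-- i.e. that a compromise of the service account cannot reach the whole server.
SELECT IS_SRVROLEMEMBER('sysadmin', N'CONTOSO\svc_app') AS is_sysadmin;
SELECT IS_ROLEMEMBER('db_owner', N'CONTOSO\svc_app')    AS is_db_owner;
GO
```

The application then connects with `Integrated Security=SSPI` in its connection string, so no credential is written to the registry or the MSI; database creation and removal are done by the person running the installer under their own Windows account.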

> -----Original Message-----
> From: James Johnston [mailto:johnst...@inn-soft.com]
> Sent: Wednesday, February 16, 2011 10:46 AM
> To: 'General discussion for Windows Installer XML toolset.'
> Subject: Re: [WiX-users] Encrypt and store the SQL sa password in the
> windows registry
> 
> I think that would depend on whether the SQL Server is located on the same
> physical computer as the software in question that wants to store an account
> password.  If it's the same computer then you are correct - in fact that
> thought had already crossed my mind.  The one remaining issue I can think of
> is that the user's password is still compromised in a way that it wouldn't be
> otherwise.  Windows and I'm sure SQL Server uses one-way hash functions
> so that, even if the "password file" is stolen, significant effort must be
> expended to determine what the passwords are if the quality of the
> passwords is good.  If the administrator is using the same password for
> everything then there could be a problem: it might allow an attacker to
> further infiltrate the network.  If the password was only used for that one
> account then it's a non-issue.
> 
> I think that the "save password" concept really gets scary if the SQL Server is
> located on a different computer.  For example, suppose the app uses the
> "sa" password to create the database on a remote server.  But for security
> reasons the app should not use the "sa" account for day-to-day use, and so
> the "sa" password is never used again except for uninstall and is saved in the
> registry somehow as has been discussed.  In that case, if the client computer
> is compromised, this "saved password" registry key.  I.e. the attacker pulls
> the hard drive from the client computer, reads the key associated with the
> SYSTEM context somehow, and then decrypts the password.  Now he's
> gained access to the server that he did not previously have.
> 
> -----Original Message-----
> From: Castro, Edwin G. (Hillsboro) [mailto:edwin.cas...@fiserv.com]
> Sent: Wednesday, February 16, 2011 18:33
> To: General discussion for Windows Installer XML toolset.
> Subject: Re: [WiX-users] Encrypt and store the SQL sa password in the
> windows registry
> 
> That all depends on what key you use to encrypt the data. If the key is
> associated with the SYSTEM context then only the SYSTEM context will be
> able to decrypt the data. If an attacker already has access to the SYSTEM
> context then it's already Game Over.
> 
> Edwin G. Castro
> Software Developer - Staff
> Electronic Banking Services
> Fiserv
> Office: 503-746-0643
> Fax: 503-617-0291
> www.fiserv.com
> Please consider the environment before printing this e-mail
> 
> > -----Original Message-----
> > From: James Johnston [mailto:johnst...@inn-soft.com]
> > Sent: Wednesday, February 16, 2011 8:19 AM
> > To: 'General discussion for Windows Installer XML toolset.'
> > Subject: Re: [WiX-users] Encrypt and store the SQL sa password in the
> > windows registry
> >
> > Isn't storing the administrator password for a server in the registry
> > a terrible idea?  This is setting off all kinds of alarm bells in my mind...
> > Even if you "encrypt" it, I would think it would still be easy enough
> > to recover the plaintext just by finding the key in the MSI file and
> > then decrypting.  I don't see how it offers any real security beyond
> > shielding from casual prying eyes.  I would think an installer that
> > does this without telling could easily trap the unwary system administrator
> > who wants to run a tight ship...
> >
> > -----Original Message-----
> > From: Rob Mensching [mailto:r...@robmensching.com]
> > Sent: Wednesday, February 16, 2011 15:35
> > To: General discussion for Windows Installer XML toolset.
> > Subject: Re: [WiX-users] Encrypt and store the SQL sa password in the
> > windows registry
> >
> > Not today but it would be a great custom action to have.
> >
> > On Tue, Feb 15, 2011 at 2:40 PM, Thai-Hoa Nguyen
> > <taiwa...@hotmail.com> wrote:
> >
> > >
> > >
> > > Hello
> > >
> > > I'm currently storing the SQL sa password so the database can be
> > > uninstalled later.
> > >
> > > <RegistryValue Root='HKLM' Key='SOFTWARE\xyz\abc' Name='SQLPwd'
> > > Value='[SQLPASSWORD]' Type='string' />
> > >
> > >
> > > <Property Id="SQLPASSWORD" Value="password"> <RegistrySearch
> > > Id='SqlPwdReg' Key='SOFTWARE\xyz\abc' Name='SQLPwd'
> > > Root='HKLM' Type='raw'/>
> > > </Property>
> > >
> > > Is there a quick and easy way to encrypt and decrypt the password in Wix?
> > >
> > > Thank you.
> > >
> > > ------------------------------------------------------------------------------
> > > The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> > > Pinpoint memory and threading errors before they happen.
> > > Find and fix more than 250 security defects in the development cycle.
> > > Locate bottlenecks in serial and parallel code that limit performance.
> > > http://p.sf.net/sfu/intel-dev2devfeb
> > > _______________________________________________
> > > WiX-users mailing list
> > > WiX-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/wix-users
> > >
> > >
> >
> >
> > --
> > virtually, Rob Mensching - http://RobMensching.com LLC