COMMAND

Data Transformation Service (DTS)

SYSTEMS AFFECTED

Microsoft SQL Server 7.0

PROBLEM

The following is based on a Microsoft Security Bulletin. Data Transformation Service (DTS) packages in SQL Server 7.0 allow database administrators to create a package that will perform a particular database action at regular intervals. As part of the creation of a DTS package, the administrator provides the account name and password under which the action should be taken. However, the password can be retrieved by programmatically interrogating the package's Properties dialogue.

The vulnerability could only occur if several best practices have not been followed:

- The creator of the DTS package chose to supply a username and password instead of using Windows Authentication.
- The DTS package was created without restricting who can edit it.
- The SQL Server administrator allowed Guest access to the SQL Server MSDB database.
- A SQL Server is registered under Enterprise Manager using a username and password instead of using Windows Authentication.

On July 11, 2000, Microsoft updated their bulletin to reflect a similar issue with the Enterprise Manager Server registration dialog. A new version of the patch is available to remedy all symptoms related to this vulnerability.

SOLUTION

Patch availability:

- Intel: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21905
- Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21906
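An audit sketch for the msdb-related conditions listed under PROBLEM, added here as an example and not taken from the bulletin. It assumes the msdb system tables sysusers and sysdtspackages and the column names shown; it reports who can reach msdb and which packages are stored there, while the authentication mode and owner password of each package still have to be checked in the package's own properties.

```sql
-- Added example, not from the Microsoft bulletin.
-- Assumption: run as a sysadmin against the server being reviewed;
-- table and column names are those of the msdb system catalog.
USE msdb
GO

-- Condition: Guest access to msdb.
-- A returned row means the guest user is enabled in msdb, so any login
-- without its own msdb user can still enter the database.
SELECT name, uid, hasdbaccess
FROM   sysusers
WHERE  name = 'guest'
  AND  hasdbaccess = 1
GO

-- Every other principal that can enter msdb, split by account type,
-- to review who is able to open locally stored packages.
SELECT   name, isntname, issqluser
FROM     sysusers
WHERE    hasdbaccess = 1
  AND    islogin = 1
ORDER BY name
GO

-- DTS packages stored in msdb, one row per package: owner, number of
-- saved versions and the date of the most recent save. Each listed
-- package should be opened and checked for an embedded SQL login
-- (first condition) and for a missing owner password (second condition).
SELECT   name,
         owner,
         COUNT(*)        AS saved_versions,
         MAX(createdate) AS last_saved
FROM     sysdtspackages
GROUP BY name, owner
ORDER BY name
GO
```

Packages saved to files or to the Repository do not appear in sysdtspackages and need a separate review.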