I think that would depend on whether the SQL Server is located on the same 
physical computer as the software in question that wants to store an account 
password.  If it's the same computer then you are correct - in fact that 
thought had already crossed my mind.  The one remaining issue I can think of is 
that the user's password is still compromised in a way that it wouldn't be 
otherwise.  Windows, and I'm sure SQL Server, use one-way hash functions so 
that, even if the "password file" is stolen, significant effort must be 
expended to determine what the passwords are if the quality of the passwords is 
good.  If the administrator is using the same password for everything then 
there could be a problem: it might allow an attacker to further infiltrate the 
network.  If the password was only used for that one account then it's a 
non-issue.

I think that the "save password" concept really gets scary if the SQL Server is 
located on a different computer.  For example, suppose the app uses the "sa" 
password to create the database on a remote server.  But for security reasons 
the app should not use the "sa" account for day-to-day use, and so the "sa" 
password is never used again except for uninstall and is saved in the registry 
somehow as has been discussed.  In that case, if the client computer is 
compromised, this "saved password" registry key.  I.e. the attacker pulls the 
hard drive from the client computer, reads the key associated with the SYSTEM 
context somehow, and then decrypts the password.  Now he's gained access to the 
server that he did not previously have. 
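
One way to get the property Edwin describes below (a key bound to the machine rather than shipped inside the MSI) is Windows DPAPI in LocalMachine scope; this is an added PowerShell example, not code from the thread or from WiX, and the registry path and the SQLPASSWORD environment variable are placeholders. It keeps the residual risk raised above: any process on the same machine, and anyone who recovers that machine's DPAPI keys offline, can still unprotect the blob.

```powershell
# Added example: protect the installer-saved SQL password with DPAPI
# (LocalMachine scope) instead of a key that ships in the MSI. The blob only
# unprotects on the machine whose DPAPI master key produced it; anything
# running on that machine can still read it. Path/value names are placeholders.
Add-Type -AssemblyName System.Security

$regPath   = 'HKLM:\SOFTWARE\xyz\abc'   # placeholder key, as in the thread
$valueName = 'SQLPwd'

function Protect-SqlPassword {
    param([Parameter(Mandatory)][string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # Optional entropy adds nothing if it would ship in the MSI, so none is used.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null,
        [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    # Wipe the plaintext copy once the blob exists.
    [Array]::Clear($bytes, 0, $bytes.Length)
    return ,$blob   # leading comma keeps the byte[] from being unrolled
}

function Unprotect-SqlPassword {
    param([Parameter(Mandatory)][byte[]]$Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $null,
        [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Install time: store the blob as REG_BINARY, not a readable REG_SZ. Needs
# an elevated session because the key lives under HKLM.
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
$blob = Protect-SqlPassword -PlainText $env:SQLPASSWORD   # supplied by the installer
Set-ItemProperty -Path $regPath -Name $valueName -Value $blob -Type Binary

# Uninstall time: read back on the same machine. Fails on any other machine.
$stored    = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
$recovered = Unprotect-SqlPassword -Blob $stored
```

Because the value is machine-scoped, cloning the registry hive to another box does not yield the password, but an image of this machine's disk still carries everything needed to unprotect it.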

-----Original Message-----
From: Castro, Edwin G. (Hillsboro) [mailto:edwin.cas...@fiserv.com] 
Sent: Wednesday, February 16, 2011 18:33
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Encrypt and store the SQL sa password in the windows 
registry

That all depends on what key you use to encrypt the data. If the key is 
associated with the SYSTEM context then only the SYSTEM context will be able to 
decrypt the data. If an attacker already has access to the SYSTEM context then 
it's already Game Over.

Edwin G. Castro
Software Developer - Staff
Electronic Banking Services
Fiserv
Office: 503-746-0643
Fax: 503-617-0291
www.fiserv.com
Please consider the environment before printing this e-mail

> -----Original Message-----
> From: James Johnston [mailto:johnst...@inn-soft.com]
> Sent: Wednesday, February 16, 2011 8:19 AM
> To: 'General discussion for Windows Installer XML toolset.'
> Subject: Re: [WiX-users] Encrypt and store the SQL sa password in the 
> windows registry
> 
> Isn't storing the administrator password for a server in the registry 
> a terrible idea?  This is setting off all kinds of alarm bells in my mind...
> Even if you "encrypt" it, I would think it would still be easy enough 
> to recover the plaintext just by finding the key in the MSI file and 
> then decrypting.  I don't see how it offers any real security beyond 
> shielding from casual prying eyes.  I would think an installer that 
> does this without telling could easily trap the unwary system administrator 
> who wants to run a tight ship...
> 
> -----Original Message-----
> From: Rob Mensching [mailto:r...@robmensching.com]
> Sent: Wednesday, February 16, 2011 15:35
> To: General discussion for Windows Installer XML toolset.
> Subject: Re: [WiX-users] Encrypt and store the SQL sa password in the 
> windows registry
> 
> Not today but it would be a great custom action to have.
> 
> On Tue, Feb 15, 2011 at 2:40 PM, Thai-Hoa Nguyen
> <taiwa...@hotmail.com>wrote:
> 
> >
> >
> > Hello
> >
> > I'm currently storing the SQL sa password so the database can be 
> > uninstalled later.
> >
> > <RegistryValue Root='HKLM' Key='SOFTWARE\xyz\abc' Name='SQLPwd'
> > Value='[SQLPASSWORD]' Type='string' />
> >
> >
> > <Property Id="SQLPASSWORD" Value="password"> <RegistrySearch 
> > Id='SqlPwdReg' Key='SOFTWARE\xyz\abc' Name='SQLPwd'
> > Root='HKLM' Type='raw'/>
> > </Property>
> >
> > Is there a quick and easy way to encrypt and decrypt the password in Wix?
> >
> > Thank you.
> >
> > --------------------------------------------------------------------
> > --
> > -------- The ultimate all-in-one performance toolkit: Intel(R) 
> > Parallel Studio XE:
> > Pinpoint memory and threading errors before they happen.
> > Find and fix more than 250 security defects in the development cycle.
> > Locate bottlenecks in serial and parallel code that limit performance.
> > http://p.sf.net/sfu/intel-dev2devfeb
> > _______________________________________________
> > WiX-users mailing list
> > WiX-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/wix-users
> >
> >
> 
> 
> --
> virtually, Rob Mensching - http://RobMensching.com LLC
> 
> 

