I think that would depend on whether the SQL Server is located on the same physical computer as the software in question that wants to store an account password. If it's the same computer then you are correct - in fact that thought had already crossed my mind. The one remaining issue I can think of is that the user's password is still compromised in a way that it wouldn't be otherwise. Windows and I'm sure SQL Server uses one-way hash functions so that, even if the "password file" is stolen, significant effort must be expended to determine what the passwords are if the quality of the passwords is good. If the administrator is using the same password for everything then there could be a problem: it might allow an attacker to further infiltrate the network. If the password was only used for that one account then it's a non-issue.
I think that the "save password" concept really gets scary if the SQL Server is located on a different computer. For example, suppose the app uses the "sa" password to create the database on a remote server. But for security reasons the app should not use the "sa" account for day-to-day use, and so the "sa" password is never used again except for uninstall and is saved in the registry somehow as has been discussed. In that case, if the client computer is compromised, this "saved password" registry key. I.e. the attacker pulls the hard drive from the client computer, reads the key associated with the SYSTEM context somehow, and then decrypts the password. Now he's gained access to the server that he did not previously have.

-----Original Message-----
From: Castro, Edwin G. (Hillsboro) [mailto:edwin.cas...@fiserv.com]
Sent: Wednesday, February 16, 2011 18:33
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Encrypt and store the SQL sa password in the windows registry

That all depends on what key you use to encrypt the data. If the key is associated with the SYSTEM context then only the SYSTEM context will be able to decrypt the data. If an attacker already has access to the SYSTEM context then it's already Game Over.

Edwin G. Castro
Software Developer - Staff
Electronic Banking Services
Fiserv
Office: 503-746-0643
Fax: 503-617-0291
www.fiserv.com

> -----Original Message-----
> From: James Johnston [mailto:johnst...@inn-soft.com]
> Sent: Wednesday, February 16, 2011 8:19 AM
> To: 'General discussion for Windows Installer XML toolset.'
> Subject: Re: [WiX-users] Encrypt and store the SQL sa password in the windows registry
>
> Isn't storing the administrator password for a server in the registry a terrible idea? This is setting off all kinds of alarm bells in my mind...
> Even if you "encrypt" it, I would think it would still be easy enough to recover the plaintext just by finding the key in the MSI file and then decrypting. I don't see how it offers any real security beyond shielding from casual prying eyes. I would think an installer that does this without telling could easily trap the unwary system administrator who wants to run a tight ship...
>
> -----Original Message-----
> From: Rob Mensching [mailto:r...@robmensching.com]
> Sent: Wednesday, February 16, 2011 15:35
> To: General discussion for Windows Installer XML toolset.
> Subject: Re: [WiX-users] Encrypt and store the SQL sa password in the windows registry
>
> Not today but it would be a great custom action to have.
>
> On Tue, Feb 15, 2011 at 2:40 PM, Thai-Hoa Nguyen <taiwa...@hotmail.com> wrote:
> >
> > Hello
> >
> > I'm currently storing the SQL sa password so the database can be uninstalled later.
> >
> > <RegistryValue Root='HKLM' Key='SOFTWARE\xyz\abc' Name='SQLPwd'
> >                Value='[SQLPASSWORD]' Type='string' />
> >
> > <Property Id="SQLPASSWORD" Value="password">
> >   <RegistrySearch Id='SqlPwdReg' Key='SOFTWARE\xyz\abc' Name='SQLPwd'
> >                   Root='HKLM' Type='raw'/>
> > </Property>
> >
> > Is there a quick and easy way to encrypt and decrypt the password in Wix?
> >
> > Thank you.
> >
> > ------------------------------------------------------------------------------
> > The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> > Pinpoint memory and threading errors before they happen.
> > Find and fix more than 250 security defects in the development cycle.
> > Locate bottlenecks in serial and parallel code that limit performance.
> > http://p.sf.net/sfu/intel-dev2devfeb
> > _______________________________________________
> > WiX-users mailing list
> > WiX-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/wix-users
>
> --
> virtually, Rob Mensching - http://RobMensching.com LLC
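As an added example (not code from this thread or from the WiX project), the defensive alternative to the registry approach above: the sa password never leaves a hidden, secure property, it is supplied on the command line at both install and uninstall time, and a blind uninstall is refused. It assumes the WiX v3 schema with the Util and Sql extensions; the product, GUIDs, registry key, database and server names are placeholders, and gating the uninstall with a launch condition on REMOVE is my assumption about a workable pattern, not a documented WiX idiom.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
     xmlns:sql="http://schemas.microsoft.com/wix/SqlExtension"
     xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
  <Product Id="*" Name="Example App" Language="1033" Version="1.0.0.0"
           Manufacturer="Example" UpgradeCode="PUT-GUID-HERE">
    <Package InstallerVersion="200" Compressed="yes" InstallScope="perMachine" />

    <!-- The sa password only ever lives in this property. Hidden="yes" keeps
         its value out of the MSI log; Secure="yes" lets it be passed on the
         command line into the elevated execute sequence. No default value
         and no RegistrySearch, so nothing writes it to HKLM. -->
    <Property Id="SQLPASSWORD" Hidden="yes" Secure="yes" />
    <Property Id="SQLSERVER" Value="localhost" Secure="yes" />

    <!-- Block an explicit uninstall that did not supply the password, so
         the drop below is never attempted blind. The uninstall that a major
         upgrade triggers (UPGRADINGPRODUCTCODE is set) is let through. -->
    <Condition Message="Uninstall needs the sa password: msiexec /x {ProductCode} SQLPASSWORD=...">
      NOT (REMOVE~="ALL") OR SQLPASSWORD OR UPGRADINGPRODUCTCODE
    </Condition>

    <!-- Defined at Product level (not inside a Component) so no local
         Windows account is created; it is only a credential reference. -->
    <util:User Id="SqlSa" Name="sa" Password="[SQLPASSWORD]" />

    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLFOLDER" Name="Example App">
          <Component Id="SqlDb" Guid="PUT-GUID-HERE">
            <!-- Key path only; note that no password is written here. -->
            <RegistryValue Root="HKLM" Key="SOFTWARE\Example\App" Name="Installed"
                           Value="1" Type="integer" KeyPath="yes" />
            <sql:SqlDatabase Id="AppDb" Database="AppDb" Server="[SQLSERVER]"
                             User="SqlSa" CreateOnInstall="yes" DropOnUninstall="yes" />
          </Component>
        </Directory>
      </Directory>
    </Directory>

    <Feature Id="Main" Level="1">
      <ComponentRef Id="SqlDb" />
    </Feature>
  </Product>
</Wix>
```

Install with `msiexec /i ExampleApp.msi SQLPASSWORD=... SQLSERVER=...` and uninstall with `msiexec /x {ProductCode} SQLPASSWORD=...`; the password is held only for the lifetime of that msiexec session and never reaches the registry or the log.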