quote:
Originally posted by http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2003-04/0016.html
An archive search did not bring up this topic as having been covered so
here goes.
Under the theory that any local NT/Windows 2000 user account which is
created by default as part of an application install is a potential
threat, I would like to warn administrators about SQL Server 2000 SP3.
Installing SQL Server 2000 SP3 creates a local account, SQLDebugger.
The account, while only a member of the Users group, has "Password never
expires" and "User cannot change password" checked by default. This is
not documented in the Readme(s) nor the Fixlist. If its there it is
buried so deep that I never found it. I opened a case with Microsoft
to find out what was going on and was told that SQLDebugger is created
as part of sqldbreg2.exe. The account is used by Visual Studio and
Query Analyzer. More information (though not much) can be found in
Q318632.
What I don't understand is why this is not documented better or even
mentioned. Administrators should certainly be told of any local
account so that they can either delete it or secure it.
Hope this helps (i hardly read it
)
