Setting The 'sa' Password In Microsoft SQL Server

Please see the Microsoft SQL Server Security pages and the SQL Server Security Checklist from SQLsecurity.com for more information on securely administering Microsoft SQL Server. Also, a detailed analysis of one worm which exploits this vulnerability is available from the Incidents.org site maintained by the SANS Institute.

To change the password from the command line on MSSQL Server or MSDE:

  1. Open a command shell by selecting "Start"-->"Run...", and typing "cmd.exe" in the "Run" dialog box.
  2. Change to the directory in which the MSSQL or MSDE utilities are stored (this is usually C:\MSDE\binn, C:\MSSQL7\binn, etc., but YMMV).
  3. Issue the following command, where <newpassword> is the password you have chosen (the -P "" option supplies the current, blank 'sa' password; if the new password contains spaces or special characters, enclose it in single quotes inside the -Q string):
    osql -U sa -P "" -Q "sp_password NULL,<newpassword>,sa"
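As an added example that is not part of the original page, the following T-SQL script performs the same change as the osql command above but first audits the instance for every SQL login with a blank password (including the "probe" login mentioned later on this page) and re-checks afterwards. It assumes a SQL Server 7.0/2000-era instance where master..syslogins exposes the password hash and the PWDCOMPARE() function is available, and that it is run by a sysadmin, e.g. with osql -E -i audit_sa.sql; on SQL Server 2005 and later the catalog is sys.sql_logins and the password is changed with ALTER LOGIN instead.

```sql
-- Added example (not from the original page): audit for blank-password
-- SQL logins, set a new 'sa' password, then re-audit.
-- Assumptions: SQL Server 7.0/2000 catalog (master..syslogins with a
-- password column and isntname flag) and the PWDCOMPARE() function;
-- run as a sysadmin, e.g.  osql -E -i audit_sa.sql
USE master
GO

-- 1. List every SQL login (not Windows login) whose stored password hash
--    matches the empty string, or whose password is stored as NULL.
--    'sa' is the login the worms target, but 'probe' and any other
--    blank-password login shows up here too.
SELECT name AS blank_password_login
FROM master..syslogins
WHERE isntname = 0
  AND (password IS NULL OR PWDCOMPARE('', password) = 1)
GO

-- 2. Set a new password for 'sa'. The value is single-quoted so spaces and
--    punctuation pass through; double any embedded single quote.
--    <newpassword> is a placeholder: replace it before running.
EXEC sp_password @old = NULL, @new = '<newpassword>', @loginame = 'sa'
GO

-- 3. Re-run the audit; 'sa' must no longer appear. Any login still listed
--    (for example 'probe') needs the same treatment.
SELECT name AS still_blank
FROM master..syslogins
WHERE isntname = 0
  AND (password IS NULL OR PWDCOMPARE('', password) = 1)
GO
```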

To change the password on the 'sa' account from the graphical interfaces of MSSQL Server 7.0 and 2000 on both Windows NT 4.0 and 2000:

  1. Open the "SQL Server Enterprise Manager". This is usually under "Start"-->"Programs"-->"Microsoft SQL Server", but your software may be configured differently. Starting with MSSQL 7.0, the "SQL Server Enterprise Manager" is a snap-in for the "Microsoft Management Console" (mmc.exe). Please see Microsoft documentation if you are unsure how to use this application.
  2.  

  3. Navigate to the "Logins" object under the "Security" folder on the SQL Server you wish to administer. Then, right click on the 'sa' account and select "Properties".

    [Screenshot: Enterprise Manager]
  4. Now, enter a new password in the "Password" field under the "Authentication" options.

    [Screenshot: Set Password]

To change the password on the 'sa' account from the graphical interface of MSSQL Server 6.5 on Windows NT 4.0:

  1. Open the "SQL Server Enterprise Manager". This is usually under "Start"-->"Programs"-->"Microsoft SQL Server", but your software may be configured differently. This package should have been installed with MSSQL Server 6.5, so please see your documentation if you are unsure of how to find this application.
  2.  

  3. Navigate to the "Logins" object for the SQL Server you wish to administer. Then, right click on the 'sa' account and select "Edit".

    [Screenshot: Enterprise Manager]
  4. Now, enter a new password in the "Password" field and click "Modify".

    [Screenshot: Set Password]
  5. Also note that if there is an account named "probe", it may also open you up for this vulnerability. Please verify the password for these accounts as well.