I was startled, while experimenting with the SQLDMO library, to find out
that it allows you to see the passwords that were used to register SQL
Servers in Enterprise Manager. Is it me, or is this an astonishing security
breach?
Harlan Messinger
Remove the first dot from my e-mail address.
Veuillez ôter le premier point de mon adresse de courriel.

Correct, but you already knew the password, since this is a per-user
registration. By default this information is stored in the HKEY_CURRENT_USER
hive in the Registry, so only the actual user who made the registration can
read the password he used himself to register, so he already knew the
password to begin with; you are not exposing more information in that case.
And since it is in HKEY_CURRENT_USER, you need to log in with the NT
credentials of the user who created the entry to access it.
Besides that, this is why there is an option that says "Always prompt for
login name and password" which is what you should use in my opinion if you
are using standard security. Or you can always use integrated security, in
which case you do not have this problem.
GertD@.SQLDev.Net
Please reply only to the newsgroups.
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.
Copyright SQLDev.Net 1991-2004 All rights reserved.
"Harlan Messinger" <h.messinger@.comcast.net> wrote in message
news:34gdfoF4afco0U1@.individual.net...
> I was startled, while experimenting with the SQLDMO library, to find out
> that it allows you to see the passwords that were used to register SQL
> Servers in Enterprise Manager. Is it me, or is this an astonishing security
> breach?
> --
> Harlan Messinger
> Remove the first dot from my e-mail address.
> Veuillez ôter le premier point de mon adresse de courriel.
>