This article addresses two issues:

The SQL Server Setup program and SQL Server Enterprise Manager grant
unnecessary permissions to the SQL Server service startup account when the
account is not a member of the Administrators Users group.

An unchecked buffer exists in an encryption function. A buffer overrun can
occur as a result and can be used to either cause the SQL Server service to
fail, or to cause code to run in the security context of the server that is
running SQL Server.

To resolve this problem, obtain the latest service pack for Microsoft SQL
Server 2000. For additional information, click the following article number
to view the article in the Microsoft Knowledge Base:
INF: How To Obtain the Latest SQL Server 2000 Service Pack
Note: The following fix was created before the release of Microsoft
SQL Server 2000 Service Pack 3.
To download the fix for these
issues, see the following article in the Microsoft Knowledge Base:
INF: SQL Server 2000 Security Update for Service Pack 2
The downloadable file contains a stand-alone
utility named Servpriv.exe. You can use Servpriv.exe to correct the permission
problems for the service registry keys. The Readme.txt file in the package has
instructions for applying the fixes and for running Servpriv.exe.
How to Use Servpriv.exe
To use Servpriv.exe, type the following text on the command line,
and then press ENTER:
parameter is the name of the SQL Server instance that you want to
patch. If you want to patch the default instance, specify MSSQLSERVER (case
does not matter); otherwise, specify the name of the SQL Server instance. This
utility is designed to only patch SQL Server 2000 installations that are
running SQL Server 2000 Service Pack 2, or later. If you are not running SQL
Server 2000 Service Pack 2, you must upgrade to SQL Server 2000 Service Pack 2
before you use Servpriv.exe.
Examples
Default instance = Servpriv.exe MSSQLServer
Named instance = Servpriv.exe INST1 where the instance typically connected to is SERVER_NAME\INST1
For more information about how to use Servpriv.exe, read the
Readme.txt file that is included with the download file.
Microsoft has confirmed that this is a problem in the Microsoft products
that are listed at the beginning of this article.
This problem was first corrected in Microsoft SQL Server
2000 Service Pack 3.