FAQ: Security scan flags Firebird 'sysdba' default password

Question: After installing or upgrading to RPM 6.0, a security scanner reports that the Firebird service is accessible using the default password. Can the default password be changed?

Answer 1: The only time the default 'sysdba' password is needed is during RPM installation or upgrade. You can change the default 'sysdba' password after it is installed and even while RPM is running without affecting the receiving and processing of print jobs.

Here is one way to change the password.

  1. Open a command prompt by choosing Run from the Windows Start menu, typing cmd.exe, and pressing OK.
  2. Run the following command: "C:\Program Files\Firebird\Firebird_2_5\bin\gsec.exe" -user sysdba -password masterkey -mo sysdba -pw NewPassword
  3. Note that you will need the password during future RPM upgrades and if you uninstall and reinstall it, so be sure to write down or memorize the password for future use.
  4. Run your security scan again and verify the issue is no longer reported.

Note: Firebird may exist in a different location, so please specify the correct path to the gsec.exe file. Also, be sure to substitute the new password where appropriate.

Answer 2: Another possible solution is to remove the Firebird SQL Server firewall exception created during installation.  This will prevent remote network access to Firebird, but access from both the local RPM service and GUI should remain unaffected.  To do so, follow these steps.

  1. Open Control Panel.  Search for Firewall and click Windows Firewall.  Alternatively, click System and Security, then Windows Firewall.
  2. In the left menu, click Allow an app or feature through Windows Firewall.
  3. If User Account Control is in effect, click Change Settings.
  4. Locate and highlight Firebird SQL Server in the list and click the Remove button.  Confirm that you want the exception to be removed.  You may also temporarily remove the checks from each of the network types: Domain, Private, and Public.  Doing so may not be possible in which case you must remove it and the recreate it if necessary.

Note: If you are using the RPM GUI to access RPM from a remote network computer, this option will obviously prevent that from working.