The Ensoft blog

tail /var/log/thoughts

SQL Server service pack 4

Here's a great one for anybody applying SP4 to SQL Server:

Try running a trace on SQL statements that even vaguely mention “password”... it'll block them!

Even if the code is inserting an email that vaguely mentions something about password security... without even saying “the password was [blank].”

Try this SQL script while running SQL Profiler:

use northwind
insert into customers ( customerid, companyname, contactname )
values ( 'PASSW', 'Password Experts', 'The password man' )

Guess what... it gets blocked. Apparently it really is just a dumb substring search for the “password” text...

Great job guys... That's the way to really “think” about security...

Anyone? Anyone? 
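The false positive described above next to a narrower filter, as an added example that is not part of the original post and not SQL Server's code. It assumes the trace filter is the plain substring match the post describes; the function names, the placeholder text and the last two sample statements are constructed for illustration.

```python
import re

# Tokens of a small T-SQL subset: string literals, comments, identifiers.
TOKEN = re.compile(r"""
    (?P<string>N?'(?:[^']|'')*')                 # 'literal', '' escapes a quote
  | (?P<comment>--[^\n]*|/\*.*?\*/)              # line and block comments
  | (?P<ident>\[[^\]]+\]|[A-Za-z_@#][\w@#$]*)    # bare or [bracketed] name
""", re.VERBOSE | re.DOTALL)

# Constructed placeholder, not the text the product writes to the trace.
HIDDEN = "-- statement text hidden"


def naive_filter(stmt):
    """Behaviour the post describes: hide any statement containing the word."""
    return HIDDEN if "password" in stmt.lower() else stmt


def token_filter(stmt):
    """Mask literals only when 'password' names a column, procedure or option.

    Still a heuristic: a column called pwd would slip through.
    """
    idents = [m.group("ident") for m in TOKEN.finditer(stmt) if m.group("ident")]
    if not any("password" in name.lower() for name in idents):
        return stmt  # the word occurs only inside data, or not at all
    # Keep the statement shape in the trace, mask every literal value.
    return TOKEN.sub(lambda m: "'***'" if m.group("string") else m.group(0), stmt)


# First statement is the post's script; the other two are constructed samples.
SAMPLES = [
    "insert into customers ( customerid, companyname, contactname )\n"
    "values ( 'PASSW', 'Password Experts', 'The password man' )",
    "EXEC sp_password 'old-secret', 'new-secret', 'appuser'",
    "UPDATE users SET password = 'hunter2' WHERE id = 7",
]


def compare(samples=SAMPLES):
    """Return (naive result, token-aware result) for each statement."""
    return [(naive_filter(s), token_filter(s)) for s in samples]


if __name__ == "__main__":
    for naive, tokens in compare():
        print("naive :", naive)
        print("tokens:", tokens, end="\n\n")
```
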


Posted on Thursday, October 20, 2005 10:54 AM

Feedback


# Roulette Trick

Great idea, thanks for this tip!
2/4/2010 12:00 PM | ruleta online