Users driven to third-party security

05.12.2005

For example, Microsoft Corp. now acknowledges that its SQL Server 2000 was installed with many security features turned off by default. Ease of use was the reason, but it led to one notorious hole in which Windows systems administrator accounts were also automatically given administrator accounts on SQL Server, said Jon Hwang, senior database administrator at OpenTable Inc. in San Francisco.

"It's better if vendors assume you might have a very junior crew of DBAs and prevent a lot of these loopholes upfront," said Hwang, who runs SQL Server 2000 to support OpenTable's Web-based restaurant reservations system. He's testing the 2005 version, which he says provides a "dramatic" improvement in security.

Tom Rizzo, Microsoft's product manager for SQL Server, said that besides new features such as encryption of data "at rest" within the database, SQL Server's configuration tool turns off some features, such as support for native Web services, to keep inexperienced database administrators from inadvertently creating security holes. SQL Server 2005 even challenges administrators who try to create accounts without passwords by scolding them in pop-up messages, though it stops short of blocking the practice.

"We think that's like driving at 120 miles an hour without seat belts," Rizzo said.

But, he added, "we have to make SQL Server flexible as well as secure."
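Both weak defaults the article mentions, Windows administrators inheriting SQL Server's sysadmin role and logins created without a password, can be audited from T-SQL. The following is an added example, not code from the article or from Microsoft; it assumes a SQL Server 2005 instance and uses its catalog views (sys.server_principals, sys.sql_logins, sys.server_role_members) and the documented PWDCOMPARE() and IS_SRVROLEMEMBER() functions.

```sql
-- Added audit example (not from the article). Run as a sysadmin on the instance.

-- 1. Is the local Windows Administrators group still a member of sysadmin?
--    This is the SQL Server 2000 default that Hwang describes.
SELECT 'BUILTIN\Administrators holds sysadmin' AS finding
WHERE IS_SRVROLEMEMBER('sysadmin', 'BUILTIN\Administrators') = 1;

-- 2. Which SQL logins accept an empty password?
--    PWDCOMPARE() checks a cleartext value against the stored hash.
SELECT name AS login_name, 'empty password' AS finding
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 3. Every current sysadmin member, so Windows groups that grant the role
--    to all their members can be reviewed, not just BUILTIN\Administrators.
SELECT m.name AS member_name, m.type_desc AS member_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- Remediation, commented out so the audit stays read-only. Create a dedicated
-- DBA login that holds sysadmin before dropping the Windows group, or you can
-- lock yourself out. 'app_user' and the password are placeholders.
-- EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';
-- ALTER LOGIN [app_user] WITH PASSWORD = '<strong password>', CHECK_POLICY = ON;
```

The first two queries return no rows on a correctly hardened instance; any row they return is a finding to act on.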