I am not a systems developer, but we have an internal payroll application, that essentially has 2 servers in its architecture, a database server running MS-SQL Server, and an application server, both have windows 2008 server as OS. A security audit has found a weak password associated with a local OS account which is members of the admins group. My question is what is the overall risk, the data is stored on the database server not the application server, so if someone exploited this weak password and got admin access to the application server, what’s the risk, what could they? What “data” is typically installed an the application server? Surely the higher risk server is the database server which houses the actual data.