2.17 Ensure no login exists with the name 'sa'

Information

The sa login (e.g. principal) is a widely known and often widely used SQL Server account. Therefore, there should not be a login called sa even when the original sa login (principal_id 0x01) has been renamed.

Rationale:

Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal.

Solution

Execute the appropriate ALTER or DROP statement below based on the principal_id returned for the login named sa. Replace the <different_name> value within the below syntax and execute to rename the sa login.

USE [master]
GO
-- If principal_id = 1 or the login owns database objects, rename the sa login
ALTER LOGIN [sa] WITH NAME = <different_name>;
GO
-- If the login owns no database objects, then drop it
-- Do NOT drop the login if it is principal_id = 1
DROP LOGIN sa


Impact:

It is not a good security practice to code applications or scripts to use the sa account. Given that it is a best practice to rename and disable the sa account, some 3rd party applications check for the existence of a login named sa and if it doesn't exist, creates one. Removing the sa login will prevent these scripts and applications from authenticating to the database server and executing required tasks or functions.

Default Value:

The login with a principal_id = 1 is named sa by default.

See Also

https://workbench.cisecurity.org/files/2945

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|5.1, CSCv7|5.1

Plugin: MS_SQLDB

Control ID: e41ea98d061ac96bcc8eb9d3b8b3c3459ca723fe11be70497a085ea7656056c4