The SQL Server default account [sa] must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-214028 | SQL6-D0-016200 | SV-214028r822467_rule | High |
| Description |
|---|
| SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This [sa] default account is administrative and could lead to catastrophic consequences, including the complete loss of control over SQL Server. If the [sa] default account is not disabled, an attacker might be able to gain access through the account. SQL Server by default disables the [sa] account at installation. Some applications that run on SQL Server require the [sa] account to be enabled for the application to function properly. These applications that require the [sa] account to be enabled are usually legacy systems. |
| STIG | Date |
|---|---|
| MS SQL Server 2016 Instance Security Technical Implementation Guide | 2022-09-12 |
Details
| Check Text ( C-15245r822466_chk ) |
|---|
| Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: USE master; GO SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1; GO Verify that the "name" column contains the current name of the [sa] database server account. If the "is_disabled" column is not set to "1", this is a finding. |
| Fix Text (F-15243r313868_fix) |
|---|
| Modify the enabled flag of SQL Server's [sa] (system administrator) account by running the following script. USE master; GO ALTER LOGIN [sa] DISABLE; GO |