UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SQL Server default account sa must have its password changed.


Overview

Finding ID Version Rule ID IA Controls Severity
V-40920 SQL2-00-018800 SV-53274r1_rule Medium
Description
SQL Server's default 'sa' account has special privileges required to administer SQL Server. The default 'sa' account is a well-known SQL Server administrator account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This 'sa' default account is administrative in nature and could lead to catastrophic consequences including the complete loss of control over SQL Server, not to mention a compromise of user data. If the 'sa' default account's password is not changed an attacker might be able to gain access through the account.
STIG Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide 2014-01-05

Details

Check Text ( C-47575r2_chk )
Check SQL Server settings to determine if the 'sa' (sysadmin) account has had its password changed by running the following script:

USE MASTER

GO

DECLARE @User_id varchar(60)

SET @User_id = '<'system administrator id'>'

SELECT name AS 'Account'
, LOGINPROPERTY(name, 'PasswordLastSetTime') AS 'Time of Last Password Change'
FROM sys.sql_logins
WHERE @User_id = name

If SQL Server default 'sa' account has not had its password changed since installation, this is a finding.

Note: If the 'sa' account name has been changed per SQL2-00-010200, replace 'sa' in the query above with the renamed 'sa' account.
Fix Text (F-46202r2_fix)
Modify SQL Server 'sa' (sysadmin) default account password by running the following script:


USE master

GO


ALTER LOGIN [<'system administrator id'>] WITH PASSWORD = N'<'new password'>'