SQL Server default account sa must have its password changed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-40920 | SQL2-00-018800 | SV-53274r1_rule | Medium |
| Description |
|---|
| SQL Server's default 'sa' account has special privileges required to administer SQL Server. The default 'sa' account is a well-known SQL Server administrator account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This 'sa' default account is administrative in nature and could lead to catastrophic consequences including the complete loss of control over SQL Server, not to mention a compromise of user data. If the 'sa' default account's password is not changed an attacker might be able to gain access through the account. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide | 2014-06-23 |
Details
| Check Text ( C-47575r2_chk ) |
|---|
| Check SQL Server settings to determine if the 'sa' (sysadmin) account has had its password changed by running the following script: USE MASTER GO DECLARE @User_id varchar(60) SET @User_id = '<'system administrator id'>' SELECT name AS 'Account' , LOGINPROPERTY(name, 'PasswordLastSetTime') AS 'Time of Last Password Change' FROM sys.sql_logins WHERE @User_id = name If SQL Server default 'sa' account has not had its password changed since installation, this is a finding. Note: If the 'sa' account name has been changed per SQL2-00-010200, replace 'sa' in the query above with the renamed 'sa' account. |
| Fix Text (F-46202r2_fix) |
|---|
| Modify SQL Server 'sa' (sysadmin) default account password by running the following script: USE master GO ALTER LOGIN [<'system administrator id'>] WITH PASSWORD = N'<'new password'>' |