SQL Server default account sa must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-40936 | SQL2-00-017100 | SV-53290r1_rule | Medium |
| Description |
|---|
| SQL Server's 'sa' account has special privileges required to administer the database. The 'sa' account is a well-known SQL Server account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This 'sa' default account is administrative and could lead to catastrophic consequences including the complete loss of control over SQL Server. If the 'sa' default account is not disabled an attacker might be able to gain access through the account. SQL Server by default, at installation, disables the 'sa' account. Some applications that run on SQL Server require the 'sa' account to be enable in order for the application to function properly. These applications that require the 'sa' account to be enabled are usually legacy systems. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide | 2014-06-23 |
Details
| Check Text ( C-47591r2_chk ) |
|---|
| Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: USE MASTER GO Select * from sys.sql_logins where name = 'sa' If the "is-disabled" column is not set to 1, this is a finding. Note: If the 'sa' account name has been changed per SQL2-00-010200, replace 'sa' in the query above with the renamed 'sa' account. |
| Fix Text (F-46218r2_fix) |
|---|
| Modify the enabled flag of SQL Server's 'sa' (sysadmin) account by running the following script: USE master GO ALTER LOGIN [sa] DISABLE |