UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SQL Server default account sa must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-40936 SQL2-00-017100 SV-53290r3_rule Medium
Description
SQL Server's 'sa' account has special privileges required to administer the database. The 'sa' account is a well-known SQL Server account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This 'sa' default account is administrative and could lead to catastrophic consequences, including the complete loss of control over SQL Server. If the 'sa' default account is not disabled, an attacker might be able to gain access through the account. SQL Server by default, at installation, disables the 'sa' account. Some applications that run on SQL Server require the 'sa' account to be enabled in order for the application to function properly. These applications that require the 'sa' account to be enabled are usually legacy systems.
STIG Date
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide 2017-04-03

Details

Check Text ( C-47591r4_chk )
Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query:

USE MASTER
GO
SELECT name, is_disabled
FROM sys.sql_logins
WHERE principal_id = 1;

Verify that the "name" column contains the current name of the sa database server account (see note).

If the "is_disabled" column is not set to 1, this is a finding.

Note: If the 'sa' account name has been changed per SQL2-00-010200, its new name should appear in the query results.
Fix Text (F-46218r3_fix)
Modify the enabled flag of SQL Server's "sa" (sysadmin) account by running the following script. If the account name has been changed per SQL2-00-010200, replace the letters "sa" in the query with the new name.

USE master;
GO
ALTER LOGIN [sa] DISABLE;