Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-40936 | SQL2-00-017100 | SV-53290r3_rule | Medium |
Description |
---|
SQL Server's 'sa' account has special privileges required to administer the database. The 'sa' account is a well-known SQL Server account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This 'sa' default account is administrative and could lead to catastrophic consequences, including the complete loss of control over SQL Server. If the 'sa' default account is not disabled, an attacker might be able to gain access through the account. SQL Server by default, at installation, disables the 'sa' account. Some applications that run on SQL Server require the 'sa' account to be enabled in order for the application to function properly. These applications that require the 'sa' account to be enabled are usually legacy systems. |
STIG | Date |
---|---|
Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide | 2017-12-01 |
Check Text ( C-47591r4_chk ) |
---|
Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query: USE MASTER GO SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1; Verify that the "name" column contains the current name of the sa database server account (see note). If the "is_disabled" column is not set to 1, this is a finding. Note: If the 'sa' account name has been changed per SQL2-00-010200, its new name should appear in the query results. |
Fix Text (F-46218r3_fix) |
---|
Modify the enabled flag of SQL Server's "sa" (sysadmin) account by running the following script. If the account name has been changed per SQL2-00-010200, replace the letters "sa" in the query with the new name. USE master; GO ALTER LOGIN [sa] DISABLE; |