The SQL Server default account [sa] must be disabled.

From MS SQL Server 2016 Instance Security Technical Implementation Guide

Associated with: CCI-000213

SV-94023r1_rule The SQL Server default account [sa] must be disabled.

Vulnerability discussion

SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This [sa] default account is administrative and could lead to catastrophic consequences, including the complete loss of control over SQL Server. If the [sa] default account is not disabled, an attacker might be able to gain access through the account. SQL Server by default, at installation, disables the [sa] account. Some applications that run on SQL Server require the [sa] account to be enabled in order for the application to function properly. These applications that require the [sa] account to be enabled are usually legacy systems.

Check content

Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query: USE master; GO SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1; GO Verify that the "name" column contains the current name of the [sa] database server account (see note). If the "is_disabled" column is not set to 1, this is a finding.

Fix text

Modify the enabled flag of SQL Server's [sa] (system administrator) account by running the following script. USE master; GO ALTER LOGIN [sa] DISABLE; GO

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.