SQL Server default account sa must have its name changed.

From Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide

Associated with: CCI-000040

SV-53412r2_rule SQL Server default account sa must have its name changed.

Vulnerability discussion

SQL Server's 'sa' account has special privileges required to administer the database. The 'sa' account is a well-known SQL Server account name and is likely to be targeted by attackers, and is thus more prone to providing unauthorized access to the database.Since the SQL Server 'sa' is administrative in nature, the compromise of a default account can have catastrophic consequences, including the complete loss of control over SQL Server. Since SQL Server needs for this account to exist and it should not be removed, one way to mitigate this risk is to change the 'sa' account name.

Check content

Verify the SQL Server default 'sa' account name has been changed. Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins. If SQL Server default 'sa' account name is in the 'Logins' list, this is a finding.

Fix text

Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> click 'sa' account name. Hit while the name is highlighted in order to edit the name. Rename the 'sa' account.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.