2.17 Ensure no login exists with the name 'sa'

Information

The sa login (e.g. principal) is a widely known and often widely used SQL Server account. Therefore, there should not be a login called sa even when the original sa login (principal_id = 1) has been renamed.

Rationale:

Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal name.

Impact:

It is not a good security practice to code applications or scripts to use the sa account. Given that it is a best practice to rename and disable the sa account, some 3rd party applications check for the existence of a login named sa and if it doesn't exist, creates one. Removing the sa login will prevent these scripts and applications from authenticating to the database server and executing required tasks or functions.

Solution

Execute the appropriate ALTER statement below based on the principal_id returned for the login named sa. Replace the <different_name> value within the below syntax and execute to rename the sa login.

USE [master]
GO
-- If principal_id = 1 or the login owns database objects, rename the sa login
ALTER LOGIN [sa] WITH NAME = <different_name>;
GO

Default Value:

The login with principal_id = 1 is named sa by default.

See Also

https://workbench.cisecurity.org/benchmarks/7202

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: MS_SQLDB

Control ID: e6a30d6d312e01eb4095c42c01b2139ee8de44124f9e44308a7fcd5a52942cb7