2.13 Ensure the 'sa' Login Account is set to 'Disabled'

Information

The sa account is a widely known and often widely used SQL Server account with sysadmin privileges. This is the original login created during installation and always has the principal_id=1 and sid=0x01.

Rationale:

Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal.

Impact:

It is not a good security practice to code applications or scripts to use the sa account. However, if this has been done, disabling the sa account will prevent scripts and applications from authenticating to the database server and executing required tasks or functions.

Solution

Execute the following T-SQL query:

USE [master]
GO
DECLARE @tsql nvarchar(max)
SET @tsql = 'ALTER LOGIN ' + SUSER_NAME(0x01) + ' DISABLE'
EXEC (@tsql)
GO

Default Value:

By default, the sa login account is disabled at install time when Windows Authentication Mode is selected. If mixed mode (SQL Server and Windows Authentication) is selected at install, the default for the sa login is enabled.

See Also

https://workbench.cisecurity.org/benchmarks/12777

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.8

Plugin: MS_SQLDB

Control ID: 408c5b0fbbf891192a7b488ab1c74987e81c55284624853c45ea8ab1a2630762