The SQL Server default account [sa] must be disabled.
An XCCDF Rule
Description
SQL Server's [sa] account has special privileges required to administer the database. The [sa] account is a well-known SQL Server account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This [sa] default account is administrative and could lead to catastrophic consequences, including the complete loss of control over SQL Server. If the [sa] default account is not disabled, an attacker might be able to gain access through the account. SQL Server by default, at installation, disables the [sa] account. Some applications that run on SQL Server require the [sa] account to be enabled in order for the application to function properly. These applications that require the [sa] account to be enabled are usually legacy systems.
- ID
- SV-213848r395853_rule
- Version
- SQL4-00-017100
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Modify the enabled flag of SQL Server's [sa] (system administrator) account by running the following script. If the account name has been changed per SQL4-00-010200, replace the letters "sa" in the query with the new name.
USE master;
GO
ALTER LOGIN [sa] DISABLE;
GO