STIGQter: STIG Summary: MS SQL Server 2014 Instance Security Technical Implementation Guide Version: 1 Release: 10 Benchmark Date: 24 Apr 2020:

The SQL Server default account [sa] must be disabled.

DISA Rule

SV-82343r1_rule

Vulnerability Number

V-67853

Group Title

SRG-APP-000141-DB-000092

Rule Version

SQL4-00-017100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Modify the enabled flag of SQL Server's [sa] (system administrator) account by running the following script. If the account name has been changed per SQL4-00-010200, replace the letters "sa" in the query with the new name.

USE master;
GO
ALTER LOGIN [sa] DISABLE;
GO

Check Contents

Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query:

USE master;
GO
SELECT name, is_disabled
FROM sys.sql_logins
WHERE principal_id = 1;
GO

Verify that the "name" column contains the current name of the [sa] database server account (see note).

If the "is_disabled" column is not set to 1, this is a finding.

Note: If the [sa] account name has been changed per SQL4-00-010200, its new name should appear in the query results.
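The following T-SQL script is an added example, not part of the STIG text above. It combines the check (query sys.sql_logins for principal_id = 1) and the fix (ALTER LOGIN ... DISABLE) into one idempotent batch that reports the finding status, locates the built-in administrator login by principal_id rather than by name so it still works after a rename under SQL4-00-010200, and refuses to disable the login when no other enabled sysadmin member exists, since doing so could lock administrators out of the instance. The guard query against sys.server_role_members and the message strings are this example's own design choices, not something the STIG prescribes.

```sql
-- Added example (not part of the STIG): check SQL4-00-017100 and apply the fix only when needed.
USE master;
GO
DECLARE @name sysname, @disabled bit, @other_admins int, @sql nvarchar(max);

-- Check: the built-in administrator login is always principal_id = 1, whatever it is named.
SELECT @name = name, @disabled = is_disabled
FROM sys.sql_logins
WHERE principal_id = 1;

IF @name IS NULL
BEGIN
    RAISERROR('No SQL login with principal_id = 1 was found; review the instance manually.', 16, 1);
    RETURN;
END;

IF @disabled = 1
BEGIN
    PRINT 'Not a finding: login [' + @name + '] is already disabled.';
    RETURN;
END;

PRINT 'Finding: login [' + @name + '] is enabled.';

-- Guard (example's own safety check): count enabled sysadmin members other than principal_id 1,
-- so that disabling the built-in account cannot remove the last usable administrator.
SELECT @other_admins = COUNT(*)
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p  ON p.principal_id = rm.member_principal_id
WHERE r.type_desc = 'SERVER_ROLE'
  AND r.name = 'sysadmin'
  AND p.principal_id <> 1
  AND p.is_disabled = 0;

IF @other_admins = 0
BEGIN
    RAISERROR('Refusing to disable [%s]: no other enabled sysadmin login exists. Create one first.', 16, 1, @name);
    RETURN;
END;

-- Fix: disable the login by its current name (QUOTENAME handles a renamed account safely).
SET @sql = N'ALTER LOGIN ' + QUOTENAME(@name) + N' DISABLE;';
EXEC sp_executesql @sql;

-- Re-run the check to confirm the fix took effect.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE principal_id = 1;
GO
```

Run the script as a member of the sysadmin role (ALTER LOGIN requires ALTER ANY LOGIN). The final SELECT should show is_disabled = 1 for the principal_id 1 login; if it still shows 0, the STIG check remains a finding and the instance should be reviewed manually.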

Severity Override Guidance

Check Content Reference

M

Target Key

2639

Comments