STIGQter STIGQter: STIG Summary: MS SQL Server 2016 Instance Security Technical Implementation Guide Version: 1 Release: 8 Benchmark Date: 24 Jan 2020: The SQL Server default account [sa] must be disabled.

DISA Rule

SV-94023r2_rule

Vulnerability Number

V-79317

Group Title

SRG-APP-000033-DB-000084

Rule Version

SQL6-D0-016200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Modify the enabled flag of SQL Server's [sa] (system administrator) account by running the following script.
USE master;
GO
ALTER LOGIN [sa] DISABLE;
GO

Check Contents

Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query:

USE master;
GO
SELECT name, is_disabled
FROM sys.sql_logins
WHERE principal_id = 1;
GO

Verify that the "name" column contains the current name of the [sa] database server account.

If the "is_disabled" column is not set to “1”, this is a finding.

Vulnerability Number

V-79317

Documentable

False

Rule Version

SQL6-D0-016200

Severity Override Guidance

Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query:

USE master;
GO
SELECT name, is_disabled
FROM sys.sql_logins
WHERE principal_id = 1;
GO

Verify that the "name" column contains the current name of the [sa] database server account.

If the "is_disabled" column is not set to “1”, this is a finding.

Check Content Reference

M

Target Key

3219

Comments