
Ensure no login exists with the name 'sa'

Description

The sa login (i.e. the built-in server principal) is a widely known and often widely used SQL Server account. Therefore no login named sa should exist, even when the original sa login (principal_id = 1) has been renamed, since a new login can still be created under that freed-up name.

Rationale

Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal name.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      sqlserver

Default Rule

const { isEmptyArray } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true when no server principal named 'sa' exists
 */
function validate(databaseSettings) {
    const success = isEmptyArray(databaseSettings.users) ||
                    isEmptyArray(
                        databaseSettings.users.filter(user =>
                            user.sqlserver &&
                            user.sqlserver.source === 'sys.server_principals' &&
                            user.sqlserver.name === 'sa'))

    return {
        success,
    }
}

validate(databaseSettings)
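To see how the rule behaves on concrete input, below is a stand-alone re-implementation of the check with constructed `databaseSettings` snapshots (an added example, not SecureCloudDB's own code; `isEmptyArray` is normally supplied by the rule engine and is re-implemented here). It also adds a case-insensitive variant, which is an assumption going beyond the page's rule: the default SQL Server collation compares login names case-insensitively, so a login recreated as `SA` presents the same well-known name to anyone connecting but would pass the exact-match check.

```javascript
// Added example: stand-alone version of the "no login named sa" rule.
// isEmptyArray is normally provided by the rule engine via `module`.
function isEmptyArray(value) {
  return Array.isArray(value) && value.length === 0;
}

// Shared filter: does this entry describe a server principal whose name matches?
function isSaPrincipal(user, normalize) {
  return Boolean(user.sqlserver) &&
    user.sqlserver.source === 'sys.server_principals' &&
    normalize(String(user.sqlserver.name)) === 'sa';
}

// Exact-match check, mirroring the default rule on this page.
// A missing user list is treated as empty rather than throwing.
function validate(databaseSettings) {
  const users = databaseSettings.users || [];
  const offenders = users.filter(u => isSaPrincipal(u, name => name));
  return { success: isEmptyArray(offenders) };
}

// Stricter variant (assumption, not part of the page's rule): lower-cases the
// name first, because the default server collation is case-insensitive.
function validateCaseInsensitive(databaseSettings) {
  const users = databaseSettings.users || [];
  const offenders = users.filter(u => isSaPrincipal(u, name => name.toLowerCase()));
  return { success: isEmptyArray(offenders) };
}

// Constructed sample snapshots in the shape the rule expects.
const principal = (name, id) => ({
  sqlserver: { source: 'sys.server_principals', name, principal_id: id },
});

// Original sa renamed and no other 'sa' login: compliant.
const renamedOnly = { users: [principal('dbadmin', 1), principal('app_svc', 260)] };
// Original sa still present under its well-known name: non-compliant.
const saPresent = { users: [principal('sa', 1), principal('app_svc', 260)] };
// sa renamed, but a new login named 'SA' created afterwards.
const upperCaseSa = { users: [principal('dbadmin', 1), principal('SA', 261)] };

console.log(validate(renamedOnly).success);                // true
console.log(validate(saPresent).success);                  // false
console.log(validate(upperCaseSa).success);                // true (exact match misses it)
console.log(validateCaseInsensitive(upperCaseSa).success); // false
```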