Ensure the 'sa' Login Account has been renamed

Description

The sa account is a widely known and often widely used SQL Server login with sysadmin privileges. The sa login is the original login created during installation and always has principal_id=1 and sid=0x01.

Rationale

It is more difficult to launch password-guessing and brute-force attacks against the sa login if the name is not known.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      sqlserver

Default Rule

const { isEmptyArray } = module
/**
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true when no principal with
 *          principal_id 1 is still named 'sa' (or when there are no users)
 */
function validate(databaseSettings) {
    const success = isEmptyArray(databaseSettings.users) ||
                    isEmptyArray(
                        databaseSettings.users.filter(user => 
                            user.sqlserver && 
                            user.sqlserver.principalId === 1 && 
                            user.sqlserver.source === 'sys.server_principals' &&
                            user.sqlserver.name === 'sa'))

    return {
        success,
    }
}

validate(databaseSettings)
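
The check below runs the rule's matching logic on constructed settings objects. It is an added example, not secureclouddb's own code; `findUnrenamedSa`, `validateSaRenamed`, the local `isEmptyArray` stand-in and the sample data are assumptions. It goes slightly beyond the default rule by treating `SA` as `sa` (login names compare case-insensitively under a case-insensitive server collation) and by tolerating a missing `users` array.

```javascript
// Added example: field names follow the default rule above; inputs are constructed.

// Local stand-in for the platform helper of the same name (assumption).
const isEmptyArray = (value) => Array.isArray(value) && value.length === 0;

/**
 * Return the server principals that still identify an un-renamed 'sa' login.
 * The name is compared case-insensitively so that 'SA' is not counted as renamed.
 */
function findUnrenamedSa(databaseSettings) {
    const users = Array.isArray(databaseSettings && databaseSettings.users)
        ? databaseSettings.users
        : []; // a missing users array is treated as "no principals reported"
    return users.filter((user) =>
        user.sqlserver &&
        user.sqlserver.principalId === 1 &&
        user.sqlserver.source === 'sys.server_principals' &&
        typeof user.sqlserver.name === 'string' &&
        user.sqlserver.name.toLowerCase() === 'sa');
}

/** Same result shape as the default rule: { success: boolean }. */
function validateSaRenamed(databaseSettings) {
    return { success: isEmptyArray(findUnrenamedSa(databaseSettings)) };
}

// Constructed principal record in the shape the default rule reads.
const principal = (name, principalId = 1) => ({
    sqlserver: { principalId, source: 'sys.server_principals', name },
});

// Constructed sample settings, one per case worth checking.
const samples = {
    defaultName: { users: [principal('sa')] },            // fails the rule
    upperCase: { users: [principal('SA')] },              // fails: same login name
    renamed: { users: [principal('dba_root_7f3c')] },     // passes
    otherPrincipalNamedSa: { users: [principal('sa', 267)] }, // passes: not principal_id 1
    noUsers: { users: [] },                               // passes
    missingUsers: {},                                     // passes, no exception
};

for (const [label, settings] of Object.entries(samples)) {
    console.log(label, validateSaRenamed(settings));
}
```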