Skip to content

Revoke Logon To sa Account


A user account has been mapped to the sa logon. Database level users mapped to the sa logon can take any action on the server.


The sa account should not be used, and should be disabled. A user account for a database which is mapped to the sa logon can take any action on the system. If a user account is mapped to the sa logon, it may represent evidence of an intrusion, and logs should be carefully examined.

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag With Value
secureclouddb/provider aws
secureclouddb/service rds
secureclouddb/engine sqlserver

Default Rule

const { isEmptyArray } = module

 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if there are no database principals mapped to the sa account 
function validate(databaseSettings) {
    const success = isEmptyArray(databaseSettings.users) ||
        isEmptyArray(databaseSettings.users.filter(user => 
            user.sqlserver &&
            user.sqlserver.sid === '0x01' &&
            user.sqlserver.principalId !== 1 &&
            user.sqlserver.source === 'sys.database_principals'))

    return {