Ensure the 'sa' Login Account is set to 'Disabled'

Description

The sa account is a widely known and often widely used SQL Server login with sysadmin privileges. The sa login is the original login created during installation and always has principal_id=1 and sid=0x01.

Rationale

Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                      Value
secureclouddb/provider   aws
secureclouddb/service    rds
secureclouddb/engine     sqlserver

Default Rule

const { isEmptyArray } = module

/**
 * Passes when no enabled 'sa' login is present. The 'sa' login is identified
 * the way SQL Server does it: the server principal with principal_id 1 taken
 * from sys.server_principals, regardless of what the login is currently named.
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if the 'sa' login is disabled
 */
function validate(databaseSettings) {
    // Nothing to evaluate when no logins were collected; otherwise fail if any
    // principal_id=1 login from sys.server_principals is still enabled.
    const success = isEmptyArray(databaseSettings.users) ||
                    isEmptyArray(
                        databaseSettings.users.filter(user =>
                            user.sqlserver &&
                            user.sqlserver.principalId === 1 &&
                            user.sqlserver.source === 'sys.server_principals' &&
                            !user.sqlserver.isDisabled))

    return {
        success,
    }
}

validate(databaseSettings)
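To show what the rule above actually accepts and rejects, here is an added, stand-alone re-implementation of the check run over constructed fixtures. This is example code, not SecureCloudDB's rule or its runtime: `isEmptyArray` is re-implemented locally, the `users[].sqlserver` field names mirror the rule on this page, and the fixture logins (`sa`, `app_user`, a renamed principal_id=1 login) are invented. It also returns a list of findings rather than only a boolean, and it treats a missing `users` array as "nothing to check", which the original rule leaves to the platform's `isEmptyArray`.

```javascript
// Added example: stand-alone version of the "'sa' login must be disabled" check.
// Not SecureCloudDB's rule code; field names follow the rule on this page.

function isEmptyArray(value) {
  return Array.isArray(value) && value.length === 0;
}

// The sa login is the server principal with principal_id 1 (sid 0x01) from
// sys.server_principals. Keying on principal_id rather than the name means a
// renamed sa login is still recognised.
function isSaLogin(user) {
  return Boolean(user.sqlserver) &&
    user.sqlserver.principalId === 1 &&
    user.sqlserver.source === 'sys.server_principals';
}

// Returns { success, findings }: success is true when no enabled sa login
// exists; findings describes each enabled sa login that was found.
function checkSaDisabled(databaseSettings) {
  const users = Array.isArray(databaseSettings.users) ? databaseSettings.users : [];
  const findings = users
    .filter(user => isSaLogin(user) && !user.sqlserver.isDisabled)
    .map(user => `login '${user.name}' (principal_id=1, sid=0x01) is enabled`);
  return { success: isEmptyArray(findings), findings };
}

// Constructed fixtures shaped like the rule's databaseSettings input.
function makeSettings(saDisabled, saName = 'sa') {
  return {
    users: [
      { name: saName,
        sqlserver: { principalId: 1, sid: '0x01', source: 'sys.server_principals',
                     isDisabled: saDisabled } },
      { name: 'app_user',                      // ordinary login, never flagged
        sqlserver: { principalId: 259, source: 'sys.server_principals',
                     isDisabled: false } },
    ],
  };
}

const FIXTURES = {
  compliant:    makeSettings(true),            // sa present but disabled
  nonCompliant: makeSettings(false),           // sa enabled
  renamedSa:    makeSettings(false, 'svc_db'), // renamed, still principal_id 1
  noUsers:      { users: [] },                 // nothing collected
  missingUsers: {},                            // users key absent entirely
};

// Evaluate every fixture; returns a name -> result map.
function runAudit(fixtures = FIXTURES) {
  const results = {};
  for (const [name, settings] of Object.entries(fixtures)) {
    results[name] = checkSaDisabled(settings);
  }
  return results;
}

for (const [name, result] of Object.entries(runAudit())) {
  console.log(`${name}: ${result.success ? 'PASS' : 'FAIL'}`,
              result.findings.length ? result.findings : '');
}
```

The `renamedSa` fixture is the instructive case: renaming the login does not change its principal_id or sid, so the check still fails until the login is actually disabled, which is the behaviour the rule's `principalId === 1` test is designed to give.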