Changes for sa Login Safety

Every SQL Server install includes the sa login as a sysadmin. This can be good for consistency; however, that also makes it a prime target for attackers trying to get into your SQL Server. That is one of many reasons why you should make the following changes to protect your sa login from being used in an attack.

Set a Secure sa Password

Like any login or account, make sure a secure password is used. Using “password” or “123456” for sa is a recipe for disaster. My recommendation would be to use a site like https://passwordsgenerator.net/ to create a random password that can’t easily be guessed and can be stored somewhere safe. In SSMS, go to Security > Logins > sa. Right click the sa login and select Properties. From the General page, set your secure password.

Is it a password you can rattle off with ease? Hopefully not. I prefer if it’s a password you can’t ever remember and always have to go retrieve from some type of password vault.

Disable sa

What if you’re in a nice situation where the sa login is not required to be used? Nobody should be logging into a SQL Server sa and applications shouldn’t be using it either (consider the principle of least privilege). If you’re able, disable the sa login. Following the same steps as changing the password, we can instead go to the Status page and make sure the sa login is disabled.

Change sa Login Name

If you’re not using the sa login and you are able to disable it, you may also want to change the name. This may sound a bit risky but SQL Server will always know which login is sa and so can you based on the 0x01 sid value that we can see in sql_logins:

SELECT *
FROM sys.sql_logins;
GO

SQL Server can still use sa where needed. If you ever needed to find the true sa login to change it back, this is how you could find it.

Right click on the sa login and select rename to change the name.

Better Safe Than Sorry

You don’t have much to lose by making these changes. They can all be done in a matter of seconds and can protect your databases and your job!

Thanks for reading!

One thought on “Changes for sa Login Safety”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s