Every SQL Server install includes the sa login as a sysadmin. This can be good for consistency; however, that also makes it a prime target for attackers trying to get into your SQL Server. That is one of many reasons why you should make the following changes to protect your sa login from being used in an attack.
Set a Secure sa Password
Like any login or account, make sure a secure password is used. Using “password” or “123456” for sa is a recipe for disaster. My recommendation would be to use a site like https://passwordsgenerator.net/ to create a random password that can’t easily be guessed and can be stored somewhere safe. In SSMS, go to Security > Logins > sa. Right click the sa login and select Properties. From the General page, set your secure password.
Is it a password you can rattle off with ease? Hopefully not. I prefer if it’s a password you can’t ever remember and always have to go retrieve from some type of password vault.
What if you’re in a nice situation where the sa login is not required to be used? Nobody should be logging into a SQL Server as sa, and applications shouldn’t be using it either (consider the principle of least privilege). If you’re able, disable the sa login. Following the same steps as changing the password, we can instead go to the Status page and make sure the sa login is disabled.
Change sa Login Name
If you’re not using the sa login and you are able to disable it, you may also want to change the name. This may sound a bit risky, but SQL Server will always know which login is sa, and so can you: it is the login whose sid is 0x01 in sys.sql_logins:
SELECT * FROM sys.sql_logins; -- the row whose sid is 0x01 is the real sa, whatever it is currently named
GO
SQL Server can still use sa where needed. If you ever needed to find the true sa login to change it back, this is how you could find it.
Right click on the sa login and select rename to change the name.
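The same three changes (set a strong password, disable, rename) and the sid 0x01 check as T-SQL instead of SSMS clicks. This is an added example, not code from the original post; the password and the new login name are placeholders to replace with your own values.

```sql
USE master;
GO

-- 1. Set a strong password (placeholder value: paste one from your generator/vault instead)
--    CHECK_POLICY = ON makes SQL Server enforce the Windows password policy on this login.
ALTER LOGIN sa WITH PASSWORD = '<REPLACE-WITH-GENERATED-PASSWORD>', CHECK_POLICY = ON;
GO

-- 2. Disable the login if no person or application legitimately needs it
ALTER LOGIN sa DISABLE;
GO

-- 3. Rename it (placeholder name); SQL Server still tracks the login by its sid, 0x01
ALTER LOGIN sa WITH NAME = [sa_renamed_placeholder];
GO

-- Verify: whatever the name is now, sid 0x01 is the real sa, and is_disabled should be 1
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE sid = 0x01;
GO
```

Run the verification query on its own at any time to find the true sa login again if you ever need to change it back.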
Better Safe Than Sorry
You don’t have much to lose by making these changes. They can all be done in a matter of seconds and can protect your databases and your job!
Thanks for reading!