
V-276318

CAT II (Medium)

Azure SQL Managed Instance default [sa] account must have its name changed.

Rule ID

SV-276318r1150020_rule

STIG

Microsoft Azure SQL Managed Instance Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000381

Discussion

Azure SQL Managed Instance's [sa] account has special privileges required to administer the database. Because [sa] is a well-known account name, it is likely to be targeted by attackers and is thus more prone to providing unauthorized access to the database. Because [sa] is administrative in nature, compromise of this default account can have catastrophic consequences, including the complete loss of control over Azure SQL Managed Instance. SQL Server needs this account to exist, so it must not be removed; one way to mitigate the risk is to change the [sa] account name.

Check Content

Verify the Azure SQL Managed Instance default [sa] account name has been changed by executing the following query:

USE master;
GO
-- Return the default administrative login, whether it is still named [sa] or has been renamed (principal_id = 1).
SELECT name FROM sys.sql_logins WHERE UPPER(name) = 'SA' OR principal_id = 1;

If the name returned in the query output contains the consecutive letters "sa", this is a finding.

Fix Text

Modify the Azure SQL Managed Instance's [sa] account name by running the following example script:  

USE master;
GO
-- NewAccountName is a placeholder; substitute the new login name.
ALTER LOGIN [sa] WITH NAME = [NewAccountName];