Rule ID
SV-276317r1150033_rule
Version
V1R1
CCIs
Azure SQL Managed Instance [sa] account has special privileges required to administer the database. The [sa] account is a well-known account and is likely to be targeted by attackers and thus more prone to providing unauthorized access to the database. This [sa] default account is administrative and could lead to catastrophic consequences, including the complete loss of control over Azure SQL Managed Instance. If the [sa] default account is not disabled, an attacker could gain access through the account. Azure SQL Managed Instance by default disables the [sa] account at creation. Some applications that run on Azure SQL Managed Instance require the [sa] account to be enabled for the application to function properly. These applications that require the [sa] account to be enabled are usually legacy systems.
Check Azure SQL Managed Instance settings to determine if the [sa] account has been disabled by executing the following query: USE master; GO SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1; GO The "name" column contains the current name of the [sa] database server account. If the "is_disabled" column is not set to "1", this is a finding.
Modify the enabled flag of Azure SQL Managed Instance's [sa] account by running the following script: USE master; GO ALTER LOGIN [sa] DISABLE; GO