-
Notifications
You must be signed in to change notification settings - Fork 10
Configure SA Account
| Previous Configure DBA Non-Sysadmin Group | Manual Configuration | Configure xp_cmdshell Proxy Account Next |
|---|
FineBuild can configure the sa Account so that it is disabled and optionally renamed. This is done to make it harder for anyone who is not aware of the site SQL Server configuration to compromise SQL Server security.
It is considered to be good practice to disable the sa account, as this eliminates an attack vector on to SQL Server.
It is no longer considered to be good practice to rename the sa account. This is because of repeated experience where upgrading SQL Server to a new edition or Service Pack has failed if the sa account has been renamed. Although this can be considered as a bug, the risk of Microsoft repeating this problem in future Service Packs or other fixes of SQL Server has to be taken into account. Each site should take their own view about renaming the sa account.
If the sa account is renamed, it is possible that some applications are written so that an account called sa is needed to perform the application install. In this situation, it is recommended that a new account called sa is created for the duration of the install process, and then deleted when the install is complete.
SA Account configuration helps to prevent unexpected use of the system administration account. If you setup Security Compliance then SA Account configuration will always be implemented.
The sa Account configuration relates to Process Id 5CD and is controlled by the parameters below:
| SQL Version | Parameter | FULL Build | WORKSTATION Build | CLIENT Build |
|---|---|---|---|---|
| SQL2019 | /SetupDisableSA: | Yes | Yes | N/A |
| SQL2017 | /SetupDisableSA: | Yes | Yes | N/A |
| SQL2016 | /SetupDisableSA: | Yes | Yes | N/A |
| SQL2014 | /SetupDisableSA: | Yes | Yes | N/A |
| SQL2012 | /SetupDisableSA: | Yes | Yes | N/A |
| SQL2008R2 | /SetupDisableSA: | Yes | Yes | N/A |
| SQL2008 | /SetupDisableSA: | Yes | Yes | N/A |
| SQL2005 | /SetupDisableSA: | Yes | Yes | N/A |
In order to maintain compatibility with older versions of SQL FineBuild, the parameter ConfigDisableSA can also be used.
FineBuild also uses the following parameters to help Configure the sa Account:
| Parameter | Default Value | Description |
|---|---|---|
| /saName: | sa | New name for the sa account |
FineBuild will automatically disable and optionally rename the sa account.
The following steps show what you would have to do for manual SA Account configuration. FineBuild does all of this work for you automatically.
- Disable the sa account by running the following SQL statement in a SSMS query window:
ALTER LOGIN [sa] DISABLE - Optionally, within a query window enter the following command to rename the sa account.
ALTER LOGIN [sa] WITH NAME=[saName]
Copyright FineBuild Team © 2013 - 2020. License and Acknowledgements
| Previous Configure DBA Non-Sysadmin Group | Top | Configure xp_cmdshell Proxy Account Next |
|---|
Key SQL FineBuild Links:
SQL FineBuild supports:
- All SQL Server versions from SQL 2019 through to SQL 2005
- Clustered, Non-Clustered and Core implementations of server operating systems
- Availability and Distributed Availability Groups
- 64-bit and (where relevant) 32-bit versions of Windows
The following Windows versions are supported:
- Windows 2022
- Windows 11
- Windows 2019
- Windows 2016
- Windows 10
- Windows 2012 R2
- Windows 8.1
- Windows 2012
- Windows 8
- Windows 2008 R2
- Windows 7
- Windows 2008
- Windows Vista
- Windows 2003
- Windows XP