Configure sa Account - SQL-FineBuild/Common GitHub Wiki
FineBuild can configure the sa Account so that it is disabled and optionally renamed. This is done to make it harder for anyone who is not aware of the site SQL Server configuration to compromise SQL Server security.
It is considered to be good practice to disable the sa account, as this eliminates an attack vector against SQL Server.
It is no longer considered to be good practice to rename the sa account. This is because of repeated experience where upgrading SQL Server to a new edition or Service Pack has failed if the sa account has been renamed. Although this can be considered a bug, the risk of Microsoft repeating this problem in future Service Packs or other fixes of SQL Server has to be taken into account. Each site should take its own view about renaming the sa account.
If the sa account is renamed, it is possible that some applications are written so that an account called sa is needed to perform the application install. In this situation, it is recommended that a new account called sa is created for the duration of the install process, and then deleted when the install is complete.
SA Account configuration helps to prevent unexpected use of the system administration account. If you set up Security Compliance then SA Account configuration will always be implemented.
The sa Account configuration relates to Process Id 5CD and is controlled by the parameters below:
SQL Version | Parameter | FULL Build | WORKSTATION Build | CLIENT Build |
---|---|---|---|---|
SQL2019 | /SetupDisableSA: | Yes | Yes | N/A |
SQL2017 | /SetupDisableSA: | Yes | Yes | N/A |
SQL2016 | /SetupDisableSA: | Yes | Yes | N/A |
SQL2014 | /SetupDisableSA: | Yes | Yes | N/A |
SQL2012 | /SetupDisableSA: | Yes | Yes | N/A |
SQL2008R2 | /SetupDisableSA: | Yes | Yes | N/A |
SQL2008 | /SetupDisableSA: | Yes | Yes | N/A |
SQL2005 | /SetupDisableSA: | Yes | Yes | N/A |
In order to maintain compatibility with older versions of SQL FineBuild, the parameter ConfigDisableSA can also be used.
FineBuild also uses the following parameters to help configure the sa Account:
Parameter | Default Value | Description |
---|---|---|
/saName: | sa | New name for the sa account |
FineBuild will automatically disable and optionally rename the sa account.
The following steps show what you would have to do for manual SA Account configuration. FineBuild does all of this work for you automatically.
- Disable the sa account by running the following SQL statement in an SSMS query window:

  ```sql
  ALTER LOGIN [sa] DISABLE
  ```

- Optionally, within a query window enter the following command to rename the sa account.

  ```sql
  -- Replace saName with the new name for the account (the /saName: value)
  ALTER LOGIN [sa] WITH NAME=[saName]
  ```
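A check that can be run after the steps above to confirm the result, added here as an example and not part of FineBuild. It finds the built-in account by its fixed SID `0x01`, so a rename does not hide it, and it reports any separate login named sa that was created for an application install and not deleted afterwards. The column aliases and finding texts are chosen for illustration.

```sql
-- Added example (not FineBuild code): audit the sa account configuration.

-- 1. Current state of the built-in sa login. The built-in account always has
--    SID 0x01, whatever name it currently carries.
SELECT
    sp.name                                        AS builtin_sa_name,
    sp.is_disabled                                 AS is_disabled,
    CASE WHEN sp.name = N'sa' THEN 0 ELSE 1 END    AS is_renamed,
    sp.modify_date                                 AS last_modified
FROM sys.server_principals AS sp
WHERE sp.sid = 0x01;

-- 2. Findings that need attention. An empty result set means the built-in
--    account is disabled and no stand-in login called sa has been left behind.
SELECT
    N'Built-in sa login is still enabled'          AS finding,
    sp.name                                        AS login_name,
    sp.create_date                                 AS created,
    IS_SRVROLEMEMBER('sysadmin', sp.name)          AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.sid = 0x01
  AND sp.is_disabled = 0

UNION ALL

SELECT
    N'Separate login named sa exists (install stand-in not deleted?)',
    sp.name,
    sp.create_date,
    IS_SRVROLEMEMBER('sysadmin', sp.name)
FROM sys.server_principals AS sp
WHERE sp.sid <> 0x01
  AND sp.type = 'S'          -- SQL Server authenticated logins only
  AND sp.name = N'sa';
```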
Copyright FineBuild Team © 2013 - 2020. License and Acknowledgements