
Configure SA Account

FineBuild can configure the sa Account so that it is disabled and optionally renamed. This is done to make it harder for anyone who is not aware of the site SQL Server configuration to compromise SQL Server security.

It is considered good practice to disable the sa account, as this eliminates an attack vector against SQL Server.

It is no longer considered good practice to rename the sa account. This is because of repeated experience where upgrading SQL Server to a new edition or Service Pack has failed if the sa account has been renamed. Although this can be considered a bug, the risk of Microsoft repeating this problem in future Service Packs or other fixes of SQL Server has to be taken into account. Each site should take its own view about renaming the sa account.

If the sa account is renamed, it is possible that some applications are written so that an account called sa is needed to perform the application install. In this situation, it is recommended that a new account called sa is created for the duration of the install process, and then deleted when the install is complete.

Security Compliance

SA Account configuration helps to prevent unexpected use of the system administration account. If you set up Security Compliance then SA Account configuration will always be implemented.

FineBuild Configure SA Account

The sa Account configuration relates to Process Id 5CD and is controlled by the parameters below:

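| Parameter | Build | SQL2005 | SQL2008 | SQL2008 R2 | SQL2012 | SQL2014 | SQL2016 |
|---|---|---|---|---|---|---|---|
| SetupDisableSA | FULL | Yes | Yes | Yes | Yes | Yes | Yes |
| SetupDisableSA | WORKSTATION | Yes | Yes | Yes | Yes | Yes | Yes |
| SetupDisableSA | CLIENT | N/A | N/A | N/A | N/A | N/A | N/A |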

In order to maintain compatibility with older versions of SQL FineBuild, the parameter ConfigDisableSA can also be used.

FineBuild also uses the following parameters to help Configure Sysadmin Accounts:

| Parameter | Default Value | Description |
|---|---|---|
| saName | sa | New name for the sa account |

FineBuild will automatically disable and optionally rename the sa account.

Manual Configure SA Account

The following steps show what you would have to do for manual SA Account configuration. FineBuild does all of this work for you automatically.

1) Disable the sa account by running the following SQL statement in an SSMS query window:
ALTER LOGIN [sa] DISABLE

2) Optionally, in a query window, run the following command to rename the sa account, replacing saName with the new name:
ALTER LOGIN [sa] WITH NAME=[saName]
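
The two manual steps above can be combined into one re-runnable script that also verifies the result. This is an added example, not FineBuild's own code; it finds the built-in account by its fixed SID (0x01) so it still works after a rename, and the @NewName variable is an assumed placeholder for the saName value.

```sql
-- Added example (not FineBuild code): disable, optionally rename, then verify sa.
SET NOCOUNT ON;

DECLARE @NewName sysname;        -- assumed placeholder for the saName parameter
DECLARE @CurrentName sysname;
DECLARE @Sql nvarchar(400);

SET @NewName = NULL;             -- leave NULL to disable without renaming

-- The built-in sa login always has SID 0x01, whatever it is currently called.
SELECT @CurrentName = name
FROM sys.server_principals
WHERE sid = 0x01;

-- Step 1: disable. ALTER LOGIN does not accept variables, so the statement is
-- built dynamically and the login name is quoted with QUOTENAME.
SET @Sql = N'ALTER LOGIN ' + QUOTENAME(@CurrentName) + N' DISABLE;';
EXEC sys.sp_executesql @Sql;

-- Step 2 (optional): rename, unless the target name is already taken.
IF @NewName IS NOT NULL AND @NewName <> @CurrentName
BEGIN
    IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @NewName)
        RAISERROR(N'A login named %s already exists; rename skipped.', 16, 1, @NewName);
    ELSE
    BEGIN
        SET @Sql = N'ALTER LOGIN ' + QUOTENAME(@CurrentName)
                 + N' WITH NAME = ' + QUOTENAME(@NewName) + N';';
        EXEC sys.sp_executesql @Sql;
    END
END;

-- Verify: the SID 0x01 login should show is_disabled = 1.
SELECT name, is_disabled, modify_date
FROM sys.server_principals
WHERE sid = 0x01;

-- After a rename, any other login called sa (for example a temporary one
-- created for an application install) is listed here so it can be deleted.
SELECT name, sid, is_disabled, create_date
FROM sys.server_principals
WHERE name = N'sa' AND sid <> 0x01;
```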

Copyright FineBuild Team © 2013 - 2016. License and Acknowledgements

Last edited Aug 27, 2016 at 1:25 PM by EdVassie, version 4