hardening of SA account causes failed login found in error logs

  • Hi Guys,

    i am hardening the SA but disabling it and renaming it according to CIS hardening guide. But found multiple failed login errors in Error logs. Did a further trace using the sql profiler and discover:

    Login failed for user 'sa'. Reason:.... Always On Operations Dashboard

    i could not found any supporting technote from Microsoft saying that it should be exempted from any further hardening.

    did u guys just leave the SA account as it it. If that is the case isn't that non-compliance to the security hardening that is within best practice?



  • Thanks for posting your issue and hopefully someone will answer soon.

    This is an automated bump to increase visibility of your question.

  • I don't have ALWAYS ON configured on any of my instances as we have a different tool for handling failover.

    We also have some 3rd party tools that don't support windows authentication for SQL Server, so we need to have SQL logins enabled.  Some of these tools require the sa account (scary, but not a lot I can do about it.  They are hard-coded to use sa and explicitly ask for the sa password... these tools end up getting their own Instance as I don't trust them to not screw up other databases on the same instance OR to store the sa password poorly and have it get leaked).  So I don't have sa disabled or renamed on all of my instances.

    As for renaming the account and disabling it, renaming isn't really required if it is disabled.  If a user (hacker) can get into the system enough that they can enable the sa account, they can also look up who is in the sysadmin role and figure out what you renamed it to.

    Now, as for that always on operations dashboard error, is your always on configured to be run as SA?  Or for that matter, is anything configured to run as sa?  Disabling the sa account is a good practice, but disabling the sa account when it is in use is going to be problematic.  Having as few users as possible in sysadmin is also best practice, but I wouldn't recommend removing everyone.

  • We implement CIS and have AOAG's the SA account is fully disabled and we dont get the error.

    What was the implementation path, did you do the AOAG's before applying CIS.  Are the HADR_ENDPOINTS owned by the SA account.

    We always apply CIS before any other configuration and that seems to work out great for everything else after the fact.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply