sa is taboo for remote connections (the password goes as open text if there is no forced network encryption). A DBA has to have a good reason to make me think they need sa to log in.
Another exception for a user to be in master is the SQL service account (when BUILTIN\Administrators is removed). This account doesn't need to be a Windows administrator; sysadmin has to be granted to it. In my case the service account sits in master in addition to sa.