I have a strange problem. In SQL Server Management Studio 18, I tried to log in with the sa account. It failed.
I know in this case we should check mixed mode auth and the sa enabled checkbox. I checked them and they were enabled. I searched all over the net for other checkboxes or something useful, but found nothing that was not already enabled for me.
I logged in with Windows auth and changed the password of sa. After changing it, the sa login worked. But a few minutes later, after some tests with my application, I realized that I can't log in remotely as sa. I went back and checked again in Management Studio and, unbelievably, the sa login failed again.
I changed the sa password and the story repeated again. What was happening?
Note: while this doesn't directly resolve a problem experienced with the SA account, which is ultimately unknowable without extensive investigation into the specific host environment, it does form part of best practice which the OP has identified as having resolved their overall problem.
The original comment:
Disable the SA account and create a dedicated application and/or user
login with appropriate permissions. The first thing I do on a new SQL
instance is kill SA as it's a prime attack surface.
Related
When using MS SQL Server, I keep trying to create more logins for the server with their own passwords; however, as soon as the login has been created, I go back to look at the login settings and see that the password has been reset to some mysterious 15 character password.
As you can imagine, this basically makes the login unusable. I've seen other cases similar to this specifically for the "sa" login however nothing on the creation of custom logins.
I've tried unchecking the "User must change password at next login", "Enforce password expiration", and "Enforce password policy" checkboxes but this has no effect. The one thing that does work is using no password at all, but obviously this is a huge security risk.
MS SQL Server never stores your password, for security reasons. MS SQL Server stores only the HASH of your password.
Therefore the settings form can't show the password. Instead it shows
some mysterious 15 characters.
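The point above can be checked directly on the instance. The following T-SQL is an added example, not code from the answer: it lists the stored hash (and only the hash) for each SQL login, and then uses the stored hash to audit for blank passwords, the "no password at all" workaround the question mentions, and for passwords equal to the login name. Reading `password_hash` requires CONTROL SERVER or VIEW ANY DEFINITION; everything else is standard `sys.sql_logins`, `LOGINPROPERTY` and `PWDCOMPARE`.

```sql
-- Added example: SQL Server keeps only a salted hash for SQL logins.
-- Requires CONTROL SERVER / VIEW ANY DEFINITION to see password_hash.
USE master;
GO
-- The original password is not recoverable from the hash, which is why the
-- login properties dialog shows filler characters instead of the password.
SELECT name,
       password_hash,                                   -- varbinary; NULL for Windows logins
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE is_disabled = 0;
GO
-- The hash is still usable for a server-side check: PWDCOMPARE verifies a
-- candidate password against the stored hash without revealing the hash.
-- This finds logins with an empty password or a password equal to the name.
SELECT name,
       CASE WHEN PWDCOMPARE(N'', password_hash) = 1   THEN 'BLANK PASSWORD'
            WHEN PWDCOMPARE(name, password_hash) = 1  THEN 'PASSWORD = LOGIN NAME'
       END AS finding
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;
GO
```

Any row returned by the second query is a login that should get a new password with `ALTER LOGIN ... WITH PASSWORD = ..., CHECK_POLICY = ON` before the instance is exposed to anything.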
I have a database BugTracker which is accessible from "sa" user.
I have just created new user AdminBugCatcher. I have also mapped "BugTracker" database with this user. But this database should not be accessible through "sa" user.
How can we achieve the same?
I have already tried to unlink this database from "sa" user but getting an error "Drop failed for the User "dbo" ".
I don't think it's possible. I'm not an expert, but I do have about 7 years of experience with SQL Server, and to the best of my knowledge, sa is system administrator, and you can't block this user from anything.
You can disable the sa login (although I wouldn't recommend it), or better yet, just don't give the sa password to anyone except the system administrator.
For a little bit more information, read this.
You can't remove the sa account but you can rename and/or disable it.
Just make sure if you disable the sa account that you have another account with administrator privileges.
Please refer to the link below for disabling/renaming:
http://www.andreas-kraus.net/blog/security-advise-rename-your-sql-server-2005-sa-account/
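The rename/disable advice in this answer, and the "disable sa, create a dedicated application login" comment quoted earlier on this page, come down to the same script. The T-SQL below is an added example (not the answers' own code): it first confirms another enabled sysadmin exists so you cannot lock yourself out, renames and disables sa, and creates a least-privileged application login. The login name `AppSvc_BugTracker` and the renamed sa `sa_disabled_placeholder` are assumed names chosen here; `BugTracker` is the database name from a question on this page. Run it over Windows authentication as a sysadmin, not while connected as sa.

```sql
-- Added example: harden sa and replace it with a dedicated application login.
USE master;
GO
-- 1. Refuse to continue unless some other enabled login is in sysadmin;
--    disabling sa without one leaves only the DAC and Windows admin paths.
IF NOT EXISTS (
    SELECT 1
    FROM sys.server_role_members rm
    JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin' AND m.name <> N'sa' AND m.is_disabled = 0)
    THROW 50000, N'Create another sysadmin login before disabling sa.', 1;
GO
-- 2. sa cannot be dropped and stays in sysadmin; rename it so the default
--    name no longer matches, then disable it. (Name is a placeholder.)
ALTER LOGIN sa WITH NAME = [sa_disabled_placeholder];
ALTER LOGIN [sa_disabled_placeholder] DISABLE;
GO
-- 3. Dedicated application login with the Windows password policy enforced.
--    Replace the password literal; CHECK_POLICY rejects weak values.
CREATE LOGIN AppSvc_BugTracker
    WITH PASSWORD = N'<replace-with-a-long-random-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF,          -- app passwords are rotated by process, not prompt
         DEFAULT_DATABASE = BugTracker;
GO
USE BugTracker;
GO
-- 4. Map the login into the one database it needs and grant data access only:
--    no db_owner, no DDL, no access to other databases.
CREATE USER AppSvc_BugTracker FOR LOGIN AppSvc_BugTracker;
ALTER ROLE db_datareader ADD MEMBER AppSvc_BugTracker;
ALTER ROLE db_datawriter ADD MEMBER AppSvc_BugTracker;
GO
-- 5. Verify: principal_id 1 is the (renamed) sa and must be disabled;
--    the application login must not be a sysadmin.
USE master;
GO
SELECT name, is_disabled, IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.sql_logins
WHERE principal_id = 1 OR name = N'AppSvc_BugTracker';
GO
```

The `THROW` guard and `ALTER ROLE ... ADD MEMBER` need SQL Server 2012 or later; on 2008 R2 use `RAISERROR` and `sp_addrolemember` instead.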
sa is a member of the SYSADMIN role and this can't be changed.
All you can do is put a strong password on "sa" and keep it safe.
I am using SQL Server 2008 R2. Since 2-3 weeks ago, the sa password has been continuously changing automatically. Does anyone know why this is the case?
Make sure that you have not set the SA account up to change its password after a set amount of time. In PCI compliance mode you may have to roll security passwords. However, you should account for this for your SA accounts.
**SA passwords** don't change or reset automatically.
You can visit possible solution at this link:
sa password keep changing automatically
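To tell an expiry/policy setting apart from someone actually changing the password, the two checks below (added here; not from any answer on this page) read the policy and password-age properties of sa, then pull login and password change events out of the default trace with the name of the login that made each change. The trace event classes are the standard SQL Trace audit events; which of them your instance's default trace records can be confirmed with `sys.fn_trace_geteventinfo`.

```sql
-- Added example: is sa's password expiring, and who last changed it?
USE master;
GO
-- 1. Policy/expiration flags and password age for sa (principal_id 1,
--    which still identifies it after a rename).
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime')  AS password_last_set,
       LOGINPROPERTY(name, 'DaysUntilExpiration')  AS days_until_expiration,
       LOGINPROPERTY(name, 'IsExpired')            AS is_expired,
       LOGINPROPERTY(name, 'IsMustChange')         AS is_must_change,
       LOGINPROPERTY(name, 'IsLocked')             AS is_locked,
       LOGINPROPERTY(name, 'BadPasswordCount')     AS bad_password_count
FROM sys.sql_logins
WHERE principal_id = 1;
GO
-- 2. Login audit events from the default trace: who changed which login,
--    from which host and program. Point at the base file name (log.trc)
--    so every rollover file is read, not just the current one.
DECLARE @path nvarchar(260);
SELECT @path = path FROM sys.traces WHERE is_default = 1;
SET @path = LEFT(@path, LEN(@path) - CHARINDEX('\', REVERSE(@path)) + 1) + N'log.trc';

SELECT t.StartTime,
       e.name            AS event_name,      -- e.g. Audit Login Change Password Event
       t.TargetLoginName AS changed_login,
       t.LoginName       AS changed_by,
       t.HostName,
       t.ApplicationName
FROM sys.fn_trace_gettable(@path, DEFAULT) AS t
JOIN sys.trace_events AS e ON e.trace_event_id = t.EventClass
WHERE t.EventClass IN (104, 105, 106, 107, 108)   -- Addlogin, Login GDR, Change Property, Change Password, Add to Server Role
  AND t.TargetLoginName = N'sa'
ORDER BY t.StartTime DESC;
GO
```

If `is_expiration_checked` is 1 and `days_until_expiration` keeps reaching 0, the "automatic" change is the expiry policy; if the trace shows a `changed_by` login and host you do not recognise, treat it as an unauthorised change and rotate every credential that login could reach.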
The title says it pretty well: I can access my SQL Server from the internet, and my users are configured with strong passwords to access only their respective DBs.
But I receive 10000+ login attacks by day with the user "sa".
I don't need "sa" remote access; how do I disable it, and only it?
Thank you!
Security practices by Microsoft and industry state that if you use SQL authentication, you should rename the sa account and disable it. There is really no reason to use that account explicitly for an application or admin account. Most companies require traceability when it comes to security, and use of the sa account in SQL Server does not allow for that.
Even if you disable or rename it you will still see attacks coming in for that account, it comes with the territory. The same thing occurs with the default login Oracle has in their product. Script kiddies and other hacking programs are just programmed to check for those type of accounts.
A better option might be to report where the attacks are coming from on the network side to your network team or ISP. They will be able to better handle that to block that traffic through the network layer. Just my opinion.
Perhaps this might help: in conjunction with this:
As far as I know SQL Server lets you disable single SQL Server logins, but that means the login is disabled in general, regardless of the machine the user is trying to connect from. So you either disable "sa" in general or you'll have to give the login a really strong password. You might be able to emulate the desired behavior by using a logon trigger that checks where the user connects from if the user is "sa", but I think that's not a viable solution for you, since you seem to want to get rid of the many connection attempts from attacks. In any case, you might want to remove "sa" from the server role "sysadmin" to guard against a potentially successful login attempt.
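The logon-trigger emulation mentioned in this answer looks like the following. It is an added example, not the answer's own code, and it answers the question's "only remote sa" wording literally: sa sessions that do not originate on the server itself are rolled back, while local ones still work. The trigger name `trg_sa_local_only` is assumed, and so is the assumption that sa has not been renamed. As the answer says, this does not stop the attempts: each one is still authenticated (and logged as a failure) before the trigger runs, so the flood has to be handled at the network layer.

```sql
-- Added example: allow sa only from the local machine via a logon trigger.
-- Logon triggers apply to sysadmins too; only the Dedicated Admin
-- Connection (sqlcmd -A) bypasses them, which is your way back in if the
-- trigger misbehaves:  DROP TRIGGER trg_sa_local_only ON ALL SERVER;
USE master;
GO
CREATE TRIGGER trg_sa_local_only
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- ClientHost in the LOGON event data is '<local machine>' for local
    -- shared-memory connections; loopback TCP reports the loopback address
    -- (assumption: list both forms so local admin tools are not cut off).
    DECLARE @host nvarchar(100) =
        EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(100)');

    IF ORIGINAL_LOGIN() = N'sa'
       AND @host NOT IN (N'<local machine>', N'127.0.0.1', N'::1')
    BEGIN
        -- ROLLBACK inside a logon trigger denies the connection; the client
        -- sees "Logon failed for login due to trigger execution" (msg 17892),
        -- which is also written to the SQL Server error log.
        ROLLBACK;
    END;
END;
GO
-- Confirm the trigger is installed and enabled.
SELECT name, is_disabled, create_date
FROM sys.server_triggers
WHERE name = N'trg_sa_local_only';
GO
```

Test it from a second machine before relying on it, and keep the DAC enabled for remote use (`sp_configure 'remote admin connections', 1`) if the server is not physically reachable.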
I was just wondering if anybody knows how to detect what is calling the sa login on my SQL Server 2005. I have a stack of websites and I swear I configured these with a different user id and password, but my event viewer logs tell me that something is constantly trying to login using the sa credentials. Any help would be appreciated.
Run Profiler, create a new trace, and use the events Audit Login and Audit Login Failed. You can filter for username sa if you want.
See also this post by onpnt: To SA or not to SA
You could also use a logon trigger, but that will only fire if the authentication is successful.
If they are successfully connected then you can look in sys.dm_exec_connections, this will at least tell you the client_net_address (IP address as reported to Windows). You can also look at PROGRAM_NAME and HOST_NAME in sys.dm_exec_sessions, but be aware that these are not necessarily populated, and are easy to spoof.
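Putting the two answers together, the T-SQL below is an added example (not the answers' own code) that covers both directions: the DMV join for sessions that already authenticated as sa, the error log for failures that already happened, and an Extended Events session that captures future failed logins (error 18456) with the caller's host and program, which is the current replacement for the Profiler trace suggested above. The session name `failed_logins_sa` and the target path `C:\SQLLogs\` are constructed; use a directory the SQL Server service account can write to.

```sql
-- Added example: who is using, or trying to use, the sa login?
USE master;
GO
-- 1. Successful sa sessions right now. host_name and program_name are sent
--    by the client and can be faked; client_net_address is what the server saw.
SELECT s.session_id, s.login_time, s.host_name, s.program_name,
       c.client_net_address, c.net_transport, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.original_login_name = N'sa';
GO
-- 2. Failed sa logins already recorded in the current error log
--    (log 0, type 1 = SQL Server log, both search strings must match).
EXEC sys.xp_readerrorlog 0, 1, N'Login failed', N'sa';
GO
-- 3. Capture future failed logins with client details. error_reported with
--    error 18456 / severity 14 is the login-failure event.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'failed_logins_sa')
    DROP EVENT SESSION failed_logins_sa ON SERVER;
GO
CREATE EVENT SESSION failed_logins_sa ON SERVER
ADD EVENT sqlserver.error_reported (
    ACTION (sqlserver.client_hostname,
            sqlserver.client_app_name,
            sqlserver.username,
            sqlserver.session_id)
    WHERE error_number = 18456 AND severity = 14)
ADD TARGET package0.event_file (
    SET filename = N'C:\SQLLogs\failed_logins_sa.xel',   -- constructed path
        max_file_size = 50)                              -- MB per rollover file
WITH (STARTUP_STATE = ON);                               -- survives restarts
GO
ALTER EVENT SESSION failed_logins_sa ON SERVER STATE = START;
GO
-- 4. Read what was captured. The message text carries the login name and
--    the failure state, so filter on it for sa.
SELECT x.value('(event/@timestamp)[1]', 'datetime2')                                  AS event_time,
       x.value('(event/data[@name="message"]/value)[1]', 'nvarchar(4000)')           AS message,
       x.value('(event/action[@name="client_hostname"]/value)[1]', 'nvarchar(256)')  AS client_host,
       x.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(256)')  AS client_app
FROM sys.fn_xe_file_target_read_file(N'C:\SQLLogs\failed_logins_sa*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CAST(f.event_data AS xml)) AS ed(x)
WHERE x.value('(event/data[@name="message"]/value)[1]', 'nvarchar(4000)') LIKE N'%''sa''%'
ORDER BY event_time DESC;
GO
```

For the SQL Server 2005 instance in the question, Extended Events is not available, so the Profiler trace or the error log (`xp_readerrorlog`) is the route there; on 2008 and later the session above gives the same data without the Profiler overhead. The client host name in a failed login is self-reported, so treat it as a lead rather than proof and confirm against the connecting IP in the error log entry.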