If you are running your databases in a Windows network environment, the best practice is to use Windows Authentication rather than Mixed Authentication (both Windows and SQL Authentication). However, many companies still use Mixed Authentication, which allows both AD accounts and SQL accounts. If your organization MUST use SQL authenticated accounts (SQL Logins), you must ensure that your SA account is locked down as completely as possible and that only key people in the team know the password.

The most obvious first steps are to use a complex passphrase, create separate accounts for each DBA, and then ensure that nothing ever uses the SA account.

However, there is still an issue to resolve with someone attempting to hack into your SQL Server by using a brute force attack against the SA account. Just like the Administrator account in Windows, the SA account can NOT be locked out, regardless of the number of failed login attempts.

As a DBA or system administrator, you can defeat brute force attacks on the Administrator (SA) account of your SQL Servers in a very simple way: rename it. Once the SA account is renamed, attackers who try to connect with the default SA name will fail, because that login name is no longer valid.

Let’s take a look at the steps required to rename the default SA account.

Note: Renaming an SA account was not possible prior to SQL Server 2005.

Renaming SA Account

-- Rename the built-in SA login; SALEEM is the example name used here
ALTER LOGIN [SA] WITH NAME = [SALEEM];
GO

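Once the above step is performed (i.e. the SA account has been renamed), let’s disable the account under its new name:

-- The login is no longer called SA after the rename, so reference the new name
ALTER LOGIN [SALEEM] DISABLE;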
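The rename and disable steps above, combined with verification queries, as an added example that is not part of the original article. It assumes the new name SALEEM used on this page and a session running as a sysadmin member; it relies on the fact that the built-in login keeps SID 0x01 after a rename.

```sql
-- Added example. Assumption: SALEEM is the new name, as in the article.
-- Every step keys on SID 0x01 rather than the login name, so the script
-- can be re-run safely whether or not the rename has already happened.

DECLARE @new     sysname = N'SALEEM';
DECLARE @current sysname = SUSER_SNAME(0x01);  -- current name of the built-in login
DECLARE @sql     nvarchar(max);

-- 1. Rename only if the login does not already carry the new name.
IF @current <> @new
BEGIN
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@current)
             + N' WITH NAME = ' + QUOTENAME(@new) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- 2. Disable the login under its new name.
SET @sql = N'ALTER LOGIN ' + QUOTENAME(@new) + N' DISABLE;';
EXEC sys.sp_executesql @sql;

-- 3. Verify: expect one row with name = SALEEM and is_disabled = 1.
SELECT name, is_disabled, is_policy_checked, modify_date
FROM   sys.sql_logins
WHERE  sid = 0x01;

-- 4. Confirm nobody has created a fresh login called "sa" since the rename.
--    Expect zero rows.
SELECT name, sid, create_date
FROM   sys.server_principals
WHERE  name = N'sa' AND sid <> 0x01;

-- 5. Inventory what is still owned by SID 0x01. The system databases are
--    owned by it by default; user databases and jobs listed here are the
--    ones to review against "nothing ever uses the SA account".
SELECT name AS database_name
FROM   sys.databases
WHERE  owner_sid = 0x01;

SELECT name AS agent_job_name
FROM   msdb.dbo.sysjobs
WHERE  owner_sid = 0x01;
```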