Friday, March 9, 2012

Need official MS response - rename/remove 'sa' account?

I need to get an official MS response on whether it is possible to rename or
remove the 'sa' account when using Mixed Mode authentication on SQL Server
2000. This is to satisfy some audit points for our company.
Thanks.
-Pete Schott

You don't generally get official MS responses on a newsgroup. You are going
to have to contact Microsoft directly for that.
The unofficial answer is that neither is possible.
--
Hal Berenson, SQL Server MVP
True Mountain Group LLC
"Peter A. Schott" <pschott@.drivefinancial.com> wrote in message
news:r3o0iv4fecv9iicenjruhcnecp05fhbcbc@.4ax.com...
> I need to get an official MS response on whether it is possible to rename or
> remove the 'sa' account when using Mixed Mode authentication on SQL Server
> 2000. This is to satisfy some audit points for our company.
> Thanks.
> -Pete Schott

On Thu, 24 Jul 2003 17:07:43 -0600, "Hal Berenson"
<haroldb@.truemountainconsulting.com> wrote:
>The unofficial answer is that neither is possible.
Hal, wasn't doing both a standard security suggestion back in 6.5
days?
I haven't engaged in this recently, but assumed it was still possible
and even advisable.
Joshua Stern

Hello Pete,
Thank you for your posting. I did some research on the "sa" login removal.
If you notice, the option to remove the "sa" login is not provided in
Enterprise Manager, since you cannot remove the sa login. If you refer to Books
Online, under sp_droplogin (the command used to drop a login), the
following caveats exist:

Remarks
A login mapped to an existing user in any database cannot be removed. The
user must be removed first by using sp_dropuser. Additionally, these logins
cannot be removed:
  - The system administrator (sa) login.
  - A login that owns an existing database.
  - A login that owns jobs in the msdb database.
  - A login that is currently in use and connected to SQL Server.

Therefore, by design "sa" cannot be removed. However, please note that by
using Windows NT Authentication, we can bypass the use of "sa". The SQL
server will then authenticate Windows NT logins only. Due to this reason
and the fact that as per SQL 2000 Books Online, sa has been included for
backward compatibility purposes, you may want to carefully examine the use
of this login for application development purposes.
If you have further questions on the issue, please feel free to post back.
Thanks & Regards,
Peter Yang
MCSE2000, MCSA, MCDBA
Microsoft Partner Online Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
| From: Peter A. Schott <pschott@.drivefinancial.com>
| Subject: Need official MS response - rename/remove 'sa' account?
| Date: Thu, 24 Jul 2003 17:42:00 -0500
| Message-ID: <r3o0iv4fecv9iicenjruhcnecp05fhbcbc@.4ax.com>
| Newsgroups: microsoft.public.sqlserver.server

The 'sa' login renaming feature is also not provided.
Simply set a strong password for 'sa', that cannot be guessed by dictionary
based attacks.
Switch to Windows authentication, so that 'sa' is basically useless.
--
HTH,
Vyas, MVP (SQL Server)
http://vyaskn.tripod.com/
What hardware is your SQL Server running on?
http://vyaskn.tripod.com/poll.htm
"Peter A. Schott" <pschott@.drivefinancial.com> wrote in message
news:npf2ivgmmlg9ca2qntpfsdrms93269lppf@.4ax.com...
Peter,
One more question - is there anything about renaming 'sa'? If it's
possible and supported, I will have to do that. If it's not possible or
supported, I will need to provide some formal document about that.
While I'm sure it's possible, I'm pretty sure that it's not supported, but
need to know for sure.
If you don't know, can you direct me to the appropriate contact who can give
me a definite answer?
Thanks.
-Pete Schott
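
The checks suggested in the replies above, collected as an added example (not part of the original thread): T-SQL for SQL Server 2000 that records the authentication mode, lists sysadmin and blank-password SQL logins, shows who is connected as sa, and resets the sa password. The password value is a placeholder, and the script assumes it is run in Query Analyzer by a member of sysadmin.

```sql
-- Added example for SQL Server 2000; not from the thread's authors.
-- Steps 1-4 are read-only. Step 5 changes the sa password.

-- 1. Authentication mode, as audit evidence.
--    WindowsAuthOnly = 1: Windows Authentication only (sa cannot log in).
--    WindowsAuthOnly = 0: Mixed Mode (sa can log in with its password).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;
EXEC master..xp_loginconfig 'login mode';

-- 2. Logins that hold sysadmin. Before relying on Windows Authentication
--    instead of sa, confirm at least one Windows login or group is listed.
SELECT name, isntname, isntgroup
FROM   master..syslogins
WHERE  sysadmin = 1
ORDER  BY name;

-- 3. SQL logins (isntname = 0) with a blank password.
--    SQL Server 2000 stores a blank password as NULL.
SELECT name
FROM   master..syslogins
WHERE  isntname = 0
  AND  password IS NULL;

-- 4. Sessions connected as sa right now. This is a snapshot: repeat it
--    over a representative period to find applications and jobs that
--    would break once sa is no longer usable.
SELECT spid, hostname, program_name, login_time
FROM   master..sysprocesses
WHERE  loginame = 'sa';

-- 5. Give sa a long random password. Replace the placeholder first and
--    store the real value in the organisation's password vault.
EXEC sp_password @old = NULL,
                 @new = '<REPLACE-WITH-LONG-RANDOM-VALUE>',
                 @loginame = 'sa';
```

Changing the server from Mixed Mode to Windows Authentication only takes effect after the SQL Server service is restarted, so rerun step 1 after the restart to capture the final state.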
