Deleting or Disabling SA Login in SQL Server for Security Purposes

One of the common security recommendation DBAs come across or Security teams or management ask about SA login in present in SQL Server instance and they suggest to disable or delete this ‘SA’ login for security purposes. Generally it is expected that built-in SA account is the first thing hackers may try to get access to.
SQL Server installs or comes with a default SQL Server login named SA an abbreviation of “system administrator”. The sa login maps to the sysadmin fixed server role, which has irrevocable administrative credentials on the whole server. There are no limits to the potential damage if an attacker gains access as a system administrator. This SA account needs to be setup with a strong password and should not be used to login in your application.
Although SQL Server allows DBAs to disable to delete SA login, it may not be a good option to delete this account and even better not to disable this account as well, because sometime SQL Server installation may fail or behave weirdly when SA account is disabled or deleted. If the security team insists, then the last thing you could do is to keep this login disabled or better change the Authentication mode to Windows Authentication(Important to make sure no applications us SQL authentication as it will fail after changing to Windows Authentication).
You can also rename the SA account. You can run below command to rename the SA account.
ALTER LOGIN sa WITH NAME = [newsa];
Also, it is important to note that SQL Server may be set a owner of many SQL Server Agent jobs, so before making the change it would be better to change the job owner from SA login to some other login which you are aware of which will never be deleted from the SQL Sever instance. Also, there may be some applications which may use the SA account, so it is important to identify the applications or processes using the SA account. One way to find which applications are using the SA account would be to setup a profiler trace by filtering it on SA login. Later you can import the trace to a SQL Server table and search for any applications using the SA account.
Sometimes you may see that the SA account is disable by default, this is because the SQL Server would have been installed by choosing only Windows Authentication.
This is applicable on below versions of SQL Server
SQL Server 2005
SQL Server 2008 R2
SQL Server 2012
SQL Server 2014
Hope this was helpful.
Thanks,
SQLServerF1 Team
In-Depth Blogs on SQL Server, Information about SQL Server Conferences and Events, SQL Server Frequently asked questions, SQL Server Trainings.