question

0 Votes
DisabledLivesMatter-3766 asked Criszhan-msft edited

Correct way to disable login for SA account??

We need SA to be database owner but reduce potential security issues.
I've been told one thing to do is to disable the login permission for the SA account.
However, in looking this up I'm confused... everything is T-SQL code and it's not clear whether to use deny or revoke...
Is it possible to do this in SSMS and if so how??
Thank you, Tom

sql-server-general

0 Votes
RobbieVarn-7255 answered

There are two ways to disable the "sa" account. One way, in SSMS, is to right-click on the login and select Properties > Status > Login: Disabled. Another way is via T-SQL, with this command: "ALTER LOGIN [sa] DISABLE". The sa account can still own the databases and yet still be disabled.


0 Votes
DisabledLivesMatter-3766 answered

Thank you for replying...I knew it had to be something simple, but not exactly what/how.
It was confusing when I read about disable vs deny vs revoke etc. etc.
This is just what I needed.
Thank you, :) tom


0 Votes
Criszhan-msft answered Criszhan-msft edited

Hi,

Welcome to Microsoft Q&A!

It was confusing when I read about disable vs deny vs revoke etc. etc.

Disabling a login means that this account is not allowed to connect/log in to the server. Disabling a login does not affect the behavior of logins that are already connected.

Disabled logins retain their permissions and can still be impersonated. The sa account can still be the owner of databases, agent jobs, etc.

Deny and Revoke respectively represent denying a permission to a principal and removing a previously granted or denied permission; both are operations on user permissions.

Best Regards,
Cris


If the answer is helpful, please click "Accept Answer" and upvote it.
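The distinction discussed in the answers above, as an added T-SQL example that is not part of the original thread: it disables sa, checks that database ownership is unchanged, and contrasts that with DENY and REVOKE on a separate login. The login name [app_login] and its password are constructed placeholders; run it from a sysadmin login other than sa.

```sql
-- Added example, not from the original answers.
-- [app_login] and its password are hypothetical placeholders.

-- 1. Look up sa by its fixed SID (0x01) so it is found even if renamed.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

-- 2. Disable the login (the command given in the answer above).
ALTER LOGIN [sa] DISABLE;

-- 3. The login state lives in is_disabled; database ownership is stored
--    separately in sys.databases.owner_sid and is not touched by DISABLE.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
WHERE d.owner_sid = 0x01;

-- 4. DENY and REVOKE change permission entries, not the login state.
CREATE LOGIN [app_login] WITH PASSWORD = 'Constructed-Placeholder-Pw-1!';
DENY CONNECT SQL TO [app_login];

-- The login row stays enabled; the CONNECT SQL permission row records the DENY.
SELECT p.name, p.is_disabled, sp.permission_name, sp.state_desc
FROM sys.server_principals AS p
JOIN sys.server_permissions AS sp
  ON sp.grantee_principal_id = p.principal_id
WHERE p.name = N'app_login'
  AND sp.permission_name = N'CONNECT SQL';

-- REVOKE removes the DENY entry; it does not grant the permission back.
REVOKE CONNECT SQL FROM [app_login];

-- Clean up the placeholder login.
DROP LOGIN [app_login];

-- To undo step 2: ALTER LOGIN [sa] ENABLE;
```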
