Correct way to disable login for SA account??

Question

We need SA to be database owner but reduce potential security issues.
I've been told one thing to do is to disable the login permission for the SA account.
However, in looking this up I'm confused...everything is t-sql code and it's not clear whether to use deny or revoke...
Is it possible to do this in SSMS and if so how??
Thank you, Tom

Answer 1

There are two ways to disable the "sa" account. One way, in SSMS, is to right click on the login and select properties>status>Login: disabled. Another way is via t-sql, with this command: "Alter Login [sa] disable". The sa account can still own the databases but yet still be disabled.

Answer 2

Hi,

Welcome to Microsoft Q&A!

>It was confusing when I read about disable vs deny vs revoke etc. etc.

Disabling a login means that this account is not allowed to connect\login to the server. Disabling a login does not affect the behavior of logins that are already connected.

Disabled logins retain their permissions and can still be impersonated.The sa account can still be the owner of databases, agent jobs, etc.

Deny and Revoke respectively represent the deny of permission to a principal and removing a previously granted or denied permission, which are operations on user permissions.

Best Regards,
Cris

---

If the answer is helpful, please click "Accept Answer" and upvote it.

Answer 3

Thank you for replying...I knew it had to be something simple, but not exactly what/how.
It was confusing when I read about disable vs deny vs revoke etc. etc.
This is just what I needed.
Thank you, :) tom