Does SA account need to be called "SA" or can I rename it safely?

It can be renamed. It's often considered a Best Practice for security, but there can be SQL Agent fallout if you don't bounce the Agent service or change job owners, and I can find reports of it borking Server 2008 upgrades, too.

That's enough to make me not want to bother renaming it. I say assigning a complex password and disabling the login is enough, and it's generally a better option since it actually closes the vulnerability instead of merely obfuscating it. Obfuscation gains you very little security. In the future, if you truly need an SQL authorization sysadmin, create a new account for it. That's not particularly difficult. You have the same attack surface as renaming without having to remember that SID 0x01 isn't sa anymore (even though it still is sa). And, of course, since the SID never really changes, it's not difficult to find which account is SID 0x01 (or a member of the sysadmin role, for that matter). Of course, if possible, don't even use mixed mode. Best practice is to use Windows authentication only mode, AFAIK.
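The hardening the answer above recommends, written out as T-SQL. This is an added example, not code from the answer or from Microsoft; the domain group CONTOSO\SQL-Sysadmins, the login DBA_Admin and the password strings are placeholders to replace, and it assumes you run it as a sysadmin on an instance where sa still exists.

```sql
-- Added example: lock down the built-in sa login instead of renaming it,
-- then provide administrative access through separately named principals.
-- Placeholders: CONTOSO\SQL-Sysadmins, DBA_Admin, and the password values.

-- 1. Give sa a long random password (placeholder; generate your own).
ALTER LOGIN [sa] WITH PASSWORD = N'<replace-with-a-long-random-password>';

-- 2. Disable sa so no connection can use it, whatever its password.
ALTER LOGIN [sa] DISABLE;

-- 3. Preferred path: a Windows (domain) group holds sysadmin, so nobody
--    needs a SQL-authenticated superuser at all.
CREATE LOGIN [CONTOSO\SQL-Sysadmins] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-Sysadmins',
                         @rolename = N'sysadmin';
-- (On SQL Server 2012 and later the equivalent is
--  ALTER SERVER ROLE [sysadmin] ADD MEMBER [CONTOSO\SQL-Sysadmins];)

-- 4. Only if a SQL-authenticated sysadmin is truly needed: create a new,
--    separately named login with policy and expiration enforced.
CREATE LOGIN [DBA_Admin]
    WITH PASSWORD = N'<replace-with-a-long-random-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
EXEC sp_addsrvrolemember @loginame = N'DBA_Admin', @rolename = N'sysadmin';

-- 5. Verify: the sid 0x01 row should show is_disabled = 1.
SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01;
```

Disabling sa still leaves the login row in place (you cannot drop sid 0x01), which is why the verification selects by SID rather than by name.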


Yes, the 2005 to 2008 problem is fixed. Now you can disable the SA account, you can rename it to SomethingElse, you can give it a Chinese password, or you can mix and match.

See: http://www.mssqltips.com/sqlservertip/2221/different-ways-to-secure-the-sql-server-sa-login/

Notice that since the SID of SA (whatever you rename it) still remains, the new name can be discovered by:

SELECT * FROM sys.syslogins WHERE sid = 0x01

You rightly cannot get rid of the built-in administrator login, of course. So you just need to decide whether the minor side-effects are a problem for you.

I never use "SA" for my work, but use my own special domain account with sysadmin permissions.
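An audit query that follows from both answers: find the built-in administrator by its fixed SID regardless of its current name, list everyone who holds sysadmin (they are all equivalent to sa), and report the authentication mode. This is an added example, not from the thread; it uses only standard catalog views and SERVERPROPERTY, and assumes permission to read server-level metadata.

```sql
-- Added example: audit the sa / sysadmin exposure discussed in this thread.

-- 1. The built-in administrator is always sid 0x01, whatever it is named.
--    sys.server_principals is the current catalog view; sys.syslogins
--    (used in the answer above) is the compatibility view.
SELECT name        AS builtin_admin_name,
       is_disabled,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.server_principals
WHERE sid = 0x01;

-- 2. All members of the sysadmin fixed server role. SQL logins (type 'S')
--    are reachable by password guessing; Windows logins and groups
--    ('U' / 'G') are not.
SELECT m.name      AS member_name,
       m.type_desc,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;

-- 3. Authentication mode: 1 = Windows authentication only (the mode the
--    first answer recommends), 0 = mixed mode (SQL logins accepted).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 4. Enabled SQL logins in sysadmin whose password policy is not enforced:
--    the combination worth fixing first.
SELECT l.name
FROM sys.sql_logins AS l
JOIN sys.server_role_members AS rm ON rm.member_principal_id = l.principal_id
JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = N'sysadmin'
  AND l.is_disabled = 0
  AND l.is_policy_checked = 0;
```

Query 1 makes the renaming point concrete: the name column changes after a rename, but the row is still found by sid = 0x01, so renaming alone hides nothing from anyone who can read the catalog.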