Commands / Invoke-sqmSAObfuscation
Invoke-sqmSAObfuscation
SecuritysqmSQLTool v1.8.2+ · Hardening⚠ High Impact  ✓ -WhatIf supported
Renames the built-in SA login to an obfuscated name (e.g., DBA_SYSADMIN_01) to hide it from automated attacks. Creates a new dummy SA login with disabled state and a randomized password to maintain compatibility and satisfy compliance audits that expect a SA account to exist.

Parameters

ParameterTypeRequiredDefaultNotes
-SqlInstancestringRequiredTarget SQL Server instance.
-SqlCredentialPSCredentialOptionalCredentials with sysadmin role.
-NewSANamestringOptionalDBA_SYSADMIN_01New obfuscated name for the renamed SA login.
-BackupCurrentPasswordswitchSwitch$falseSave current SA password to secure backup location.
-EnableExceptionswitchSwitch$falseRe-throw exceptions immediately.
-WhatIf / -ConfirmswitchOptionalShouldProcess (ConfirmImpact: High) guards rename execution.

Execution Flow

START dbatools available? NO throw: dbatools not found YES Connect to instance (sysadmin credentials required) Verify instance is online Get current SA login via Get-DbaLogin Verify SA exists and is enabled; check for existing renames If -BackupCurrentPassword: securely store SA password ShouldProcess? (ConfirmImpact: High) NO WhatIf: show plan continue YES ALTER LOGIN [sa] RENAME TO -NewSAName Example: ALTER LOGIN [sa] RENAME TO [DBA_SYSADMIN_01] CREATE LOGIN [sa] with disabled state Set random password (not used), CHECK_POLICY=ON, CHECK_EXPIRATION=ON ALTER LOGIN [sa] DISABLE (prevents accidental use) ALTER SERVER ROLE [sysadmin] ADD MEMBER -NewSAName Grant sysadmin to obfuscated SA login for management access Return [PSCustomObject] obfuscation result Instance, OldSAName, NewSAName, DummySACreated, Status DONE

Examples

Obfuscate SA with default name and -WhatIf
Invoke-sqmSAObfuscation -SqlInstance "SQL01" -WhatIf
Obfuscate SA with custom name and backup password
Invoke-sqmSAObfuscation -SqlInstance "SQL01" -NewSAName "ADMIN_SYS" -BackupCurrentPassword