Blog » Via Pinal Dave
SQL SERVER – FIX : Error: 18486 Login failed for user ’sa’ because the account is currently locked out. The system administrator can unlock it. – Unlock SA Login
Today, we will riffle through a very simple, yet common issue – How to unlock a locked “sa” login?
It is quite a common practice that SQL Server is hosted on a separate server than application server. In most cases, SQL Server ports or IP are exposed to the web, which makes them risk prone. For hackers, System Admin login “sa” is the preferred account which they use for hacking. In fact, a majority of hackers try to hack into SQL Server by attempting to login using “sa” account. Once hackers gain access to server using “sa” login, they get a complete control over the SQL Server.
Hackers apply Brute Force method to hack “sa” login. Brute Force method is an attempt to guess a password using every possible combination. Be it in your machine where SQL Server is hosted or in your domain, if you have a policy setting that disables any account after a certain number of unsuccessful attempts, it will also disable all your SQL Server logins including “sa” login. In this scenario, SQL Server will display the following error:
Login failed for user ’sa’ because the account is currently locked out. The system administrator can unlock it.
1) Disable the policy on your system or on your domain level. However, this may not be the most appropriate option as it will adversely affect your security protection level.
2) If this is a one-time issue, enable “sa” login WITH changing password of “sa” login.
ALTER LOGIN sa WITH PASSWORD = 'yourpass' UNLOCK ;
3) If this is a one-time issue, enable “sa” login WITHOUT changing password of “sa” login.
ALTER LOGIN sa WITH CHECK_POLICY = OFF;
ALTER LOGIN sa WITH CHECK_POLICY = ON;
4) If you are not using “sa” login, switch your authentication from mixed mode authentication to windows authentication to remove your “sa” login account.
5) BEST Practice: Create another user with systemadmin role having the same rights as “sa” login and let “sa” login get disabled. Use the newly created account as this will not be exposed on the Internet and for hackers it will be a tough nut to crack! They will find it difficult to guess the right password and moreover, they will not be able to do Brute Force attack over it.
I am eager to know if there are other options to solve this problem.
If you simply want to change the “sa” password, you can follow my previous article SQL SERVER – Change Password of SA Login Using Management Studio.
Please note that it is not mandatory to reboot SQL Server or restart SQL Server services after changing the password for “sa” login. If you are interested, go through all the comments and bring forth your opinion about this discussion.
Reference : Pinal Dave (http://blog.SQLAuthority.com)