Metadata

Id: 663062e9-473d-4e87-99bc-6f3684b3df40

Cloud Provider: Azure

Platform: Ansible

Severity: Low

Category: Best Practices

Description

Admin usernames for Azure SQL Server must not be empty or use predictable names. Predictable account names (for example, “admin” or “administrator”) make it significantly easier for attackers to perform brute-force, credential-stuffing, and targeted authentication attacks.

For Ansible resources using azure.azcollection.azure_rm_sqlserver or azure_rm_sqlserver, the admin_username property must be defined as a non-empty string. It must not be one of the following predictable names: admin, administrator, root, user, azure_admin, azure_administrator, or guest.

Tasks that omit admin_username, set it to an empty value, or use any of the predictable names (checked case-insensitively) are flagged as insecure.
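The checks described above, written out as an added Python example (not Datadog's query or code from this page). It assumes the playbook has already been loaded into a list of task dictionaries by a YAML parser; `check_task`, `scan` and the sample tasks are hypothetical names and constructed data.

```python
"""Added example: re-implements the rule's stated checks; not Datadog's query."""
PREDICTABLE = {"admin", "administrator", "root", "user",
               "azure_admin", "azure_administrator", "guest"}
MODULES = ("azure.azcollection.azure_rm_sqlserver", "azure_rm_sqlserver")


def check_task(task):
    """Return why a task is flagged, or None if compliant or not applicable."""
    module = next((m for m in MODULES if m in task), None)
    if module is None:
        return None  # not an Azure SQL Server task
    args = task[module] or {}  # assumption: module args given as a mapping
    if "admin_username" not in args:
        return "admin_username is not defined"
    value = args["admin_username"]
    # A bare `admin_username:` loads as None. Treating whitespace-only values
    # as empty is an assumption of this example.
    if value is None or not str(value).strip():
        return "admin_username is empty"
    if str(value).strip().lower() in PREDICTABLE:  # case-insensitive match
        return f"admin_username {value!r} is a predictable name"
    return None


def scan(tasks):
    """Return [(task name, reason)] for every flagged task, in order."""
    findings = []
    for task in tasks:
        reason = check_task(task)
        if reason:
            findings.append((task.get("name", "<unnamed>"), reason))
    return findings


# Constructed sample: tasks modelled on the page's examples, as dicts.
SAMPLE_TASKS = [
    {"name": "ok", "azure_rm_sqlserver": {"admin_username": "mylogin"}},
    {"name": "empty", "azure_rm_sqlserver": {"admin_username": ""}},
    {"name": "null", "azure_rm_sqlserver": {"admin_username": None}},
    {"name": "predictable", "azure_rm_sqlserver": {"admin_username": "Admin"}},
    {"name": "missing",
     "azure.azcollection.azure_rm_sqlserver": {"name": "my-sql-server"}},
    {"name": "other module", "ansible.builtin.debug": {"msg": "skipped"}},
]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_TASKS):
        print(f"{name}: {reason}")
```
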

Secure example:

- name: Create Azure SQL Server
  azure.azcollection.azure_rm_sqlserver:
    name: my-sql-server
    resource_group: my-rg
    location: eastus
    admin_username: dbadmin01
    admin_password: "{{ sql_admin_password }}"

Compliant Code Examples

# Compliant code: the query should not report any result
- name: Create (or update) SQL Server
  azure_rm_sqlserver:
    resource_group: myResourceGroup
    name: server_name
    location: westus
    admin_username: mylogin
    admin_password: Testpasswordxyz12!

Non-Compliant Code Examples

# Non-compliant code: the query should report one or more results
- name: Create (or update) SQL Server1
  azure_rm_sqlserver:
    resource_group: myResourceGroup
    name: server_name1
    location: westus
    admin_username: ""
    admin_password: Testpasswordxyz12!
- name: Create (or update) SQL Server2
  azure_rm_sqlserver:
    resource_group: myResourceGroup
    name: server_name2
    location: westus
    admin_username:
    admin_password: Testpasswordxyz12!
- name: Create (or update) SQL Server3
  azure_rm_sqlserver:
    resource_group: myResourceGroup
    name: server_name3
    location: westus
    admin_username: admin
    admin_password: Testpasswordxyz12!