---
title: SQL server predictable Active Directory admin account name
description: Datadog, the leading service for cloud-scale monitoring.
---

# SQL server predictable Active Directory admin account name

## Metadata{% #metadata %}

**Id:** `terraform-azure-sql-server-predictable-active-directory-admin-account-name` 

**Provider:** Azure

**Platform:** Terraform

**Severity:** Low

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_active_directory_administrator)

### Description{% #description %}

Azure SQL Servers should not use predictable Active Directory Administrator account names, such as `Admin`, for the `login` attribute. An easily guessed username, such as `login = "Admin"`, makes the account more susceptible to brute-force or dictionary attacks and raises the risk of unauthorized access. To enhance security, use a unique and hard-to-guess login name, such as:

```terraform
login = "NotEasyToPredictAdmin"
```

This helps reduce the likelihood of successful account compromise.

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
# Compliant: the query should not report any result for this code
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "negative1" {
  name     = "acceptanceTestResourceGroup1"
  location = "West US"
}

resource "azurerm_sql_server" "negative2" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.negative1.name
  location                     = azurerm_resource_group.negative1.location
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

# The AD administrator login is unique and hard to guess
resource "azurerm_sql_active_directory_administrator" "negative3" {
  server_name         = azurerm_sql_server.negative2.name
  resource_group_name = azurerm_resource_group.negative1.name
  login               = "NotEasyToPredictAdmin"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
# Non-compliant: the query should report a result for positive3 and positive4
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "positive1" {
  name     = "acceptanceTestResourceGroup1"
  location = "West US"
}

resource "azurerm_sql_server" "positive2" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.positive1.name
  location                     = azurerm_resource_group.positive1.location
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

# Flagged: the AD administrator login is empty
resource "azurerm_sql_active_directory_administrator" "positive3" {
  server_name         = azurerm_sql_server.positive2.name
  resource_group_name = azurerm_resource_group.positive1.name
  login               = ""
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}

# Flagged: the AD administrator login is the predictable name "Admin"
resource "azurerm_sql_active_directory_administrator" "positive4" {
  server_name         = azurerm_sql_server.positive2.name
  resource_group_name = azurerm_resource_group.positive1.name
  login               = "Admin"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}
```
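
A small pre-commit style check for the pattern shown in the examples above, added here as an illustration; it is not Datadog's rule implementation. The deny-list entries other than `Admin`, the case-insensitive comparison, and the function names are assumptions.

```python
import re

# Assumed deny-list for illustration; the rule's own list is not shown on this page.
PREDICTABLE = {"admin", "administrator", "root", "sa", "sqladmin", "azureadmin"}
RESOURCE_RE = re.compile(
    r'resource\s+"azurerm_sql_active_directory_administrator"\s+"([^"]+)"\s*\{')
# Anchored at line start so attributes such as administrator_login do not match.
LOGIN_RE = re.compile(r'^\s*login\s*=\s*"([^"]*)"', re.MULTILINE)

def block_body(text, start):
    """Return the block text from `start` (just after '{') to its matching '}'."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]  # unterminated block: scan what is there

def find_predictable_logins(tf_source):
    """Return (resource_name, login, reason) for each flagged AD administrator."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_source):
        login = LOGIN_RE.search(block_body(tf_source, m.end()))
        if login is None:
            continue  # login set from a variable or expression: check at plan time
        value = login.group(1).strip()
        if value == "" or value.lower() in PREDICTABLE:
            reason = "empty login" if value == "" else "predictable login"
            findings.append((m.group(1), value, reason))
    return findings

# Constructed sample mirroring the page's compliant and non-compliant resources.
SAMPLE = '''
resource "azurerm_sql_active_directory_administrator" "negative3" {
  login = "NotEasyToPredictAdmin"
}
resource "azurerm_sql_active_directory_administrator" "positive3" {
  login = ""
}
resource "azurerm_sql_active_directory_administrator" "positive4" {
  login = "Admin"
}
'''

print(find_predictable_logins(SAMPLE))
```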
