Question

I did a Vulnerability Assessment for my database today. I found VA2108, and it suggests that I run:

ALTER ROLE [db_owner] DROP MEMBER [dbo]

But it's the default setting of any SQL instance.

Should I go for it? And is there any risk?


Thanks


Solution

Don't worry about it, as J.D. says.

In fact, you cannot drop dbo from db_owner. There's a hard-wired blocker in the engine prohibiting you from doing so. Try it and you get the error:

Msg 15405, Level 16, State 1, Line 1
Cannot use the special principal 'dbo'.

OTHER TIPS

It sounds like the vulnerability audit tool you use just always flags whenever a User is mapped to the db_owner role, which in this case is the default dbo.

I believe there has to always be one db_owner of a database and as previously mentioned dbo is the default. So you won't be able to change this without first setting another User as the db_owner, which will get flagged by your audit anyway.

All things considered, this isn't the end of the world to leave as the default, as you can disable the Login associated with the dbo User.
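
To triage a VA2108 finding along the lines of the answers above, the following added example (not part of the original posts) lists the members of db_owner in the current database and shows which login owns the database and whether that login is disabled. It assumes a SQL Server instance where sys.server_principals is readable; the text in the triage column is illustrative wording, not output from the assessment tool.

```sql
-- Added example: run in the database that was assessed.

-- 1) Who is in db_owner? dbo is the built-in member that cannot be dropped;
--    any other row is a membership worth reviewing.
SELECT
    m.name      AS member_name,
    m.type_desc AS member_type,
    CASE WHEN m.name = N'dbo'
         THEN 'built-in; DROP MEMBER fails with Msg 15405'
         ELSE 'review: is db_owner membership required?'
    END         AS triage
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;

-- 2) Which server login owns this database (and therefore maps to dbo),
--    and is that login disabled?
SELECT
    d.name         AS database_name,
    sp.name        AS owner_login,
    sp.is_disabled AS owner_login_disabled
FROM sys.databases AS d
LEFT JOIN sys.server_principals AS sp ON sp.sid = d.owner_sid
WHERE d.database_id = DB_ID();
```

If the first query returns only dbo, the finding reflects the default membership described above rather than an extra principal holding db_owner.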

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange