June 29, 2012 at 9:05 am
I have a situation, where our auditors caught us DBAs for granting DBO privilage to unwanted login, and now it has become a big issue..!!
and the fact is in the server security logs my login as well as another DBAs login are found, exsactly with milli seconds gap to which the login was updated in syslogins..!!
I havent done any change, and i am trying to prove my innosence, can anyone help me out ? into what direction i need to go ?
I have read the log of master, and have the transaction id, but not sure how to retrive the info of user who has run it, pleaseeee help..!!
June 29, 2012 at 9:45 am
First, I would take the information in that table with a grain of salt. Second, you will probably need to get a logreader to figure out what you need from the t-log. Third, you really need to setup auditing to capture these types of changes. Just understand that a DBA could probably get around it if he (or she) wanted to. Remember, a locked door keeps out the honest person.
June 29, 2012 at 10:12 am
Granting dbo to a user in a database would not alter the login; therefore, just because the login was altered at that time doesn't mean that was when it was given dbo access. The prosecution has no case.
June 29, 2012 at 10:19 am
Don't know whether the user was added to the db_owner role or made dbo of the database, but either way both events are logged in the default trace.
If the auditors know that this event happened I would have thought they would also have information on the login that did it.
---------------------------------------------------------------------
July 16, 2012 at 1:44 am
I have pulled out the transaction SID, and have mapped it to the user, by using SELECT SUSER_SNAME(0x0X0X00000000000XXXXXXXXXXXXXXXXXX);
and have found that alter login was run by which user, as myself and that other dba were only two people who logged in at that time, I was able to prove that it was not me..!! 😉
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply