How to capture whether login 'sa' is being used or not

  • Hi

    As per my subject line, I would like to know how to capture whether the login account 'sa' is being used to connect to the server, i.e. is there any session where login sa is being used? Please tell me how I should proceed.


    thanks and regards

    Anoop


  • Extended events would be the way to go for the login_successful event type where the username is sa and the session is a user session.

    The user session is important as you wouldn’t want to capture the system logging in to do system related tasks as sa as that would be a false positive capture.

  • To add to Ant-Green's comment, you may want to capture what queries are being run as sa too.  Knowing that sa logged in is one thing, but if it is a malicious user, they could screw up your database so having a log of everything they did is not a bad idea.

    On top of capturing the account sa, you may want to capture all users in the sysadmin role.  This may be more complex than your original requirement, but if Steve is a sysadmin and his password gets compromised, you may want to know what Steve's account was doing.

    Also, a good practice is to disable the sa account if you don't need it.  Renaming it is also not a horrible idea IF it needs to be enabled.  Mind you, both of these things should only be done AFTER you confirm that nothing is using it OR you change anything that is using it (application connections, linked servers, etc) to use a more appropriate account.  And, as always, make the changes on test and then ensure they work before making any changes on live.

    The above is all just my opinion on what you should do. 
    As with all advice you find on a random internet forum - you shouldn't blindly follow it.  Always test on a test server to see if there are negative side effects before making changes to live!
    I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.
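    The session the two replies above describe, written out as an added example (this is not code from either poster): an Extended Events session that records successful logins as sa from user sessions, with the internal system sessions filtered out, and also records every T-SQL batch those sessions run so there is a trail of what sa actually did. Assumptions: SQL Server 2012 or later, the event file folder C:\XE\ exists and the service account can write to it, and the object names `sqlserver.login`, `sqlserver.sql_batch_completed`, `sqlserver.server_principal_name` and `sqlserver.is_system` exist on your build (the query in the comments checks that before you create anything).

```sql
-- Added example, not from the thread. Confirm the XE object names on your
-- build first; if any row is missing, adjust before creating the session:
--   SELECT name, object_type FROM sys.dm_xe_objects
--   WHERE name IN ('login', 'sql_batch_completed', 'server_principal_name', 'is_system');

IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'audit_sa_usage')
    DROP EVENT SESSION audit_sa_usage ON SERVER;
GO

CREATE EVENT SESSION audit_sa_usage ON SERVER
-- Successful connections (new, or reused from a connection pool) made as sa.
ADD EVENT sqlserver.login
(
    ACTION
    (
        sqlserver.client_app_name,
        sqlserver.client_hostname,
        sqlserver.nt_username,
        sqlserver.session_id,
        sqlserver.server_principal_name
    )
    WHERE sqlserver.server_principal_name = N'sa'
      AND sqlserver.is_system = 0          -- user sessions only; drops the system false positives
),
-- Every batch those sessions run, so there is a record of what sa did.
ADD EVENT sqlserver.sql_batch_completed
(
    ACTION
    (
        sqlserver.client_app_name,
        sqlserver.client_hostname,
        sqlserver.session_id,
        sqlserver.server_principal_name
    )
    WHERE sqlserver.server_principal_name = N'sa'
      AND sqlserver.is_system = 0
)
ADD TARGET package0.event_file
(
    SET filename = N'C:\XE\audit_sa_usage.xel',   -- assumed path; folder must exist
        max_file_size = 50,                       -- MB per file before rollover
        max_rollover_files = 10
)
WITH (STARTUP_STATE = ON, EVENT_RETENTION_MODE = ALLOW_SINGLE_EVENT_LOSS);
GO

ALTER EVENT SESSION audit_sa_usage ON SERVER STATE = START;
GO

-- Read back what was captured: one row per login or batch, oldest first.
;WITH raw AS
(
    SELECT CAST(event_data AS xml) AS x
    FROM sys.fn_xe_file_target_read_file(N'C:\XE\audit_sa_usage*.xel', NULL, NULL, NULL)
)
SELECT
    x.value('(event/@name)[1]', 'sysname')                                       AS event_name,
    x.value('(event/@timestamp)[1]', 'datetime2')                                AS event_time_utc,
    x.value('(event/action[@name="session_id"]/value)[1]', 'int')                AS session_id,
    x.value('(event/action[@name="client_hostname"]/value)[1]', 'nvarchar(256)') AS client_host,
    x.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(256)') AS client_app,
    x.value('(event/action[@name="nt_username"]/value)[1]', 'nvarchar(256)')     AS nt_user,
    x.value('(event/data[@name="batch_text"]/value)[1]', 'nvarchar(max)')        AS batch_text
FROM raw
ORDER BY event_time_utc;
```

    The `is_system = 0` predicate is what keeps the session from firing for the engine's own internal connections. Extended Events predicates cannot test role membership, so extending this to "everyone in sysadmin" means listing the members explicitly, e.g. `WHERE (sqlserver.server_principal_name = N'sa' OR sqlserver.server_principal_name = N'DOMAIN\steve') AND sqlserver.is_system = 0`, and refreshing that list whenever the role changes. The `batch_text` column will contain whatever the client sent, including any passwords embedded in `CREATE LOGIN` or `ALTER LOGIN` statements, so protect the .xel files accordingly.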

  • My recommendation would be to do what the industry best practice normally recommends and disable it.  If the phone rings, you'll have your answer and, yes, you should answer the phone to tell the people that are using it about the severe security violation they've committed and how they need to do something else other than login as the "SA" user.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
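    The "confirm nothing uses it, then disable or rename it" procedure from the two replies above, as an added example that is not part of the original thread. It inventories the obvious dependencies on sa (live sessions, linked-server mappings, database and SQL Agent job ownership), disables the login, and then watches the error log for the failed logins that tell you who was still using it. Assumptions: you are running as a sysadmin, msdb is present, and you run this on a test instance first.

```sql
-- Added example, not from the thread. Everything below is a review step except
-- the ALTER LOGIN statements near the end; run those only after the review.

DECLARE @sa_sid varbinary(85) = SUSER_SID(N'sa');   -- keyed on the SID so it survives a rename

-- 1. User sessions currently connected as sa.
SELECT s.session_id, s.login_time, s.host_name, s.program_name, s.login_name
FROM sys.dm_exec_sessions AS s
WHERE s.login_name = SUSER_SNAME(@sa_sid)
  AND s.is_user_process = 1;

-- 2. Linked servers that log in to the remote side as sa.
SELECT sv.name AS linked_server, ll.remote_name, ll.uses_self_credential
FROM sys.linked_logins AS ll
JOIN sys.servers       AS sv ON sv.server_id = ll.server_id
WHERE ll.remote_name = N'sa';

-- 3. Databases owned by sa (review; ownership is by SID and is not broken by a rename).
SELECT d.name AS database_name
FROM sys.databases AS d
WHERE d.owner_sid = @sa_sid;

-- 4. SQL Agent jobs owned by sa (review; these are the ones to re-point if policy requires).
SELECT j.name AS job_name, j.enabled
FROM msdb.dbo.sysjobs AS j
WHERE j.owner_sid = @sa_sid;

-- 5. Once steps 1-4 are clean or have been re-pointed to a more appropriate account:
ALTER LOGIN sa DISABLE;
-- If it genuinely must stay enabled, at least rename it (the SID is unchanged):
-- ALTER LOGIN sa WITH NAME = [rename_me];        -- hypothetical new name

-- Verify the state.
SELECT name, is_disabled FROM sys.server_principals WHERE sid = @sa_sid;

-- 6. Afterwards, "the phone ringing" shows up in the error log before anyone calls:
--    a disabled sa produces "Login failed for user 'sa'. Reason: The account is disabled."
EXEC xp_readerrorlog 0, 1, N'Login failed', N'sa';
```

    Step 1 only shows connections open at that moment, so pair it with the Extended Events session from earlier in the thread for a few weeks of history before deciding that nothing uses the login. Failed-login rows in the error log (step 6) carry the client IP, which is usually enough to find the application or person still holding the sa password.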
