Hi All,
After seeing a log of login failures and attacks, we have removed all unwanted logins from SQL, including the NT Service\MSSQL$SQLEXPRESS service account. It is Express; none of the applications, Windows scheduler or any service is using this login, but I am still seeing this error very often, every second.
Error:
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Severity: 16 Error:18456, OS: 18456 [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user 'NT Service\MSSQL$SQLEXPRESS'.
December 21, 2022 at 1:08 pm
Yes, it is Express and working fine.
December 21, 2022 at 1:23 pm
You should not be removing the NT SERVICE\MSSQLSERVER, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQL$<InstanceName> or NT SERVICE\SQLAGENT$<InstanceName> accounts under any normal circumstances.
These are used as proxy/virtual accounts for the actual service accounts you use to run the service, so you don't have to remember to add permissions to new service accounts as and when you change them.
If you are getting 18456 errors, then you need to look at the full message in the SQL Server log, figure out what the state of the error is, and then work it back to the corresponding failure reason. The below will indicate what the different state numbers represent, and then you can go and fix the actual problem.
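The state lookup described in the reply above, as an added example that is not part of the thread or any poster's code: it pairs each `Error: 18456 ... State: N` line in a SQL Server ERRORLOG with the `Login failed` line after it and counts failures per login, client and state, which separates a local service account problem from remote password guessing. The log lines are constructed, the function and variable names are hypothetical, and the state table is a subset of the meanings Microsoft documents for error 18456.

```python
import re
from collections import Counter

# Subset of the documented 18456 state meanings (assumption: not exhaustive).
STATE_REASON = {
    2: "user ID is not valid",
    5: "user ID is not valid",
    6: "Windows login name used with SQL Server Authentication",
    7: "login is disabled and the password is incorrect",
    8: "password is incorrect",
    11: "login is valid, but server access failed",
    12: "login is valid, but server access failed",
    18: "password must be changed",
    38: "could not find the database requested by the user",
    58: "SQL authentication attempted on a Windows-authentication-only server",
}

ERR = re.compile(r"Error: 18456, Severity: \d+, State: (\d+)\.")
LOGIN = re.compile(r"Login failed for user '([^']*)'\..*?\[CLIENT: ([^\]]+)\]")

def summarize(lines):
    """Pair each 'Error: 18456 ... State: N' line with the 'Login failed'
    line that follows it; count failures per (login, client, state)."""
    counts, state = Counter(), None
    for line in lines:
        m = ERR.search(line)
        if m:
            state = int(m.group(1))
            continue
        m = LOGIN.search(line)
        if m and state is not None:
            counts[(m.group(1), m.group(2), state)] += 1
            state = None
    return counts

# Constructed sample in the ERRORLOG layout; not taken from the thread.
SAMPLE = r"""
2022-12-21 13:05:01.10 Logon       Error: 18456, Severity: 14, State: 11.
2022-12-21 13:05:01.10 Logon       Login failed for user 'NT Service\MSSQL$SQLEXPRESS'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <local machine>]
2022-12-21 13:05:02.10 Logon       Error: 18456, Severity: 14, State: 11.
2022-12-21 13:05:02.10 Logon       Login failed for user 'NT Service\MSSQL$SQLEXPRESS'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <local machine>]
2022-12-21 13:05:07.42 Logon       Error: 18456, Severity: 14, State: 8.
2022-12-21 13:05:07.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
""".splitlines()

if __name__ == "__main__":
    for (login, client, state), n in summarize(SAMPLE).most_common():
        print(n, login, client, state, STATE_REASON.get(state, "see documentation"))
```
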
December 21, 2022 at 3:34 pm
Thank you for the response and explanation. I have added the account back and the errors are not coming again. I think it worked.
The same is true for the following:
NT SERVICE\CluSvc
NT SERVICE\HealthService
NT SERVICE\SQLTelemetry
NT SERVICE\SQLWriter
NT SERVICE\Winmgmt
If you have removed any of these, I would add them back with the correct permissions they had.