June 13, 2007 at 11:56 am
I have set up alerts to notify me when a DBCC TRACEON event occurs, because I have observed traces being started and I am not doing them and I am the only DBA!
I need to identify who is doing the trace to make sure it is legal.
Is this possible? How?
Please Advise.
JT
June 13, 2007 at 12:06 pm
Well, only members of sysadmin can start/stop traces, so that might be the first place to look. Other than that, you could set up a trace to capture DBCC TRACEON/TRACEOFF events.
June 13, 2007 at 1:04 pm
Thanks "Old Hand" 🙂
I set up another trace with DBCC events as the traced operations and am gathering the workstation, SQL user, NT user, etc...
Tested it with a DBCC CHECKDB on Temp and it showed up. yay!
Any other advice for this type of behavior? Anything else you think I should watch / record if I believe an intrusion is occurring?
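A server-side trace along the lines described in the post above, as an added example that is not part of the original thread: it captures the Audit DBCC event class (116) with the workstation, application, login and NT user columns. The trace file path, the 50 MB file size and SQL Server 2005 or later are assumptions.

```sql
-- Added example (not from the thread): server-side trace of DBCC commands.
-- Assumptions: SQL Server 2005 or later, the folder C:\Traces exists and is
-- writable by the SQL Server service account, 50 MB per rollover file.
DECLARE @TraceID int, @maxsize bigint, @on bit;
SET @maxsize = 50;
SET @on = 1;

-- Option 2 = TRACE_FILE_ROLLOVER; ".trc" is appended to the file name.
EXEC sp_trace_create @TraceID OUTPUT, 2, N'C:\Traces\dbcc_audit', @maxsize, NULL;

-- Event class 116 = Audit DBCC Event. One call per column to capture.
EXEC sp_trace_setevent @TraceID, 116, 1,  @on;  -- TextData (the DBCC command)
EXEC sp_trace_setevent @TraceID, 116, 6,  @on;  -- NTUserName
EXEC sp_trace_setevent @TraceID, 116, 7,  @on;  -- NTDomainName
EXEC sp_trace_setevent @TraceID, 116, 8,  @on;  -- HostName (workstation)
EXEC sp_trace_setevent @TraceID, 116, 10, @on;  -- ApplicationName
EXEC sp_trace_setevent @TraceID, 116, 11, @on;  -- LoginName
EXEC sp_trace_setevent @TraceID, 116, 12, @on;  -- SPID
EXEC sp_trace_setevent @TraceID, 116, 14, @on;  -- StartTime

EXEC sp_trace_setstatus @TraceID, 1;            -- 1 = start
SELECT @TraceID AS TraceID;                     -- keep this to stop the trace later
GO

-- Review: who issued DBCC TRACEON/TRACEOFF, from where, with which application.
SELECT StartTime, LoginName, NTDomainName, NTUserName, HostName, ApplicationName, SPID,
       CAST(TextData AS nvarchar(4000)) AS DbccCommand
FROM sys.fn_trace_gettable(N'C:\Traces\dbcc_audit.trc', DEFAULT)
WHERE EventClass = 116
  AND CAST(TextData AS nvarchar(4000)) LIKE N'%TRACE%'
ORDER BY StartTime;
```

HostName and ApplicationName are supplied by the client and can be set in the connection string, so treat them as hints and rely on LoginName and NTUserName for attribution. Stop and close the trace with `sp_trace_setstatus @TraceID, 0` followed by `sp_trace_setstatus @TraceID, 2`.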
June 14, 2007 at 7:32 am
sp_who2 will also give information on who is tracing.
It seems there are some users with sysadmin privileges in your database.
Not sure how your environment is set up, but users can perform a wide range of functions without sysadmin privileges, which should be given out only when you have to.
Mike
June 14, 2007 at 1:47 pm
Thanks for the info. Tracing the trace on DBCC events worked perfectly and I discovered who the culprit was. Upon investigation, it was an Excel spreadsheet with macros that sent SQL statements to the server and then updated 5-6 cells on the spreadsheet. It manifested itself in a DBCC TRACE event on the server!?!?
I looked at Microsoft's support site for any info on it and there is nothing. Have you ever heard of this happening? The trace said that the application name is "Microsoft Query". I was thinking that it might have something to do with a connection string parameter. The one I am wondering about is "Network = DBMSSCON". The user has db_datareader membership and nothing else.