June 28, 2007 at 12:21 pm
We use a domain account as the SQL Server service account on our three SQL Server 2000 SP3 boxes (Windows 2003 Server, standard). We use the same account to remote desktop from our XP workstations into the SQL Server boxes. As near as we can tell, there aren't any applications that use this account, just the SQL Server service and our remote desktopping. The last few days, we have had agent jobs fail with this message:
MESSAGES: The job failed. Unable to determine if the owner (ourdomain\ourusername) of job Blocking Process Notify has server access (reason: Could not obtain information about Windows NT group/user 'ourdomain\ourusername'. [SQLSTATE 42000] (Error 8198)).
We try and remote desktop into the database server, and get a message that says we are locked out. We call the server guys, and they look in their logs and find that there were three failed login attempts, so the Windows or Active Directory account is locked out. They can reset it, but can't tell us why this is happening. This happens once a day, usually in the morning, then it doesn't happen again the entire day.
My guess is that someone is trying to hack us via this account. Is there another explanation?
Also, most places I've worked have used a domain account as a service account. Is there a better way to do this? Thanks.
June 28, 2007 at 12:37 pm
We use domain accounts, but the fact that several of you have access to the account for Remote Desktop is a bad idea. How can you have an audit trail if you don't have a 1 to 1 relationship of users to logins? If one of you changes the password, how do you share it with the others before it gets locked out? The first thing I would do is create separate logins for the agent and the users. The logs showing the failed attempts should show where the attempts are coming from.
June 28, 2007 at 1:32 pm
I should have prefaced my OP with, "This is how it was set up long before I arrived here".
The security event log for my SQL Server doesn't show a failure attempt for that account. Since it's a domain account, it's possible that someone tried to log on somewhere else in the network, and the domain controller locked the account. I've turned that one over to the server monkeys. But how should it be set up? I worked at one place where if you needed to remote into a server you would be put into the local admin group for that server. But we needed a domain account that could access file shares on other servers. I seem to recall that the domain account had some attribute set so that a human couldn't log in on the network using it. But I don't remember how we did email integration. Any ideas?
July 2, 2007 at 1:42 am
This need not necessarily be a hacking issue. Before you confirm that, can you check if any other services are running under that account, or any jobs are configured to run under that account, or any user is trying to log in to the account and uses a wrong password? The best place to look is eventvwr: check the time, then check the SQL Server and other application error logs to find out the exact reason.
Cheers,
Sugeshkumar Rajendran
SQL Server MVP
http://sugeshkr.blogspot.com
July 2, 2007 at 11:00 am
We finally got through to the right network guy who figured out the login attempts were coming from the PC in the next cube. We haven't figured out what software on there is trying to log in. I'm thinking it's a virus of some kind that didn't get picked up by Trend OfficeScan. I think the PC techs are just going to melt it down and reimage it.
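The triage this thread converged on, reading the domain controller's Security log to see which machine the failed attempts come from, shown as an added example that is not part of any post above. It assumes the log has been exported to CSV with the hypothetical columns shown; the host names are constructed, and the event IDs are the Windows Server 2003 ones (529, 675, 680 for failures, 644 for lockout) plus their later equivalents.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: rows exported from a domain controller's Security log.
# Column layout and host names are hypothetical; the account is the thread's placeholder.
SAMPLE = """\
time,event_id,audit,account,source
2007-06-27 03:00:05,529,Failure,ourusername,DBSRV-01
2007-06-27 07:58:10,675,Failure,ourusername,WKSTN-041
2007-06-27 07:58:11,675,Failure,ourusername,WKSTN-041
2007-06-27 07:58:12,680,Failure,ourusername,WKSTN-041
2007-06-27 07:58:12,644,Success,ourusername,WKSTN-041
2007-06-28 07:35:01,675,Failure,ourusername,WKSTN-017
2007-06-28 07:40:00,680,Success,ourusername,DBSRV-01
2007-06-28 07:55:30,529,Failure,someoneelse,WKSTN-017
2007-06-28 07:58:09,675,Failure,ourusername,WKSTN-041
2007-06-28 07:58:10,675,Failure,ourusername,WKSTN-041
2007-06-28 07:58:11,680,Failure,ourusername,WKSTN-041
2007-06-28 07:58:11,644,Success,ourusername,WKSTN-041
"""

FAILED_IDS = {529, 675, 680, 4625, 4771, 4776}  # bad password / pre-auth / NTLM validation
LOCKOUT_IDS = {644, 4740}                        # account locked out

def lockout_sources(text, account, window=timedelta(minutes=30)):
    """For each lockout of `account`, count audit failures per source host in the preceding window."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        if r["account"].lower() == account.lower():
            when = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
            rows.append((when, int(r["event_id"]), r["audit"], r["source"]))
    report = []
    for locked_at, eid, _, _ in sorted(rows):
        if eid in LOCKOUT_IDS:
            hits = Counter(src for t, e, audit, src in rows
                           if e in FAILED_IDS and audit == "Failure"
                           and locked_at - window <= t <= locked_at)
            report.append((locked_at, hits.most_common()))
    return report

def recurring_top_source(report):
    """Return the host that leads every lockout, or None if the leader differs between lockouts."""
    tops = {hits[0][0] for _, hits in report if hits}
    return tops.pop() if len(tops) == 1 else None
```

A host that leads the failure count before every daily lockout is the machine to inspect for a stale saved password, mapped drive, scheduled task or service using the shared account.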