NT Service\MSSQL$SQLEXPRESS login failure alert every second

  • Hi All,

    After seeing a log of login failures and attacks, we removed all unwanted logins from SQL, including the NT Service\MSSQL$SQLEXPRESS service account. It is Express; none of the applications, the Windows scheduler or any service is using this login, yet I am still seeing the error very often, every second.

    Error:

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    Severity: 16 Error:18456, OS: 18456 [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user 'NT Service\MSSQL$SQLEXPRESS'.

  • Is this server a SQL Express instance? Is it still working after removing the NT Service\MSSQL$SQLEXPRESS login from it?

    • This reply was modified 1 year, 11 months ago by  Jeff Fant.
  • Yes, it is express and working fine.

  • You should not be removing the NT SERVICE\MSSQLSERVER, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQL$<InstanceName> or NT SERVICE\SQLAGENT$<InstanceName> accounts under any normal circumstances.

    These are used as proxy/virtual accounts for the actual service accounts you use to run the service, so you don't have to remember to add permissions to new service accounts as and when you change them.

     

    If you are getting 18456 errors then you need to look at the full message in the SQL Server log, figure out what the state of the error is and then work it back to the corresponding failure reason. The link below indicates what the different state numbers represent, and then you can go and fix the actual problem.

    https://sqlblog.org/2020/07/28/troubleshooting-error-18456
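The triage step described in the answer above, as an added example that is not part of the original thread: it pairs each 18456 header line in a SQL Server error log with the "Login failed" line that follows it and counts failures by login, state, reason and client. The log lines are constructed for illustration (the state and reason shown are not taken from the poster's server), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the SQL Server ERRORLOG layout (not from the thread).
SAMPLE_LOG = r"""
2024-01-10 09:15:01.12 Logon       Error: 18456, Severity: 14, State: 11.
2024-01-10 09:15:01.12 Logon       Login failed for user 'NT Service\MSSQL$SQLEXPRESS'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <local machine>]
2024-01-10 09:15:02.12 Logon       Error: 18456, Severity: 14, State: 11.
2024-01-10 09:15:02.12 Logon       Login failed for user 'NT Service\MSSQL$SQLEXPRESS'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <local machine>]
2024-01-10 09:15:02.40 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-10 09:15:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-10 09:15:03.05 Server      Some unrelated informational message.
"""

# Header line carries the state; the following line carries login, reason and client.
STATE_RE = re.compile(r"Error: 18456, Severity: \d+, State: (\d+)\.")
LOGIN_RE = re.compile(
    r"Login failed for user '([^']*)'\."
    r"(?: Reason: (.*?))?(?: \[CLIENT: ([^\]]*)\])?\s*$"
)

def summarize(log_text):
    """Count 18456 failures keyed by (login, state, reason, client)."""
    counts = Counter()
    state = None
    for line in log_text.splitlines():
        header = STATE_RE.search(line)
        if header:
            state = int(header.group(1))
            continue
        detail = LOGIN_RE.search(line)
        if detail and state is not None:  # ignore detail lines with no header
            login, reason, client = detail.groups()
            key = (login, state, reason or "reason not logged", client or "unknown")
            counts[key] += 1
            state = None
    return counts

def local_service_failures(counts):
    """Keep only failures for NT SERVICE\\ virtual accounts (services on the host)."""
    return {k: n for k, n in counts.items() if k[0].upper().startswith("NT SERVICE\\")}

if __name__ == "__main__":
    for (login, state, reason, client), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:>4}  state={state:<3} {login}  [{client}]  {reason}")
```

Grouping this way separates a local service account that fails on every retry from password failures arriving from remote clients, which call for different fixes.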

  • Thank you for the response and explanation. I have added the account back and the errors are not coming again. I think it worked.

  • The same is true for the following:

    NT SERVICE\CluSvc

    NT SERVICE\HealthService

    NT SERVICE\SQLTelemetry

    NT SERVICE\SQLWriter

    NT SERVICE\Winmgmt

    If you have removed any of these, I would add them back with the correct permissions they had.
