September 5, 2008 at 2:49 pm
While perusing my logs, I began to recognize a particular login having unsuccessful login attempts. This particular server hosts only GIS functions, so I sent an email to the senior GIS tech; she tells me that the particular login hasn't worked here in two years.
I doubt it's an overt hack attempt, but obviously I still need to get to the bottom of it. Well, first step, look for the account. This particular user would have been a SQL authentication account, and there is no account, so it was deleted promptly when the user left.
Second step, talk to the network and Windows server administrators. They have no suggestion, and Windows doesn't log enough detail to identify the workstation. We're not running any sort of IDS, so we can't trace through that.
Third step, start a profiler trace on the account. I had it display all columns, and it dutifully logged the attempts to connect, but it didn't capture the workstation or network login info. Yet another dead end.
Any suggestions on how I might figure out who is trying to use this login? I'm tempted to create an account by that name with a blank password and no permissions, just to see if profiler would capture network information then.
-----
Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson
September 5, 2008 at 3:30 pm
Wayne,
Did the trace catch the application name? My guess is that it is embedded somewhere in some app / process.
David
@SQLTentmaker
“He is no fool who gives what he cannot keep to gain that which he cannot lose” - Jim Elliot
September 5, 2008 at 3:51 pm
It did; unfortunately, it's a common application. It's ESRI GIS: our GIS techs have Windows-authenticated accounts, and the people doing map querying are using SQL authentication. So I need a way to get the workstation ID or the network user ID.
We also have a thought that perhaps the deleted user ID is still "owning" GIS objects; I haven't had time to dig into that angle yet.
-----
Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson
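One way to approach the question in this thread, as an added example that is not from any of the posters: on SQL Server 2005 and later with failed-login auditing enabled, each failure in the ERRORLOG carries a `[CLIENT: ...]` address, so grouping those lines by login and client shows which machine keeps retrying. The log lines, login names and addresses below are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the SQL Server 2005+ ERRORLOG layout (not from the thread).
SAMPLE_LOG = """\
2008-09-05 14:41:07.12 Logon       Error: 18456, Severity: 14, State: 5.
2008-09-05 14:41:07.12 Logon       Login failed for user 'old_gis_user'. [CLIENT: 192.0.2.44]
2008-09-05 14:43:10.80 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-05 14:43:10.80 Logon       Login failed for user 'mapviewer'. [CLIENT: 192.0.2.17]
2008-09-05 14:46:07.31 Logon       Error: 18456, Severity: 14, State: 5.
2008-09-05 14:46:07.31 Logon       Login failed for user 'old_gis_user'. [CLIENT: 192.0.2.44]
2008-09-05 14:47:00.02 spid52      Starting up database 'gisdata'.
2008-09-05 14:49:55.90 Logon       Error: 18456, Severity: 14, State: 5.
2008-09-05 14:49:55.90 Logon       Login failed for user 'old_gis_user'. [CLIENT: <local machine>]
"""

# Each failure is two lines: the 18456 error with its State, then the message with the client.
STATE_RE = re.compile(r"^(\S+ \S+)\s+Logon\s+Error: 18456, Severity: \d+, State: (\d+)\.")
FAIL_RE = re.compile(r"^(\S+ \S+)\s+Logon\s+Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")

def failed_logins_by_client(log_text, login=None):
    """Group failed logins by (login, client address); optionally filter on one login."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "states": set()})
    pending = None  # (timestamp, state) from the preceding 18456 line
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            pending = (m.group(1), int(m.group(2)))
            continue
        m = FAIL_RE.match(line)
        if m:
            ts, user, client = m.groups()
            if login is None or user.lower() == login.lower():
                entry = summary[(user, client)]
                entry["count"] += 1
                entry["first"] = entry["first"] or ts
                entry["last"] = ts
                # State 5 means the login does not exist; State 8 is a wrong password.
                if pending and pending[0] == ts:
                    entry["states"].add(pending[1])
        pending = None
    return dict(summary)

if __name__ == "__main__":
    for (user, client), e in sorted(failed_logins_by_client(SAMPLE_LOG, "old_gis_user").items()):
        print(user, client, e["count"], e["first"], e["last"], sorted(e["states"]))
```

The client address identifies the connecting machine, not the person; tying it to a workstation name still goes through DNS or DHCP records.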