Monday, March 19, 2012

Any way to disable SQL logins after failed tries?

We're using a canned app that only uses SQL Server logins (it will NOT use Windows logins to access SQL Server).

SQL Server logins seem to lack even the most rudimentary security features such as expiring passwords and automatic disabling after a set number of failed logins. Bad. Bad Microsoft.

Has anyone figured out a way to graft this on after-the-fact?

I can do it in an awkward fashion by auditing failed logins and going back to read the error log, but this isn't real time by any stretch.

To the best of my knowledge, there is no innate feature in MS SQL that will allow you to manage SQL Server logins as you wish. This lack has been noted before (cross your fingers, MS will deal with this in Yukon).

We wrote a custom app and created this kind of failed-login checking, but that does not sound like an option for you.

Can you do something with a scheduled job at the SQL error log (you'd have to enable logging of failed login attempts)?

I think there is a way to load the error log as a table. Then you could search for failed logins and (if the number exceeded your threshold) disable it.

I think it's doable, but I have not had the need to accomplish this particular task.

Regards,

hmscott

Originally posted by hmscott
To the best of my knowledge, there is no innate feature in MS SQL that will allow you to manage SQL Server logins as you wish. This lack has been noted before (cross your fingers, MS will deal with this in Yukon).

We wrote a custom app and created this kind of failed-login checking, but that does not sound like an option for you.

Can you do something with a scheduled job at the SQL error log (you'd have to enable logging of failed login attempts)?

I think there is a way to load the error log as a table. Then you could search for failed logins and (if the number exceeded your threshold) disable it.

I think it's doable, but I have not had the need to accomplish this particular task.

Regards,

hmscott

I doubt it...since SQL Server "security" is not the way to go...you can "See" passwords as plain as day...oh, I forgot...M$ describes this as a feature....
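The detection half of the scheduled-job idea hmscott describes above, as an added example that is not part of the original thread: it scans error-log lines for failed logins and reports any login that reaches a threshold of failures inside a time window. The log line layout, the threshold and window values, and the name `logins_over_threshold` are assumptions; the sample lines are constructed, and the step that actually disables the login is left out because it depends on the SQL Server version.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: "<date> <time> <source> Login failed for user '<name>'."
FAILED = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+"
    r"Login failed for user '([^']*)'"
)

def logins_over_threshold(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {login: time of the failure that crossed the threshold}.

    A login is flagged when `threshold` failures fall within `window`.
    Names are compared case-insensitively (assumption: the server uses a
    case-insensitive collation).
    """
    recent = defaultdict(deque)   # login -> failure times still in the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # startup messages and other non-login rows
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        login = m.group(2).lower()
        q = recent[login]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop failures that aged out of the window
        if len(q) >= threshold and login not in flagged:
            flagged[login] = when
    return flagged

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
2004-03-19 09:00:01.10 server    SQL Server is starting at priority class 'normal'.
2004-03-19 10:15:02.12 logon     Login failed for user 'appuser'.
2004-03-19 10:15:40.55 logon     Login failed for user 'AppUser'.
2004-03-19 10:16:05.90 logon     Login failed for user 'reports'.
2004-03-19 10:17:11.03 logon     Login failed for user 'appuser'.
2004-03-19 10:40:00.00 logon     Login failed for user 'reports'.
2004-03-19 10:58:30.41 logon     Login failed for user 'reports'.
""".splitlines()

if __name__ == "__main__":
    for login, when in logins_over_threshold(SAMPLE_LOG).items():
        print(f"{when} disable candidate: {login}")
```

Because the window slides, the three widely spaced failures for `reports` never accumulate, while the three failures for `appuser` inside about two minutes do.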
