I normally say domain admin authority is the holy grail of intruders, but I bet most attackers would be sorely tempted to trade domain admin authority for read access to your SQL Server databases, because that's where the data is, and the data is their end goal anyway. (And, yes, on file servers and in other types of databases as well.)
So, part of any deep, persistent attack is to find SQL Servers and attempt to break into them. This invariably produces authentication and/or logon failures as the attacker tries credentials harvested from previously compromised systems.
How do you track these failure events? Where are they logged: on the domain controller, in the local Windows Security log, or by SQL Audit? The short answer is potentially all three, depending on the type of account and the authentication method.
What if the attacker successfully authenticates with a stolen domain account (by default, any valid domain account authenticates to any domain-joined system; whether it is then allowed into the database is a separate authorization decision) but lacks access to the database they are trying to break into? Does anything get logged? If so, what, and where?
I'm going to answer all of these questions and more in my next real training for free webinar. First I'll show you all the different authentication methods that SQL Server supports. Then for each method I'll explain where those events are logged: which system, which log and which event IDs. And I'll discuss logon events that can only be monitored with SQL Audit (NOT to be confused with SQL Trace).
If you have sensitive data in SQL Server, you cannot simply rely on security logs from your domain controllers and Windows servers. You have to monitor events only produced by SQL Server itself. If you're only monitoring the Windows Security Log, you are largely blind to attacks on SQL Server databases. In this webinar I'll show you how to get visibility.
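As an added illustration (this is not code from the post or from the webinar), the following T-SQL is the minimal SQL Audit setup that captures the logon events discussed above: a server audit that writes to files, a server audit specification that records failed and successful logins, and a query over the audit files that surfaces the pattern a credential-harvesting intruder produces. The audit name, the folder `D:\SQLAudit\`, the file sizes and the thresholds are assumptions to adapt; it must be run by a member of sysadmin (or a principal with CONTROL SERVER), and the folder must already exist and be writable by the SQL Server service account.

```sql
-- Added example: SQL Server Audit for logon events (assumed names and paths).
USE master;
GO

-- 1. The audit object: where the events go. A file target is used here;
--    TO APPLICATION_LOG or TO SECURITY_LOG are the alternatives.
CREATE SERVER AUDIT LogonAudit
    TO FILE (FILEPATH = N'D:\SQLAudit\',     -- assumed folder, must pre-exist
             MAXSIZE = 100 MB,
             MAX_ROLLOVER_FILES = 50,
             RESERVE_DISK_SPACE = OFF)
    WITH (QUEUE_DELAY = 1000,                -- ms before events are flushed
          ON_FAILURE = CONTINUE);            -- keep serving if the audit cannot write
GO

-- 2. The server-level specification: which action groups to record.
--    FAILED_LOGIN_GROUP records every rejected connection, which includes a
--    domain account that Windows authenticated but that has no matching SQL
--    login or cannot open the database it asked for. SUCCESSFUL_LOGIN_GROUP
--    gives the baseline to compare against.
CREATE SERVER AUDIT SPECIFICATION LogonAuditSpec
    FOR SERVER AUDIT LogonAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)      -- logins created/altered after a break-in
    WITH (STATE = ON);
GO

ALTER SERVER AUDIT LogonAudit WITH (STATE = ON);
GO

-- 3. Read the audit files. action_id 'LGIF' = login failed, 'LGIS' = login
--    succeeded; event_time is UTC. Grouping failures by client address and
--    principal surfaces harvested-credential attempts: many principals, many
--    failures, one source. The 24-hour window and the threshold of 5 are
--    assumed tuning values.
SELECT  client_ip,
        server_principal_name,
        COUNT(*)        AS failures,
        MIN(event_time) AS first_seen,
        MAX(event_time) AS last_seen
FROM    sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE   action_id = 'LGIF'
  AND   event_time > DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY client_ip, server_principal_name
HAVING  COUNT(*) >= 5
ORDER BY failures DESC;
```

None of these records exist in the Windows Security log of the domain controller or the SQL Server host: from Windows' point of view the stolen domain account authenticated successfully, and only SQL Server knows it then rejected the login or the database access. That is the gap the post describes, and it is the reason the audit files (or the application/security log target) have to be collected into the SIEM alongside the Windows events.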
My own software company, LOGbinder, is sponsoring this event and I’ll take just a few minutes to show you how LOGbinder for SQL Server can get SQL Audit events from all your database servers into your SIEM without ever touching your SQL Servers. Your DB admins will love you.
Please join me for this real training for free event ™. Register now.